Fake Journalists, Real Hackers: Exposing the New Crypto Twitter Scam Tactics

Author: MarsBit

In the cryptocurrency community, Twitter, as the main social media channel, is an important platform for exchanging information, but it also exposes many security risks. In recent months a new pattern of theft has emerged: well-known opinion leaders (KOLs) have become prime targets for social engineering attacks, and the official accounts of projects on X (formerly Twitter) have been hijacked again and again.

These well-planned attacks not only violate the privacy of individuals, but also threaten the security of their digital assets. BlockBeats examines several recent social engineering attacks against high-profile KOLs, showing how attackers use carefully crafted scams and how KOLs and ordinary users can stay vigilant against this growing threat.

Impersonating journalists: social engineering attacks against KOLs

According to incomplete statistics compiled by BlockBeats, the first such social engineering attack involved an impostor posing as the editor-in-chief of Forbes, a mainstream US media outlet. After chatting with crypto KOL @0xmasiwei about friend.tech and other SocialFi projects, the impostor sent a friend.tech "verification" link. SlowMist security staff confirmed that the link was a phishing link.

In addition, the founder of SlowMist determined that FrenTechPro, advertised as an all-in-one customization tool for friend.tech, is a phishing scam: after a user clicks ACTIVATE NOW, the hackers keep trying to drain assets from the connected wallet.

Two months later, PeckShieldAlert detected a similar incident.

On December 18, the account of crypto data researcher and DefiLlama contributor Kofi (@0xKofi) posted that DefiLlama's contracts and dApps were affected by a vulnerability, asking users to click the link attached to the tweet to "verify the security of their assets". This is a textbook social engineering attack: the fraud ring exploits users' fear of a vulnerability so that they lower their guard against a fraudulent link.

At 2 a.m. yesterday, the social engineering attack on @0xcryptowizard once again sparked discussion in the crypto community. The @0xcryptowizard account posted, in what looked like machine-translated Chinese, a promotion for an Arbitrum inscription together with a mint link. According to community members, wallets were emptied as soon as they opened the link.

@0xcryptowizard later posted that the scammers had seized the opportunity to publish the phishing link while he was away from the account. He subsequently added a reminder to his Twitter bio: "No links will be posted in the future."

As for how the theft happened, @0xcryptowizard said it was a well-planned scam. The attacker, @xinchen_eth, posed as a reporter from Cointelegraph, a well-known cryptocurrency outlet, and approached him under the pretext of booking an interview. The attacker tricked him into clicking a seemingly normal appointment link disguised as a booking page for Calendly, a popular scheduling tool. In reality the page was a decoy whose purpose was to get the victim to authorize an application controlled by @xinchen_eth, thereby granting it permissions over the victim's Twitter account.

Even though he was suspicious of the link, the design and presentation of the page led him to mistake it for a normal Calendly booking interface. The page never showed anything resembling a Twitter authorization prompt, only a screen for picking a time, which is what misled him. In retrospect, @0xcryptowizard believes the hackers disguised the page very cleverly.

Finally, @0xcryptowizard reminded other well-known KOLs to be extra careful and not to click unknown links, even when they look like ordinary service pages. The highly concealed and deceptive nature of this scam makes it a serious security concern.

After @0xcryptowizard, NextDAO co-founder @_0xSea_ also experienced a social engineering attack: a scammer claiming to be from Decrypt, a well-known crypto media company, asked to interview him, supposedly to bring some ideas to Chinese-speaking users.

However, having learned from the earlier cases, @_0xSea_ looked closely at the Calendly.com authorization page sent by the other party and noticed that in the sentence "Authorize Calendlỵ to access your account" the final character is "ỵ", not the letter "y". This is the same trick as the earlier fake "sats" token, where the last character was actually the single glyph "ʦ" rather than the two letters "ts". From this he concluded that the account was an impersonation.
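The two tricks described above, a booking page that is not what it appears to be and a brand name spelled with a look-alike character, can both be caught by checking the characters in a displayed name and the real host of the link rather than trusting how the page looks. The following script is an added example written for this article, not code from BlockBeats or from any of the projects mentioned; the sample strings are constructed to mirror the ones quoted (Calendlỵ, saʦ) and the URL is a made-up placeholder.

```python
import unicodedata
from urllib.parse import urlsplit


def flag_non_ascii(text):
    """List (index, char, code point, Unicode name) for every non-ASCII character.

    A name that should be plain Latin ("Calendly", "sats") has no business
    containing any of these; each one is a candidate homoglyph.
    """
    return [
        (i, c, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
        for i, c in enumerate(text)
        if ord(c) > 0x7F
    ]


def ascii_skeleton(text):
    """Fold diacritics away: NFKD-decompose, then drop combining marks.

    "ỵ" (y with dot below) becomes "y". Characters that have no compatibility
    decomposition, such as the IPA digraph "ʦ", survive unchanged, so the
    skeleton is a hint for the human reviewer, never a proof of safety.
    """
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def assess(displayed, expected):
    """Classify a displayed name against the brand it claims to be."""
    if displayed == expected:
        verdict = "exact"
    elif ascii_skeleton(displayed).lower() == expected.lower():
        verdict = "lookalike"   # differs only by diacritics: the classic homoglyph
    else:
        verdict = "mismatch"    # something else, or a glyph NFKD cannot fold
    return {"verdict": verdict, "flagged": flag_non_ascii(displayed)}


def assess_link(url, expected_host):
    """Judge the host a link really points at, not the text the page shows."""
    host = urlsplit(url).hostname or ""
    result = assess(host, expected_host)
    # The punycode form is what the browser resolves; an "xn--" label is a
    # sure sign that the pretty hostname contained non-ASCII characters.
    result["idna"] = host.encode("idna").decode("ascii")
    return result


if __name__ == "__main__":
    # Constructed samples modelled on the strings quoted in the article.
    print(assess("Calendl\u1ef5", "Calendly"))
    print(assess("sa\u02a6", "sats"))
    # Placeholder URL, not an address seen in the incident.
    print(assess_link("https://calendl\u1ef5.com/book/interview", "calendly.com"))
```

The verdict "lookalike" is the case @_0xSea_ spotted by eye; "mismatch" with a flagged character is the "ʦ" case, where Unicode normalization alone would not help and only the presence of a non-ASCII glyph gives the game away. For a booking or authorization link, `assess_link` should be run on the URL actually in the address bar, since the text of a hyperlink can say anything.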

Pink Drainer, a well-drilled crypto hacking gang

In the @0xcryptowizard attack, SlowMist's Cosine pointed to the scam gang Pink Drainer. Pink Drainer is reported to operate as malware-as-a-service (MaaS): its customers can quickly set up malicious websites and use the gang's tooling to steal assets.

According to blockchain security firm Beosin, the phishing URL uses a crypto-wallet drainer to trick users into signing requests. Once a request is signed, the attackers can transfer NFTs and ERC-20 tokens out of the victim's wallet. Pink Drainer takes a cut of the stolen assets as its fee, reportedly up to 30%.

The Pink Drainer team is notorious for high-profile attacks on platforms like Twitter and Discord, involving incidents such as Evomos, Pika Protocol, and Orbiter Finance.

On June 2 last year, hackers used Pink Drainer after breaking into the Twitter account of OpenAI's chief technology officer, Mira Murati, and posted fake news claiming that OpenAI was about to launch an "OPENAI token" powered by an AI language model, with a link inviting readers to check whether their Ethereum address was eligible for the airdrop. To stop others from exposing the scam in the comments, the hacker also disabled public replies on the post.

Although the fake message was removed an hour after it was posted, it had already reached more than 80,000 Twitter users. Data from Scam Sniffer showed that the hackers made about $110,000 from the incident.

Late last year, Pink Drainer was involved in a highly sophisticated phishing scam that resulted in the theft of $4.4 million worth of Chainlink (LINK) tokens. The theft targeted a single victim, who was tricked into signing a transaction using the token's "increase authorization" (allowance) feature. Pink Drainer abuses this "Add Authorization" feature, a standard ERC-20 mechanism that lets a wallet owner set how many tokens another address is allowed to transfer on the owner's behalf.

Without the victim realising it, this approval allowed 275,700 LINK tokens to be transferred in two separate transactions. Details from crypto-security platform Scam Sniffer show that 68,925 LINK were first transferred to a wallet labelled by Etherscan as "PinkDrainer: Wallet 2", while the remaining 206,775 LINK were sent to another address ending in "E70e".
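The LINK theft above hinges on a single signed approval, which is also the event a wallet owner or monitoring service can watch for. The script below is an added example written for this article, not code from Scam Sniffer, Etherscan or any project named here: it decodes ERC-20 Approval event logs and flags allowances that are unlimited, unusually large, granted to a spender the owner never uses, or granted to an address on a drainer watchlist. The token, victim, router and drainer addresses are constructed placeholders, not the real addresses from the incident; the Approval topic hash is the standard keccak256 of the ERC-20 event signature.

```python
# keccak256("Approval(address,address,uint256)"): the ERC-20 Approval event signature.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1


def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes in a topic; keep the last 20 bytes."""
    return "0x" + topic[-40:].lower()


def decode_approval(log):
    """Return the decoded Approval(owner, spender, value), or None for any other event."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return {
        "token": log["address"].lower(),
        "owner": topic_to_address(topics[1]),
        "spender": topic_to_address(topics[2]),
        "value": int(log["data"], 16),
    }


def triage_approvals(logs, trusted_spenders, watchlist, decimals=18, large=10_000):
    """Flag approvals a wallet owner should not have signed.

    trusted_spenders: contracts the owner knowingly interacts with (e.g. a DEX router).
    watchlist: addresses labelled as drainer wallets by an explorer or security feed.
    large: allowance size (in whole tokens) above which an approval is worth a look.
    """
    trusted = {a.lower() for a in trusted_spenders}
    watched = {a.lower() for a in watchlist}
    findings = []
    for log in logs:
        ev = decode_approval(log)
        if ev is None:
            continue
        reasons = []
        if ev["value"] == UNLIMITED:
            reasons.append("unlimited allowance")
        elif ev["value"] >= large * 10**decimals:
            reasons.append("large allowance")
        if ev["spender"] in watched:
            reasons.append("spender on drainer watchlist")
        elif ev["spender"] not in trusted:
            reasons.append("spender not in trusted set")
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


# Constructed sample data; placeholder addresses, not the ones from the incident.
TOKEN = "0x" + "11" * 20
VICTIM = "0x" + "aa" * 20
ROUTER = "0x" + "bb" * 20
DRAINER = "0x" + "dd" * 20


def pad_address(addr):
    """Encode an address the way it appears in an indexed event topic."""
    return "0x" + addr[2:].rjust(64, "0")


SAMPLE_LOGS = [
    {   # an ordinary 50-token approval to a router the owner actually uses
        "address": TOKEN,
        "topics": [APPROVAL_TOPIC, pad_address(VICTIM), pad_address(ROUTER)],
        "data": "0x" + format(50 * 10**18, "064x"),
    },
    {   # the pattern from the article: a 275,700-token allowance to a drainer wallet
        "address": TOKEN,
        "topics": [APPROVAL_TOPIC, pad_address(VICTIM), pad_address(DRAINER)],
        "data": "0x" + format(275_700 * 10**18, "064x"),
    },
]


def run_sample():
    return triage_approvals(SAMPLE_LOGS, trusted_spenders=[ROUTER], watchlist=[DRAINER])


if __name__ == "__main__":
    for f in run_sample():
        print(f["spender"], f["value"] / 10**18, f["reasons"])
```

In practice the logs would come from an RPC `eth_getLogs` query filtered on the Approval topic and the owner's address; the decoding and the triage rules stay the same. The point of the example is that the signature the victim was tricked into producing is visible on-chain the moment it lands, which is why approval-revocation tools and wallet monitors key on exactly this event.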

It remains unclear exactly how the victim was tricked into authorizing the transfer, but Scam Sniffer also uncovered at least 10 new scam websites linked to Pink Drainer in the 24 hours after the theft.

Today, Pink Drainer's activity is still on the rise, with more than $25 million in fraud and tens of thousands of victims at the time of writing, according to Dune.

Official project accounts are frequently hijacked

On top of this, the past month has seen a string of official project accounts being compromised:

On December 22, the official X account of the Diablo-style loot-grinding ARPG blockchain game SERAPH: In the Darkness was suspected to have been compromised; users were asked not to click any links posted by the account for the time being.

On December 25, the official Twitter account of the decentralized finance protocol Set Protocol was suspected to have been compromised and posted multiple tweets containing phishing links.

On December 30, the Twitter account of DeFi lending platform Compound was suspected to have been compromised: it posted a tweet containing a phishing link, with replies disabled. BlockBeats reminded users to look after their asset security and not to click on phishing links.

Even security companies are not immune. On January 5, CertiK's Twitter account was compromised and published a fake message claiming that the Uniswap router contract had been found to contain a reentrancy vulnerability, together with a purported RevokeCash link that was in fact a phishing link. In response, CertiK said on its social media platform: "A verified account related to a well-known media outlet contacted a CertiK employee; however, the account appears to have been compromised, resulting in a phishing attack on our employees. CertiK quickly discovered the problem and deleted the tweet within minutes. The investigation indicated that this was a large-scale and ongoing attack. According to the investigation, the incident did not cause significant damage."

On January 6, according to community reports, the official Twitter account of Sharky, an NFT lending protocol in the Solana ecosystem, was hacked and posted a phishing link; users were asked not to click any links posted by the official account.