Cryptocurrency Scams Rampant on X/Twitter: A Cautionary Tale
In recent times, account hijacking on X/Twitter has become alarmingly common, with notable victims including the official account of the U.S. Securities and Exchange Commission (SEC), which was compromised to falsely claim the approval of a Bitcoin spot ETF. Such incidents have led to significant fluctuations in the prices of cryptocurrencies.
Adding to the list of high-profile hacks, the official X account of Microsoft India was hijacked last night. Despite being verified with X's organizational authentication and sporting a gold verification badge, the account fell prey to scammers.
The cybercriminals used the hijacked Microsoft India account to promote a cryptocurrency scam, falsely claiming that GameStop, known for its central role in the retail investor battle against Wall Street's short-sellers, was issuing a new cryptocurrency named KITTY. They lured users with the prospect of purchasing KITTY through pre-sales, promising greater returns upon the cryptocurrency's market debut, requiring payments in Ethereum.
Interestingly, the scam primarily targeted Americans, raising questions about why the attackers did not hijack Microsoft's U.S. account instead (presumably due to unsuccessful attempts).
The scammers didn't just stop at hijacking; they further amplified their phishing tweets through bots to draw more users into their trap.
However, the real scam wasn't about users sending Ethereum to purchase the fictitious KITTY tokens. Instead, connecting a Web3 wallet to the phishing site granted the scammers various permissions by default. This allowed them to empty the victims' wallets of all supported cryptocurrencies without any need for the victims to manually send Ethereum or any other tokens, maximizing the fraudsters' gains.
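The drain described above works because the phishing site asks the connected wallet to sign token-approval transactions, not because the victim sends funds. The following is an added defender-side example (not code from the article or from any party it describes) that decodes such a request before it is signed and flags the dangerous grants; it assumes the standard ERC-20 `approve(address,uint256)` and ERC-721/1155 `setApprovalForAll(address,bool)` selectors, and every address in it is constructed for the demo.

```javascript
// Added example: inspect the calldata a dApp asks a wallet to sign and flag
// "permission" grants that let a third party move tokens later, which is the
// mechanism wallet drainers rely on. Assumes standard ERC-20 / ERC-721 selectors.
const SELECTORS = {
  "095ea7b3": "approve",           // ERC-20: allow `spender` to transfer up to `amount`
  "a22cb465": "setApprovalForAll", // ERC-721/1155: allow `operator` to move every token
};
const UNLIMITED = (1n << 256n) - 1n; // uint256 max, the usual "infinite approval"

// Read the i-th 32-byte ABI word after the 4-byte selector.
const word = (hex, i) => hex.slice(8 + i * 64, 8 + (i + 1) * 64);

// Classify one transaction's calldata. `trustedSpenders` is an allow-list the
// user or wallet maintains (e.g. well-known DEX routers); anything else is unknown.
function inspectCalldata(data, trustedSpenders = []) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  const call = SELECTORS[hex.slice(0, 8)];
  if (!call) return { call: "other", risk: "low", reason: "not an approval call" };
  if (hex.length < 8 + 2 * 64) return { call, risk: "high", reason: "malformed calldata" };
  const spender = "0x" + word(hex, 0).slice(24); // address = low 20 bytes of word 0
  const trusted = trustedSpenders.some((s) => s.toLowerCase() === spender);
  const who = trusted ? "trusted" : "unknown";
  let grant, reason;
  if (call === "approve") {
    const amount = BigInt("0x" + word(hex, 1));
    if (amount === 0n) return { call, spender, risk: "low", reason: "allowance revoked" };
    grant = amount === UNLIMITED ? "unlimited" : "limited";
    reason = `${grant} ERC-20 allowance to ${who} spender`;
  } else {
    if (BigInt("0x" + word(hex, 1)) === 0n)
      return { call, spender, risk: "low", reason: "operator approval revoked" };
    grant = "unlimited"; // setApprovalForAll covers the whole collection
    reason = `operator approval for all tokens to ${who} operator`;
  }
  const risk = (!trusted && grant === "unlimited") ? "high"
             : (grant === "unlimited" || !trusted) ? "medium" : "low";
  return { call, spender, grant, risk, reason };
}

// ABI-encode the two approval calls so the inspector can be exercised offline.
const pad = (v) => BigInt(v).toString(16).padStart(64, "0");
const encodeApprove = (spender, amount) => "0x095ea7b3" + pad(spender) + pad(amount);
const encodeSetApprovalForAll = (op, ok) => "0xa22cb465" + pad(op) + pad(ok ? 1 : 0);

// Constructed addresses for the demo (not real contracts).
const DRAINER = "0x1111111111111111111111111111111111111111";
const ROUTER  = "0x2222222222222222222222222222222222222222";
```

A wallet or browser extension would surface `risk: "high"` results to the user before the signing prompt; the same check can be run over a transaction log to find approvals that should be revoked.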
The exact method of the Microsoft India account compromise remains unclear, though the most common causes of such takeovers are leaked passwords and missing two-factor authentication (2FA). More sophisticated methods, such as SIM swap attacks, have also been observed, as was the case with the SEC account hijacking, where the attackers collected employee phone numbers, forged documents, and convinced carriers to issue duplicate SIM cards, enabling them to bypass SMS-based authentication.
YouTube accounts, particularly those associated with Elon Musk, have also been frequent targets. A notable incident involved a SpaceX live stream being hijacked to display AI-generated videos of Musk, deceiving viewers into scanning a QR code that led them to a phishing site promising cryptocurrency returns, such as doubling Bitcoin sent to a specified address.
These phishing schemes are increasingly prevalent on X/Twitter and are likely to continue. Therefore, it's crucial to remain vigilant against too-good-to-be-true cryptocurrency offers, which are often scams that can lead to significant financial losses.