In recent months, well-known opinion leaders have become the primary targets of social engineering attacks, and the official Twitter accounts of projects have frequently been hacked.
Authors: Luccy, Lu Dong Xiao Gong, BlockBeats
In the cryptocurrency circle, Twitter, as a major social media platform, is an important channel for information exchange, but it also carries many security risks. In recent months, a new pattern of theft has emerged: well-known Key Opinion Leaders (KOLs) have become the primary targets of social engineering attacks, and projects' official accounts on the social media platform X (formerly Twitter) have frequently been hacked.
These carefully planned attacks not only violate personal privacy but also threaten the security of digital assets more broadly. BlockBeats will examine several recent social engineering attacks against well-known KOLs, showing how attackers use carefully designed fraudulent methods, and how KOLs and ordinary users can raise their vigilance against these increasingly rampant online threats.
Disguised fake journalists, social engineering attacks against KOLs
According to BlockBeats' incomplete statistics, the first such social engineering attack involved an impostor posing as the editor-in-chief of the mainstream US media "Forbes". After communicating with the crypto KOL @0xmasiwei on friend.tech and other imitation SocialFi projects, the impostor sent a friend.tech "identity verification" link. SlowMist security personnel verified that this link was a phishing link.
In addition, SlowMist founder Yu Xian confirmed that friend.tech's integrated custom tool FrenTechPro is a phishing scam. After clicking "ACTIVATE NOW," hackers continuously attempted to steal wallet-related assets.
Two months later, PeckShield (PeckShieldAlert) again monitored similar events.
On December 18th, the account of cryptocurrency researcher and DeFiLlama contributor Kofi (@0xKofi) posted on social media claiming that there were vulnerabilities in DefiLlama's contracts and dApps, and asked users to click the link attached to the tweet to verify the security of their assets. This is a typical social engineering attack: the fraudsters exploited users' fear of vulnerabilities so that they lowered their guard against the fraudulent link.
At 2 am yesterday, @0xcryptowizard's encounter with a social engineering attack once again sparked discussions in the crypto community. @0xcryptowizard promoted Arbitrum scripts in Chinese on social media platforms and attached a mint link. According to community members' reactions, the wallet was emptied instantly upon clicking the link.
In response, @0xcryptowizard stated in a post that the scammer took advantage of their rest time to release the phishing link. Subsequently, @0xcryptowizard added a reminder in their Twitter bio, "Will not post any links in the future; if there are links in the tweet, please do not click."
As for the cause of the theft, @0xcryptowizard stated that this was a carefully planned online fraud. The attacker @xincheneth posed as a journalist from the well-known cryptocurrency media Cointelegraph and contacted the target under the pretext of scheduling an interview. The attacker induced the target to click on what appeared to be a normal appointment link, disguised as a Calendly (a commonly used scheduling tool) appointment page. In reality the page was a front: its real purpose was to have the target grant authorization to @xincheneth, handing over permissions on the target's Twitter account.
During this process, even if there were suspicions about the link, the design and presentation of the page still led the target to believe it was a normal Calendly appointment interface. In fact, the page did not display any Twitter authorization interface, only showing the appointment time interface, which led to the target being misled. Looking back, @0xcryptowizard believed that the hacker may have cleverly disguised the page.
Finally, @0xcryptowizard reminded other well-known opinion leaders (KOLs) to be extra cautious and not to click on unfamiliar links easily, even if they appear to be normal service pages. The high concealment and deception of this fraudulent method pose a serious security risk.

Following @0xcryptowizard, co-founder of NextDAO, @0xSea, also experienced a social engineering attack, where a scammer claiming to be from the well-known crypto media company Decrypt privately messaged them for an interview, aiming to spread certain ideas to Chinese-speaking users.
However, having learned from past experiences, @0xSea noticed that in the phrase "authorize Calendlỵ to access your account" on the Calendly.com authorization page sent by the other party, the final character was "ỵ" rather than the letter "y", similar to the earlier fake "sats" case where the ending was actually the single character "ʦ" instead of "ts". On this basis, the account was determined to be a fake impersonator.
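The two lookalike cases above ("Calendlỵ" for Calendly, "ʦ" for "ts") can be caught mechanically. The following is an added example, not code from the article: it reduces a string to the plain-ASCII text it visually imitates, lists every non-ASCII code point with its Unicode name, and shows the punycode form a browser would use for such a host. The CONFUSABLES table is a small hand-made assumption, not the full Unicode confusables list.

```python
import unicodedata

# Hand-made table for lookalikes that NFKD does not decompose (an assumption
# for this example; the real Unicode confusables list is far larger).
CONFUSABLES = {
    "\u02a6": "ts",  # ʦ LATIN SMALL LETTER TS DIGRAPH, the fake "sats" case
    "\u0261": "g",   # ɡ LATIN SMALL LETTER SCRIPT G
    "\u0251": "a",   # ɑ LATIN SMALL LETTER ALPHA
}

def skeleton(text: str) -> str:
    """Reduce text to the ASCII string it imitates ('Calendlỵ' -> 'calendly')."""
    out = []
    for ch in text:
        for c in unicodedata.normalize("NFKD", CONFUSABLES.get(ch, ch)):
            # NFKD splits 'ỵ' into 'y' + COMBINING DOT BELOW; drop the mark.
            if not unicodedata.combining(c):
                out.append(c)
    return "".join(out).lower()

def non_ascii_chars(text: str) -> list:
    """List (position, char, Unicode name) for every non-ASCII code point."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(text) if ord(ch) > 0x7F]

def is_lookalike(text: str, expected: str) -> bool:
    """True when text imitates `expected` but is not actually equal to it."""
    return text.lower() != expected.lower() and skeleton(text) == expected.lower()

def punycode_host(host: str) -> str:
    """The ASCII (xn--) form a browser/DNS resolver would use for the host."""
    return host.encode("idna").decode("ascii")

def check_brand(text: str, expected: str) -> dict:
    return {"input": text, "skeleton": skeleton(text),
            "non_ascii": non_ascii_chars(text),
            "lookalike": is_lookalike(text, expected)}

if __name__ == "__main__":
    # Constructed samples modelled on the two cases described in the article.
    for sample, brand in [("Calendlỵ", "Calendly"), ("saʦ", "sats"), ("Calendly", "Calendly")]:
        print(check_brand(sample, brand))
    print(punycode_host("calendlỵ.com"))
```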

Well-trained cryptocurrency hacker group Pink Drainer
In the attack on @0xcryptowizard, SlowMist's Yu Xian pointed to the fraud group Pink Drainer. Pink Drainer is reported to be a Malware-as-a-Service (MaaS) offering that lets its customers quickly set up malicious websites and use its drainer software to steal assets.

According to the blockchain security company Beosin, the phishing websites use a wallet-drainer tool that entices users to sign requests. Once a request is signed, the attacker can transfer NFTs and ERC-20 tokens out of the victim's wallet. Pink Drainer takes a cut of the stolen assets as its fee, reportedly up to 30%.
The Pink Drainer team is notorious for its high-profile attacks on platforms such as Twitter and Discord, involving events related to Evomos, Pika Protocol, and Orbiter Finance.
On June 2nd last year, hackers used Pink Drainer to take over the Twitter account of Mira Murati, the technical lead of OpenAI, and posted fake news claiming that OpenAI was about to launch an "OPENAI token" based on AI language models, with a link instructing netizens to check whether their Ethereum wallet address was eligible for an airdrop. To prevent others from exposing the scam in the comments, the hacker disabled public replies.
Although this fake news was deleted after being posted for an hour, it had already reached over 80,000 Twitter users. Data displayed by Scam Sniffer indicated that the hacker gained approximately $110,000 in illegal income from this incident.
At the end of last year, Pink Drainer was involved in a highly sophisticated phishing scam that resulted in the theft of $4.4 million worth of Chainlink (LINK) tokens. The theft targeted a single victim who was deceived into signing a transaction calling the "increase authorization" function. Pink Drainer abused a standard ERC-20 mechanism: "increase authorization" lets a token holder set a limit (an allowance) on how many of their tokens another address is permitted to transfer out of their wallet.
Without the victim's awareness, this signature allowed 275,700 LINK tokens to be transferred out in two separate transactions. Details from the cryptocurrency security platform Scam Sniffer show that 68,925 LINK tokens were first transferred to a wallet labelled "PinkDrainer: Wallet 2" by Etherscan; the remaining 206,775 LINK tokens were sent to another address ending in "E70e".
It is currently unclear how the victim was induced to authorize the token transfers. In the 24 hours after the theft, Scam Sniffer discovered at least 10 new scam websites related to Pink Drainer.
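The LINK theft above works because an approval-type transaction looks harmless to the person signing it. The following is an added example, not code from the article or from any wallet: a pre-signing check that decodes the calldata of the standard ERC-20/ERC-721 approval functions, extracts the spender and amount, and rates the request against a list of spenders the user trusts. The spender address and the calldata are constructed samples; the article does not state which approval function the LINK contract exposes, so the selector table lists the common standard ones.

```python
# Function selectors: the first 4 bytes of keccak256(signature), as hex.
# These are the standard ERC-20 / ERC-721 approval entry points.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "d73dd623": "increaseApproval(address,uint256)",   # older OpenZeppelin name
    "a22cb465": "setApprovalForAll(address,bool)",     # NFTs: every token at once
}
MAX_UINT256 = 2**256 - 1
SELECTOR_LEN, WORD_LEN = 8, 64  # lengths in hex characters

def decode_approval(calldata: str):
    """Return (signature, spender, amount) for an approval-type call, else None."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    sig = APPROVAL_SELECTORS.get(data[:SELECTOR_LEN])
    if sig is None or len(data) < SELECTOR_LEN + 2 * WORD_LEN:
        return None
    word1 = data[SELECTOR_LEN:SELECTOR_LEN + WORD_LEN]
    word2 = data[SELECTOR_LEN + WORD_LEN:SELECTOR_LEN + 2 * WORD_LEN]
    spender = "0x" + word1[-40:]  # an address is right-aligned in its 32-byte word
    return sig, spender, int(word2, 16)

def review_signing_request(calldata: str, decimals: int, trusted_spenders) -> dict:
    """Classify a transaction the wallet is being asked to sign."""
    decoded = decode_approval(calldata)
    if decoded is None:
        return {"risk": "none", "reason": "not an approval call"}
    sig, spender, amount = decoded
    if spender in {s.lower() for s in trusted_spenders}:
        risk = "low"
    elif (sig.startswith("setApprovalForAll") and amount != 0) or amount == MAX_UINT256:
        risk = "critical"  # all tokens / unlimited amount to an unknown spender
    else:
        risk = "high"      # a bounded but still unexplained allowance
    return {"risk": risk, "function": sig, "spender": spender,
            "amount_base_units": amount, "amount_tokens": amount // 10**decimals}

def encode_approval(selector: str, spender: str, amount: int) -> str:
    """ABI-encode a two-argument approval call; used here only to build samples."""
    return "0x" + selector + spender.lower()[2:].rjust(WORD_LEN, "0") + format(amount, "064x")

# Constructed sample: an allowance of 275,700 LINK (18 decimals) to a made-up spender.
FAKE_SPENDER = "0x" + "ab" * 20
SAMPLE_CALLDATA = encode_approval("39509351", FAKE_SPENDER, 275_700 * 10**18)

if __name__ == "__main__":
    print(review_signing_request(SAMPLE_CALLDATA, 18, trusted_spenders=[]))
```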
Today, Pink Drainer's activity is still on the rise. According to Dune data, as of the time of writing, Pink Drainer has stolen more than $25 million in total, with tens of thousands of victims.

Frequent Hacking of Official Project Twitter Accounts
Moreover, in the past month, there have been frequent incidents of official project Twitter accounts being hacked:
On December 22nd, the official X account of the Diablo-style loot ARPG blockchain game "SERAPH: In the Darkness" was suspected to be hacked. Users are advised not to click on any links posted by this account for the time being.
On December 25th, the official Twitter account of the decentralized finance protocol Set Protocol was suspected to be hacked and posted multiple tweets containing phishing links.
On December 30th, the official Twitter account of the DeFi lending platform Compound was suspected to be hacked and posted tweets containing phishing links, with replies disabled. BlockBeats reminds users to pay attention to asset security and not to click on phishing links.
Even security companies are not immune. On January 5th, CertiK's Twitter account was compromised. False information was posted claiming to have discovered a reentrancy vulnerability in the Uniswap router contract. A phishing link for RevokeCash was attached. In response to the hacking incident, CertiK stated on its social platform, "A verified account related to a well-known media contacted a CertiK employee, but the account seems to have been compromised, leading to our employee being targeted by a phishing attack. CertiK quickly discovered the vulnerability and deleted the related tweets within minutes. The investigation revealed that this was a large-scale ongoing attack. According to the investigation, this incident did not cause significant losses."
On January 6th, according to community feedback, the official Twitter account of the Solana ecosystem NFT lending protocol Sharky was hacked and posted phishing links. Users are advised not to click on any links posted by this official account.
Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between a user and the author is unrelated to this platform. If an article or image published on this page infringes any rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will investigate.