Frequent hacking of crypto Twitter accounts: a review of the new attack and monetization methods used by hackers.


In recent months, an increasing number of cryptocurrency projects, practitioners, as well as politicians and celebrities have had their social media accounts hacked, subsequently posting scam information. Recently, some Bitget employees experienced similar phishing attacks. After recovering their accounts, we gradually unraveled the situation and discovered that hackers' new attack methods are continuously evolving, becoming highly deceptive and covert. Therefore, we have prepared this article in hopes of contributing to the security protection of the entire industry.

Bitget Employees Encounter Phishing Attacks

In mid-May, a Bitget employee responsible for business development received a Twitter direct message from a partner, inviting him to discuss a potential collaboration. The two quickly agreed on a meeting time and held the meeting. During the meeting, the other party sent some installation files under the guise of "function testing," inviting the Bitget employee to try them out.

In the following days, the employee received inquiries from friends and industry partners: "Did you send me a strange Twitter direct message?" Realizing something was wrong, he quickly worked with the Bitget security team and recovered his account using information such as the linked email.

Hacker Attacks and Profit Methods Targeting Cryptocurrency Twitter Accounts

In the subsequent security investigation, we gradually pieced together the detailed hacking methods and how they profited from them:

Step 1: The hacker sends a direct message to the "victim" from a social media account they already control, guiding them to contact a specific Telegram account for further collaboration discussions.

❗ Security Reminder:

  1. These direct messages may not necessarily come from suspicious accounts; they could even come from verified official accounts, but the scam messages are not sent by the official team.

  2. At this point, the hacker has quietly gained access to these official accounts and is guiding the victim to Telegram for the next step of the scam.

  3. Hackers usually delete the direct messages immediately after sending them, so even if they have sent hundreds of messages, the account owner may not notice.

Step 2: After the victim contacts the hacker on Telegram, the hacker will propose an online meeting and invite them to download and install specific documents during the meeting.

❗ Security Reminder:

  1. The hacker's Telegram account often masquerades as a real employee, and the relevant information may come from platforms like LinkedIn. Their account ID may closely resemble that of a real employee, for example by substituting I (uppercase i) for l (lowercase L).

  2. The hacker embeds malicious code in the installation files, tricking the victim into installing them, thereby gaining access to their computer and further stealing social media accounts, and even cryptocurrency or fiat assets.

Step 3: After gaining access to the victim's device, the hacker will first attempt to directly steal assets. Subsequently, they will use the victim's Twitter and Telegram accounts to identify new victims and send direct messages from that account, guiding them to contact the hacker-controlled Telegram account for further scams.

❗ Security Reminder:

  1. As previously mentioned, hackers will delete the direct messages immediately after sending them, making it difficult for the account owner to notice that their account has been compromised.

  2. This also explains why scam messages may come from verified official accounts, and why these accounts have not taken any action: they are still unaware.

Step 4: When the next victim establishes contact with the hacker on Telegram, the hacker will choose an appropriate scam method based on their disguised identity.

❗ Security Reminder:

  1. If the hacker is impersonating an exchange employee, they will usually lure the victim into transferring funds under the pretext of a coin listing collaboration.

  2. If the hacker is impersonating a project team member, they will typically entice the victim to transfer funds under the guise of participating in early investments.

  3. If the hacker is impersonating an investment institution employee, they will usually deceive the victim into transferring funds under the pretext of investment cooperation.

  4. If their disguised identity cannot directly profit from money, they will use it as a stepping stone to trick others in the victim's network into installing Trojan programs, thereby gaining access to those accounts and turning them into new tools for the hacker's scams.

Summary

The hacking and profit methods mentioned in this article share similarities with past incidents, as hackers still need to implant Trojans (install specific files) to gain control over the victim's device. However, the hackers have optimized their methods in several ways:

  1. By sending direct messages to victims from verified Twitter accounts they control, they can significantly increase credibility and improve the success rate of scams.

  2. Deleting messages immediately after sending them allows the account owner to remain unaware of any anomalies, enabling the hacker to stay dormant in the account for an extended period. In past cases, hackers would often post scam tweets immediately after gaining access to an account, quickly harvesting funds through fake activities or scam tokens; but that approach alerts the account owner and the public and raises awareness.

  3. The Telegram accounts used by hackers for further communication with victims are also carefully disguised, often using IDs that closely resemble those of official personnel.
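The lookalike-ID trick described in the Step 2 reminder and in point 3 above (an uppercase I standing in for a lowercase l, a digit 1 or 0 for a letter, "rn" for "m") can be caught mechanically before a conversation starts. The following Python script is an added example, not code from the original article or from Bitget: it folds a handle to a confusable-insensitive "skeleton" and compares it against a roster of handles you have verified out of band. The roster entries and the sample handles are constructed placeholders; the similarity threshold is an assumed value you would tune to your own roster.

```python
"""Lookalike-handle check for Twitter/Telegram usernames.

Added example (not from the original article or Bitget). Verdicts:
  trusted   - exact, case-insensitive match with a roster entry
  lookalike - differs from a roster entry only by confusable characters,
              or is nearly identical to one (likely a one-letter edit)
  unknown   - resembles nothing on the roster (still unverified!)

Twitter and Telegram usernames are limited to ASCII letters, digits and
underscores, so the confusable table only needs Latin/digit lookalikes.
"""
from difflib import SequenceMatcher

# Single characters folded to one canonical form AFTER lowercasing, so
# "bltget" (l), "bItget" (I) and "b1tget" (1) all collapse to "bitget".
CONFUSABLES = {
    "l": "i", "1": "i",   # l, I and 1 all read like i in many fonts
    "0": "o",             # zero for o
    "5": "s",             # five for s
    "8": "b",             # eight for b
    "2": "z",             # two for z
    "_": "",              # underscores are freely added or dropped
}

# Two-character sequences that imitate one letter.
DIGRAPHS = {"rn": "m", "vv": "w"}

# Assumed threshold for the near-miss fallback (a one-letter edit on a
# ~17-char handle scores ~0.97; unrelated handles score well below 0.5).
SIMILARITY = 0.85

# Constructed roster: handles you verified through a separate channel.
ROSTER = ["ExampleExchange_BD", "Alice_ExampleExchange"]


def normalize(handle: str) -> str:
    """Strip a leading '@', whitespace and case; no confusable folding."""
    return handle.strip().lstrip("@").lower()


def skeleton(handle: str) -> str:
    """Fold a handle to a confusable-insensitive skeleton."""
    h = normalize(handle)
    for pair, single in DIGRAPHS.items():
        h = h.replace(pair, single)
    return "".join(CONFUSABLES.get(ch, ch) for ch in h)


def classify(handle: str, roster=ROSTER):
    """Return (verdict, matched_roster_entry_or_None) for a handle."""
    raw = normalize(handle)
    sk = skeleton(handle)

    # 1. Exact match: the handle really is the roster entry.
    for trusted in roster:
        if raw == normalize(trusted):
            return "trusted", trusted

    # 2. Same skeleton but not the same handle: a confusable substitution.
    for trusted in roster:
        if sk == skeleton(trusted):
            return "lookalike", trusted

    # 3. Near miss (dropped/added/swapped letter) against the closest entry.
    best, best_ratio = None, 0.0
    for trusted in roster:
        ratio = SequenceMatcher(None, sk, skeleton(trusted)).ratio()
        if ratio > best_ratio:
            best, best_ratio = trusted, ratio
    if best_ratio >= SIMILARITY:
        return "lookalike", best

    return "unknown", None


if __name__ == "__main__":
    # Constructed sample handles, as they might appear in a Telegram invite.
    samples = [
        "ExampleExchange_BD",     # genuine
        "@ExampIeExchange_BD",    # uppercase I for l
        "Examp1eExchange_BD",     # digit 1 for l
        "Exarnple_Exchange_BD",   # rn for m, extra underscore
        "examplexchange_bd",      # one letter dropped
        "totally_random_user",    # unrelated
    ]
    for s in samples:
        verdict, match = classify(s)
        print(f"{s:24} -> {verdict:9} {match or ''}")
```

An "unknown" verdict is not a clean bill of health: it only means the handle does not imitate anyone on your roster, so the identity still has to be confirmed through another channel, as point 1 of the prevention list advises. The check is most useful as a pre-filter that blocks the obvious imitations automatically and forces a human confirmation step for the rest.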

How to Identify and Prevent Similar Phishing Attacks

  1. Be cautious of various invitations, even if they come from "official" accounts. When receiving an invitation, confirm the identity of the inviter through other channels. If it’s from a "familiar person," check if previous chat records still exist before chatting.

  2. Do not casually download and open files sent to you during meetings. If you need to install meeting clients like Teams or Zoom, please download them from the official Teams or Zoom website; this is very important.

  3. During communication, only grant video and audio permissions. Do not give Zoom or Teams any other permissions to prevent hackers from remotely controlling your computer.

  4. Do not leave your computer unattended for any reason during communication. If you must, find someone else to watch the screen with you, as hackers may take advantage of your absence to operate your computer.

  5. Do not back up recovery phrases on your computer or phone. Enable MFA (multi-factor authentication) wherever possible.

  6. For funds-related activities, use an iPhone and upgrade to the latest version. Enable Lockdown Mode, use the device as little as possible for external communication, and keep it separate from work and social computers or phones.

Account Hacked? How to Respond Quickly and Minimize Losses

Even with tight security, it is still possible to "get caught." Once an account is found to be hacked, the speed of response will determine the extent of the loss.

  1. Shut down the computer and disconnect from the internet to promptly block the hacker's access to the computer.

  2. Conduct a security check on funds (such as wallet authorizations). The attacker may have accessed your local wallet (like browser plugins or private key storage), so you should immediately transfer assets to a new wallet (it is recommended to regenerate the private key and not use the same recovery phrase).

  3. Immediately recover the account on other devices/emails. While the account is still logged in, use the linked email or phone number to log in and reset the password, and immediately log out of all other devices. Once the account is recovered, promptly revoke all third-party login authorizations to prevent the hacker from continuing to control the account.

  4. Notify and warn those around you. Remind others not to trust recent direct message content, and mark suspicious accounts to inform more people and avoid a chain of victims.

The above case is not an isolated incident but a challenge that every user in the cryptocurrency industry may face. At Bitget, we not only build protective mechanisms but also hope to work with you to truly turn "security awareness" into capability. Bitget's "Anti-Fraud Month" is currently underway, and we have launched a series of anti-fraud content and interactive activities. We welcome you to visit the event page to enhance your ability to identify scams and safeguard security boundaries together.

Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will investigate.
