Last night, Ethereum co-founder Vitalik Buterin’s X (formerly Twitter) account was taken over and used to steal $700,000 in crypto and NFTs.
Once the account was taken over, it was used to advertise a fake commemorative NFT mint that supposedly had a time limit, encouraging users to mint quickly. The link, however, led to a phishing website that would drain cryptocurrencies and NFTs from wallets that interacted with it.
Through this phishing attack, around $700,000 in crypto and NFTs was lost, according to estimates from crypto sleuth ZachXBT and on-chain data. This included one CryptoPunk NFT worth 153 ETH ($250,000) and hundreds of ether from multiple individuals. Most of the NFTs have been sold, with much of the proceeds from the attack remaining in the hacker’s wallet.
The murky world of NFT drainer software
It seems that the hacker used the popular Pink drainer software to carry out the attack, according to on-chain interactions between the attacker’s wallet and a wallet labeled by crypto wallet explorer Zapper as belonging to Pink. As The Block reported, there is an underworld of bad actors who create and sell NFT draining software to those who want to carry out phishing attacks. Typically, those who buy the software give a portion of rewards back to the creator of the drainer. In some cases, the creator will carry out attacks using their own software.
While a relatively new drainer, Pink has been widely used for multiple big phishing attacks throughout this year. This includes attacks on the Discords of Orbiter Finance, LiFi, Flare and Evmos, as well as Steve Aoki’s X account and others.
Those carrying out the attacks often pose as journalists, pretending to be associated with crypto media organizations. One tactic they use, according to ScamSniffer, is encouraging the target to bookmark a document in their browser, which enables the malicious code to gain a foothold.
One way to fight such attacks is by keeping valuable NFTs and large amounts of crypto in cold storage, as opposed to in hot wallets. Emerging tools like Delegate Cash are also letting NFT owners delegate rights from their NFTs to other wallets, enabling them to access gated NFT community areas — like Discord servers — without signing in regularly with the wallet actually holding the NFT.
Buterin’s account takeover is the latest in a string of phishing attacks that have been carried out on X over the last few years. Multiple big-name crypto individuals and company accounts have been targeted, from NFT project Azuki to the Aptos Foundation.
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.