- Hackers used an old maneuver to take over DeFi Kingdoms' X account for 10 days.
- The bogus tweet about approval of Bitcoin ETFs on January 9 embarrassed the SEC.
- A series of attacks highlights the weaknesses of Elon Musk's X platform.
In the middle of a meeting on January 8, Sauron lost his phone signal. This was no ordinary interruption.
Sauron, the pseudonymous director of Kingdom Studios and creator of the popular Web3 game DeFi Kingdoms, realized that his phone had been SIM swapped.
Soon, a hacker gained access to the game's X account and locked out the entire team. For 10 days, the perpetrator posted phishing links to the game's 114,000 X followers before access was restored.
The worst part: Sauron said he was unable to reach X representatives to help him regain control of the account.
Crypto targeted
SIM swapping is nothing new. It involves tricking a telecom company's customer service representative into porting a target's phone number to a new device controlled by a hacker.
However, over the past few years, perpetrators have increasingly turned to using this tactic to gain access to social media accounts. Cryptocurrencies have become a happy hunting ground.
Furthermore, X, under the ownership and direction of Elon Musk, has removed several measures that used to help non-paying account holders protect themselves from security breaches.
SIM swapping returned to the headlines on January 9 when hackers took control of the SEC's X account and tweeted out early approval of Bitcoin exchange-traded funds.
The fake tweet remained live for about 26 minutes before SEC staff alerted the public, the agency said.
“SEC staff is still assessing the impacts of this incident on the agency, investors and the market, but recognizes that those impacts include concerns about the security of the SEC’s social media accounts,” SEC Chairman Gary Gensler said in a statement.
Ethereum creator Vitalik Buterin fell prey to a SIM swap attack in September. The hacker posted a fake NFT promotion that resulted in those who clicked on it losing nearly $700,000, according to ZachXBT, an online sleuth.
The incident led cybersecurity experts to recommend that users not link phone numbers to social media accounts.
The most important recommendation, of course, is to use two-factor authentication, or 2FA, to control access to social media accounts.
New vulnerabilities in X
Neither the SEC nor DeFi Kingdoms was using two-factor authentication (2FA). “This is on us and we should know better,” Sauron told DL News in an interview.
In a statement sent to DL News, the Securities and Exchange Commission confirmed that it had been hit by a SIM swap attack. A spokesperson for the agency said its technicians disabled multi-factor authentication for its X account in July due to difficulties accessing and managing the account. The agency re-enabled it after the hack.
The wave of SIM swap cases also highlights new vulnerabilities in X.
Since February 2023, X has only allowed verified or paid accounts to use two-factor authentication. But Sauron explained that 2FA can be a hassle when multiple people post from the same account, which is apparently why the SEC removed it.
Once the breach occurs, the lack of response from X makes it difficult to rectify the situation, he said. Attempts to contact the X security team resulted in slow responses and automated messages that failed to effectively address the issue.
Press representatives from X did not respond to a request for comment.
Phishing links
“One issue we ran into was when we said, ‘Our account was hacked,’ and we would get an automated response saying we had access to our account,” Sauron said.
On another occasion, the automated reply requested additional information, but the team then heard nothing further.
All the while, the hacker – who demanded 5 ETH in exchange for reinstating the account – posted phishing links to the account's followers.
With the help of a contact within X, the best the team could do was temporarily lock the account, but the phishing link remained in the account's bio, Sauron said.
DeFi Kingdoms was eventually able to get its account back but the experience was stressful.
“There is no guarantee that you will reach X and recover your account,” Sauron said.
As far as Sauron knows, no one has lost money from phishing links. For him, the biggest downside to the automated process is not being able to talk to a real person, which might have made the process faster.
“At least if I call my bank, I can yell at the robot enough to eventually give me one,” he said. “But if it exists through X, I won't be able to find it.”