- Vitalik Buterin confirms the hack on his X account was due to a SIM-swap attack on his T-Mobile account.
- The attack led to the loss of more than $690,000 by various users.
- Almost 75% of the stolen assets were in the form of NFTs.
Ethereum co-founder Vitalik Buterin has revealed that the hack on his X account was the result of a SIM-swap attack in which the attackers took over his mobile phone number and used it to access his account.
Buterin’s T-Mobile Account Hijacked in SIM-Swap Attack
After his X account was compromised on September 9, Buterin took to Warpcast, a decentralized social media platform, on September 12 to address the issue, confirming that the hack was due to a SIM-swap attack.
The Ethereum co-founder said that he had finally regained control of his T-Mobile account from the attackers. “Finally got back my T-Mobile account (yes, it was a sim swap, meaning that someone socially engineered T-Mobile itself to take over my phone number),” he wrote.
It was Dmitry Buterin, Vitalik’s father, who made the compromise of the account public, stating that his son was actively trying to regain control of the account.
During the attack, the fraudsters posted a phishing link accompanied by a false message announcing the release of a commemorative NFT by ConsenSys, celebrating Ethereum’s Proto-Danksharding introduction.
Once users clicked on the malicious link in the hope of receiving free NFTs, they granted the attackers access to their crypto wallets. The phishing attack resulted in the loss of digital assets worth more than $690,000, according to data from blockchain analyst ZachXBT. More than 73% of this amount was in the form of NFTs that users had been holding.
ZachXBT, however, did not say whether Vitalik was specifically targeted by the SIM-swap attack, noting that the Ethereum co-founder, who has 4.9 million followers on X, is a “big enough target to where an insider could have been paid off or panel was used.”
Buterin Shares Lessons Learned from the Attack
In his remarks on Warpcast, Buterin reflected on the incident and shared what he had learned with the crypto community. He warned that a phone number is sufficient to reset the password of an X account even if it is not used for two-factor authentication (2FA).
He advised users to remove their phone numbers from their X accounts entirely, adding from his own experience that “phone numbers are insecure, don’t authenticate with them”. Although he had given the same advice before, he said he had underestimated how much risk a linked phone number carries in this context.
Ethereum developer Tim Beiko shared similar sentiments and asked users to enable 2FA as an additional layer of security. In a post on X addressed to platform owner Elon Musk, Beiko said, “Seems like a no-brainer to have this default on, or to default turn it on when an account reaches, say, >10k followers,” referring to turning on 2FA by default for accounts with large followings.
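The weakness Buterin describes, and Beiko's proposed default, can be made concrete with a small model of an account-recovery policy. The following is an added example, not code from X or from anyone quoted in the article; the `Account` class, the policy functions and the sample accounts are constructed for illustration and do not describe X's actual implementation. It contrasts a recovery path that accepts a linked phone number as sole proof of identity (so a SIM swap bypasses 2FA entirely) with one that requires a factor not tied to the phone number, and runs an audit that flags accounts exposed to SIM-swap takeover along with the remediation the article recommends.

```python
from dataclasses import dataclass, field

# Factors that ride on the phone number and therefore fall with a SIM swap.
PHONE_BOUND_FACTORS = {"sms"}


@dataclass
class Account:
    """Constructed model of a social-media account's recovery settings (hypothetical)."""
    handle: str
    followers: int
    phone_linked: bool
    # Enabled 2FA methods, e.g. {"totp", "security_key", "sms"}; empty means no 2FA.
    two_factor_methods: set = field(default_factory=set)

    def strong_factors(self) -> set:
        """2FA methods that an attacker holding the phone number does not control."""
        return self.two_factor_methods - PHONE_BOUND_FACTORS


def weak_policy_takeover(acct: Account, attacker_controls_phone: bool) -> bool:
    """Weak recovery policy: a linked phone number alone can reset the password,
    regardless of whether 2FA is enabled. This is the behaviour Buterin warned about:
    2FA via an authenticator app does not help if the reset path ignores it."""
    return acct.phone_linked and attacker_controls_phone


def hardened_policy_takeover(acct: Account, attacker_controls_phone: bool) -> bool:
    """Hardened recovery policy: a password reset must be confirmed by a factor that
    is not bound to the phone number. Phone-based recovery is only reachable when
    the account has no such factor, which is exactly the case the audit flags."""
    if acct.strong_factors():
        return False
    return acct.phone_linked and attacker_controls_phone


def audit(accounts, follower_threshold: int = 10_000) -> dict:
    """Flag accounts that a SIM swap could take over and list the fixes the article
    recommends. `needs_default_2fa` applies Beiko's suggested rule: accounts above
    the follower threshold without a strong factor should have 2FA turned on."""
    findings = {}
    for acct in accounts:
        strong = acct.strong_factors()
        remediation = []
        if acct.phone_linked:
            remediation.append("remove phone number from account")
        if not strong:
            remediation.append("enable TOTP or security-key 2FA")
        if "sms" in acct.two_factor_methods:
            remediation.append("replace SMS 2FA with a non-phone factor")
        findings[acct.handle] = {
            "sim_swap_exposed": acct.phone_linked and not strong,
            "needs_default_2fa": acct.followers > follower_threshold and not strong,
            "remediation": remediation,
        }
    return findings


# Constructed sample accounts (follower counts and settings are illustrative only).
SAMPLE_ACCOUNTS = [
    Account("high_profile_no_2fa", 4_900_000, phone_linked=True),
    Account("phone_plus_totp", 20_000, phone_linked=True, two_factor_methods={"totp"}),
    Account("sms_only_2fa", 50_000, phone_linked=True, two_factor_methods={"sms"}),
    Account("hardened", 500, phone_linked=False, two_factor_methods={"security_key"}),
]

if __name__ == "__main__":
    for handle, result in audit(SAMPLE_ACCOUNTS).items():
        print(handle, result)
```

The `phone_plus_totp` account is the instructive case: under the weak policy a SIM swap still takes it over even though authenticator-app 2FA is enabled, because the reset path never consults it; under the hardened policy the same account is safe, and the audit reports it as not exposed while still recommending that the phone number be removed.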
This is just the latest in a growing wave of attacks on the crypto space, where investors lose money on a daily basis.
Over the last few months, cyber-attacks have targeted figures such as OpenAI's CTO Mira Murati, Uniswap founder Hayden Adams, Sandbox CEO Arthur Madrid, and renowned NFT artist Beeple.
Binance CEO Changpeng Zhao has voiced concern over the surge in such attacks, urging users to remain alert and to treat even information posted by notable people with caution.