Ethereum's Vitalik Buterin Says Sim-Swap Attack Behind $691K Hack of His X Account

Ethereum’s Vitalik Buterin Says Sim-Swap Attack Behind $691K Hack of His X Account

Updated: 12 September 2023

Disclosure

Don’t invest unless prepared to lose all the money you invest. This is a high-risk investment, you shouldn’t expect to be protected if something goes wrong.

Join Our Telegram channel to stay up to date on breaking news coverage

Ethereum co-founder Vitalik Buterin confirmed that the hacking of his X account was executed through a sim-swap attack that took over his mobile phone number and accessed his account.

Following the compromise of his X account on September 9, Buterin took to the decentralized social media network Warpcast on September 12 to address the issue. He said he had finally regained control of his T-Mobile account after he lost it to the attack.

“Finally got back my T-mobile account (yes, it was a sim swap, meaning that someone socially engineered T-mobile itself to take over my phone number),” he wrote.

The compromise of the X account was made public by Dmitry Buterin, Vitalik’s father, who stated that his son was actively trying to regain control of the account. During that time, scammers posted a phishing link accompanied by a false message that announced the release of a commemorative NFT by ConsenSys, celebrating Ethereum’s Proto-Danksharding introduction.

By clicking on the malicious link to get free NFTs, users gave the scammers access to their crypto wallets leading to the theft of assets worth over $691,000, according to data provided by Blockchain analyst ZachXBT. Of this amount, more than 73% was in the form of NFTs that users had been holding.

Update: $691k drained (another 33% in drainer fee address) pic.twitter.com/AVIShqDlMU

— ZachXBT (@zachxbt) September 9, 2023

Buterin Offers Takeaways

In the conversation on Warpcast, Buterin reflected on the incident and offered his takeaways to the crypto community, warning that a phone number is sufficient to password reset an X account even if it is not used as two-factor authentication (2FA).

He advised X users to completely remove their phone numbers from their X accounts, adding that he had seen “phone numbers are insecure, don’t authenticate with them” advice before, but had underestimated how much vulnerability is associated with phone numbers in this context.

The recommendation to remove phone numbers from X accounts was reiterated by Ethereum developer Tim Beiko who also asked users to enable their 2FA as an additional layer of security. “Seems like a no-brainer to have this default on, or to default turn it on when an account reaches, say, >10k followers,” he said to platform owner Elon Musk, referring to turning on 2FA as a default for accounts with large followings.

Twitter opsec PSA:

If you have a phone number linked on your account, even with other 2FA, it can be used to reset your PW. Need to specifically disable it + remove phone #.

If your Twitter account pre-dates crypto, strongly recommend double-checking, and adding strong 2FA! pic.twitter.com/uXrvHYhQvJ

— timbeiko.eth ☀️ (@TimBeiko) September 9, 2023

Increased Crypto Attacks

Sim swapping, also known as sim jacking, is an attack where hackers get access to the victim’s phone number. This commonly happens when scammers contact your mobile phone’s carrier and trick them into activating a SIM card that the fraudsters have.

Once they have access to your phone number, the hackers then take advantage of a weakness in two-factor authentication and verification and use the phone number to access accounts connected to the phone number, such as an X account in Buterin’s case, as well as banking and crypto accounts.

T-Mobile has previously been tied to similar attacks where victims’ T-Mobile accounts are compromised. The telecom operator was sued in 2020 on the grounds that a series of SIM-swap hacks allowed the theft of cryptocurrencies valued at $8.7 million.

In 2021, the company was sued again after a customer lost $450,000 in Bitcoin as a result of another SIM-swap attack.

Due to its credibility, especially regarding information from high-profile figures, X has also become prone to attacks targeting prominent figures in the crypto industry to spread fraudulent links.

Over the past few months, cyber-attacks have targeted figures such as OpenAI’s CTO Mira Murati, Uniswap founder Hayden Adams, Sandbox CEO Arthur Madrid, and renowned NFT artist Peeple.

Binance CEO Changpeng Zhao has voiced concerns over these cyber-attack surges urging users to be more alert and careful even with information posted by notable people.

Vitalik's Twitter account got hacked. Use common sense when reading content on social media, even from large KOLs.

Twitter's account security is not designed as financial platforms. It needs quite a bit more features: 2FA, login id should be different from handle or email, etc.… pic.twitter.com/oYQch8r2H0

— CZ 🔶 Binance (@cz_binance) September 10, 2023