SlowMist Warns About Fake Journalists Orchestrating Crypto Thefts

Security firm SlowMist has issued a warning about a wave of crypto thefts orchestrated by fake journalists. 

In a recent Medium post, the company said the first instance of this malicious campaign was reported on October 14 when a Twitter user named Masiwei alerted the community about a targeted attack on friend.tech for account theft. 

SlowMist’s security team conducted an analysis and discovered that the attackers were sending links containing malicious JavaScript scripts. 

The goal was to trick users into adding these links as bookmarks, laying the groundwork for future malicious activities. 

Shortly after, on October 17, a victim named Double Wan reported that their assets on friend.tech were stolen.

“The SlowMist Security Team immediately assisted the victim in tracking and investigating the theft. Through the efforts of the SlowMist team and the cooperation of OKX, the stolen funds were successfully intercepted,” the report said. 

How Did the Attackers Pulled Off the Hacks?

In order to pull off the hack, the attackers posed as journalists from reputable news agencies and even managed to accumulate a substantial following on Twitter.

They then targeted their victims with a malicious JavaScript script. The attackers focused on Key Opinion Leaders (KOLs) as their primary targets, banking on their popularity and the likelihood of receiving interview invitations.

Once an interview was scheduled, the attackers would guide the victims to join the conversation on Telegram, providing an interview outline to establish credibility.

After the interview concluded, the attackers would ask the victims to fill out a form and open a phishing link provided. 

This link, under the guise of verification, aimed to deceive users into revealing their friend.tech account information. 

The victims were instructed to drag a seemingly innocuous “Verify” button to their bookmark bar, which contained the malicious JavaScript script. 

When clicked, this script would trick users into revealing their friend.tech account password and the associated tokens stored in the embedded wallet Privy, putting both the account and funds at risk of being stolen.

How to Protect Against Phishing Scams

To protect against such phishing attacks, SlowMist recommended users to increase awareness of social engineering attacks, exercise caution when clicking on unknown links, and learn to identify phishing links by checking for misspellings or irregularities in domain names. 

Furthermore, users are advised to install anti-phishing plugins, like MetaMask’s recently-launched alert feature.

As reported, hackers have stolen millions worth of digital assets by performing SIM-swapping attacks on friend.tech users. 

According to Manifold Trading, a company dedicated to developing tools for the industry, $20 million out of friend.tech’s total locked value of $50 million is at risk. 

“If you assume 1/3 of FriendTech accounts are connected to phone numbers, that’s $20M at risk from sim-swaps,” the company wrote in a recent post on X. 

Manifold Trading also noted that friend.tech’s current setup “technically allows a rogue dev to reconstruct private keys via Shamir-Secret-Sharing shares that they can recover from user data in their database,” concluding that the whole TVL is at risk.