Vitalik Buterin Discloses Twitter SIM Swap Attack That Drained $691K From Users’ Wallets
Ethereum co-founder Vitalik Buterin revealed that his recent Twitter (X) account hack, that wiped over $691,000 victims’ funds in a fake NFT promo, was a result of a “SIM swap” attack.
Blockchain analyst ZachXBT, which confirmed $691,000 had been drained from people’s wallets, declined to speculate whether Buterin was the victim of a “SIM swap.” The reply came as an X user, Satoshi 767, assumed that the hack could be a SIM Swap attack.
you do not know yet whether it was a SIM swap. Vitalik is a big enough target to where an insider could have been paid off or panel was used.
— ZachXBT (@zachxbt) September 10, 2023
Essentially, SIM swapping occurs when a SIM scammer gains control of a phone number by assuming the victim’s identity and persuading their mobile service provider. Once they have control over this, they pass any SMS-based two-factor authentication (2FA) processes for accounts associated with that number, gaining complete control.
Buterin Confirms ‘SIM Swap’
In a post on the decentralized social media Warpcast, Buterin revealed that someone “socially-engineered” his Twitter mobile taking control of his phone number.
“I had seen the ‘phone numbers are insecure, don’t authenticate with them’ advice before, but did not realize this.”
He said that the hack taught him to completely remove phone numbers from Twitter. A phone number is “sufficient to password reset a Twitter account even if not used as 2FA,” he added.
“I don’t remember when I *added* the number; my guess is that it was required to sign up for Twitter Blue.”
Twitter’s terms were updated in December 2022, which reflected that a verified phone number is required for a Twitter Blue subscription. If a user is not yet a Blue subscriber and hasn’t verified a phone number, the user will be prompted to verify a number when proceeding to sign up.
“Anyway, glad to be on Farcaster, where my account recovery can be controlled by a good wholesome Ethereum address :),” Buterin said, after gaining control of his account.
SIM Swap Isn’t New
SIM swap attacks have had a long history in the recent past in the crypto sector. The Federal Bureau of Investigations issued a warning in 2022 on the increasing SIM swap attacks that specifically targeted victims who were likely to own large amounts of cryptocurrency.
Per the FBI estimates, $72 million was stolen in SIM-swap attacks last year, up from $68 million in 2021.
Last month, Bart Stephens, managing partner of Blockchain Capital, claimed that he fell victim to a $6.3 million crypto hack resulting from a SIM-swap attack. The hacker allegedly stole Bitcoin (BTC), Ether (ETH) and other cryptocurrencies from his digital wallets.
Stephens has also backed influential crypto ventures like Worldcoin, Coinbase, and Kraken.
In yet another SIM swap heist, LayerZero CEO Bryan Pellegrino confirmed in early July, that hackers took over his Twitter account briefly.
And… we're back in. This was basically my life for the past 24 hours. Luckily we saw hack immediately and the battle began pic.twitter.com/pjrkMfQ2vT
— Bryan Pellegrino (@PrimordialAA) July 5, 2023
“Checked my phone and saw SOS status and realized it had been a sim swap,” Pellegrino wrote. “Lesson for me is that I need to be exceptionally careful about these things.”
