Bored Apes, Other NFTs Are Stolen In Major Twitter Phishing Hack

Zinger Key Points
  • The attackers distributed their malicious payload through a fake Apecoin airdrop website that was promoted through multiple verified Twitter accounts that were compromised.
  • Blockchain analysis and cybersecurity firm AnChain.ai severely criticized Twitter's response, noting that “the fact that hacked verified accounts are not triggering Twitter’s spam detection when using a script to push out multiple tweets per second is absurd.”

At least 35 non-fungible tokens (NFTs) were stolen in a major Twitter Inc. TWTR phishing-propagated hack on their holders.

What Happened: The NFTs in question were stolen by promoting a website that exploited vulnerabilities in user's web browsers to send a transaction with their non-fungible tokens to the attacker without them prompting for it to happen, according to a Wednesday report in The Block Crypto. 

Data shared with the crypto news outlet by blockchain analysis firm Elliptic shows that NFTs stolen in the attack were worth at least $900,000 and included tokens from the Bored Ape, Mutant Ape and Bored Ape Kennel Club collections.

The attackers distributed their malicious payload through a fake Apecoin APE/USD airdrop website that was promoted through multiple verified Twitter accounts that were compromised — some of which had over 50,000 followers.

Blockchain analysis and cybersecurity firm AnChain.ai severely criticized Twitter's response, noting that “the fact that hacked verified accounts are not triggering Twitter’s spam detection when using a script to push out multiple tweets per second is absurd.”

Aaron Cadena, the co-founder of NFT-themed cannabis vaping company Gutter Bars, wrote that "the tweet looked strange, but this is someone that I had actually followed [previously] so I didn’t overthink it ... I clicked the link in the tweet and was immediately prompted to connect my wallet, which I did not do."

He explained that "after clicking cancel, the prompt kept popping up over and over again. I clicked cancel a few more times, then caught onto what was happening and tried leaving the site but my screen was locked. I ended up having to just force quit the browser, but then I got a notification that two assets were transferred from my wallet and it felt like a punch in the gut ..."

Hacks such as these are a reminder that — despite blockchains such as Ethereum's ETH/USD being exceptionally secure when compared to traditional server infrastructure — users and their local software that can interact with that blockchain is usually much easier to compromise for a skilled attacker.

One important step for protecting your cryptocurrencies is to keep your private keys away from your internet-connected devices that can easily be hacked such as computers and mobile devices through the use of hardware wallets. 

Market News and Data brought to you by Benzinga APIs
Comments
Loading...
Posted In:
Benzinga simplifies the market for smarter investing

Trade confidently with insights and alerts from analyst ratings, free reports and breaking news that affects the stocks you care about.

Join Now: Free!