A phishing scammer who posed as a Forbes reporter briefly gained access to the X (formerly Twitter) account of blockchain security platform CertiK and used it to post messages advertising a malicious Web3 app, according to an X post from CertiK on Jan. 5.
The post stated that a “verified account, associated with a well-known media, contacted one of our employees.”
The account turned out to have been compromised, which resulted in the employee getting phished and “related tweets” being posted to the account, the post claimed.
The malicious messages have now been deleted. In a Jan. 5 post to X, blockchain security platform Cyvers claimed to have seen the messages before they were deleted.
🚨ALERT🚨We are seeing reports that @CertiK's X account has been compromised!
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) January 5, 2024
According to Cyvers, the messages stated that Uniswap’s router had been compromised and that users needed to revoke all approvals for Uniswap using Revoke.cash. The link led to a fake version of Revoke.cash that attempted to steal users’ crypto.
The malicious messages were discovered within seven minutes of them being posted, CertiK claimed, and the team immediately began a recovery process to remove the attacker’s access to its X account.
Within 14 minutes, the team managed to delete the first of the malicious posts. After 37 minutes, the team’s investigation was over and the danger was neutralized.
CertiK claimed that the scam was part of “a large-scale ongoing attack” similar to the one described by X user NFT_Dreww.eth in a Dec. 21 post.
NFT_Dreww.eth had described a phishing scam in which the attacker posed as a Forbes reporter and asked victims to connect their X accounts to the Calendly calendar app to schedule a meeting.
⛔ Calendly Social Engineering Scam ⛔
Have you been contacted by a 'Forbes Employee' or someone who wants to interview you for an article, partnership, or job? Are they asking you to connect your wallet or twitter account to Calendly? If so, DON'T… pic.twitter.com/FNKyl9ZsGr
— NFT_Dreww.eth (@nft_dreww) December 21, 2023
The links did not actually go to Calendly’s official website. Instead, they went to a fake Calendly site with a misspelled URL.
Once the victim “connected” their X account to the fake site, they unwittingly approved permissions for the attacker to post to X on their behalf.
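Both scams in this story hinged on a lookalike hostname (a misspelled Calendly, a fake Revoke.cash). Below is a defender-side URL check that would flag such hosts before anyone clicks "connect"; it is example code added here, not code from CertiK, Cyvers or any service the article names, and the sample URLs in it are constructed. Only the two legitimate domains come from the article; the confusable-character map and the two-edit threshold are assumptions.

```python
from urllib.parse import urlparse

# Services the article says were impersonated (real names from the article).
LEGIT_DOMAINS = ("calendly.com", "revoke.cash")

# Small, illustrative digit-for-letter substitution map seen in lookalike hostnames.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def extract_host(url: str) -> str:
    """Lower-cased hostname with any leading 'www.' and trailing dot removed."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; hostnames are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> tuple:
    """Return ('legit' | 'lookalike' | 'unknown', matched legitimate domain or None)."""
    host = extract_host(url)
    # The exact domain or a genuine subdomain of it (app.calendly.com) is legitimate.
    for legit in LEGIT_DOMAINS:
        if host == legit or host.endswith("." + legit):
            return ("legit", legit)
    labels = host.replace("-", ".").split(".")
    registrable = ".".join(host.split(".")[-2:])  # naive eTLD+1; no public-suffix list
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        # Brand name reused as a label elsewhere: calendly.com.evil.example, revoke-cash.com
        if brand in labels:
            return ("lookalike", legit)
        # Typo or digit swap within two edits of the real domain: calendIy.com, calend1y.com
        if levenshtein(registrable.translate(CONFUSABLES), legit) <= 2:
            return ("lookalike", legit)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample URLs, not the ones used in the attack.
    for sample in ("https://app.calendly.com/x", "https://calend1y.com/meet",
                   "https://revoke-cash.com", "https://example.org"):
        print(sample, "->", classify_url(sample))
```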
In a reply to CertiK’s post, on-chain sleuth ZachXBT shared an alleged screenshot of the message used to phish CertiK.
Here is the leaked DM Certik got phished by.
Why did you not find the “well-known media” account which contacted you suspicious since they had not posted since April 2020 (clearly compromised)?
Will Certik be reimbursing victims? pic.twitter.com/ys1HcQgPCT
— ZachXBT (@zachxbt) January 5, 2024
The message appears to be from a person impersonating former Forbes and Bloomberg contributor Mark Beech, who passed away in 2020.
In their post, ZachXBT asked CertiK if they would reimburse victims who may have been phished as a result of the malicious post to CertiK’s account. In response, CertiK stated “We encourage those affected during the recent Twitter incident to reach out to us.”
Thank you, ZachXBT, for sharing further details from the scammer. While it’s easy to point the finger after a phishing attack, the reality is that these scams are designed to exploit human trust and vulnerabilities. That is why we are dedicated to build strong security systems…
— CertiK (@CertiK) January 5, 2024
Phishing attacks have compromised several high-profile crypto X accounts over the past two weeks. On Dec. 29, Compound Finance’s account was compromised. On Jan. 4, the founder of Polychain Capital was hit as well.