This article is more than six months old

The hack trend haunting the SEC and crypto firms. ‘We should know better’

The hack trend haunting the SEC and crypto firms. ‘We should know better’
Web3People & Culture
DeFi Kingdoms, a role playing game with characaters like the one above, struggled to recover its X account. Credit: Andrés Tapia
  • Hackers used an old gambit to take over DeFi Kingdoms' X account for 10 days.
  • The bogus tweet on approval of the Bitcoin ETFs on January 9 embarrassed the SEC.
  • Spate of attacks casts spotlight on weaknesses in Elon Musk's X.

Halfway through a meeting on January 8, Bolon Soron lost his signal on his phone. This wasn’t a normal interruption.

Soron, the pseudonymous director of Kingdom Studios, creator of the popular web3 game DeFi Kingdoms, realised his phone had been SIM swapped.

Soon enough a hacker accessed the game’s X account and locked out the entire team. For 10 days, the culprit disseminated phishing links to the game’s 114,000 X followers before order was restored.

The worst part: Soron said he could not get through to X representatives to help him take back control of the account.

Crypto targeted

SIM swapping isn’t new. It entails tricking a telecom company customer service rep into transferring a target’s phone number to a new device controlled by a hacker.

Yet over the last few years, perpetrators have increasingly switched to using the tactic to access social media accounts. And crypto has become a happy hunting ground.

‘That’s on us and we should know better.’

—  Boron Soron, DeFi Kingdoms

Moreover, X, under the ownership and direction of Elon Musk, has removed many of the measures that used to help non-paying account holders protect themselves from security breaches.

SIM swapping stormed back into the headlines on January 9 when hackers seized control of the US Securities and Exchange Commission’s X account and tweeted the premature approval of Bitcoin exchange traded funds.

Join the community to get our latest stories and updates

The bogus tweet was live for about 26 minutes before SEC staff alerted the public, the agency said.

“Commission staff are still assessing the impacts of this incident on the agency, investors, and the marketplace but recognise that those impacts include concerns about the security of the SEC’s social media accounts,” SEC Chair Gary Gensler said in a statement.

Ethereum creator Vitalik Buterin fell prey to a SIM swap attack in September. The hacker posted a fake NFT promo that resulted in the loss of almost $700,000 for those that clicked on it, according to ZachXBT, an online sleuth.

The incident spurred recommendations from cybersecurity experts not to link phone numbers to social media accounts.

Chief among those, of course, is using two-factor authentication, or 2FA, to authorise access to social media accounts.

New weaknesses in X

Neither the SEC nor DeFi Kingdoms used 2FA. “That’s on us and we should know better,” Soron told DL News in an interview.

In a statement sent to DL News, the SEC confirmed it was stung by a SIM swapping hack. An agency spokesman said its technicians had disabled ‘multi-factor authentication’ for its X account in July due to difficulties accessing and managing the account. The agency reinstated the process after the hack.

The spate of SIM swapping cases also highlights new weaknesses in X.

Since February 2023, X has only permitted verified or paid accounts to use 2FA. But Soron explained it can be cumbersome when multiple people are posting from the same account — which appears to be why the SEC removed it.

Once a hack has taken place, a lack of response from X makes it hard to rectify the situation, he said. Attempts to contact X’s security team resulted in slow responses and automated messages that failed to address the issue effectively.

Press representatives from X did not respond to a request for comment.

Phishing links

“One of the problems that we were running into was when we said, ‘Our account is compromised,’ and we would just get an automatic response saying we had did have access to our account,” Soron said.

On another occasion, an automated response asked for additional information but they never heard back.

All the while the hacker — who had demanded 5 ETH for the return of the account — posted phishing links to the account’s followers.

With the help of a contact inside X, the best the team could do was temporarily lock the account, but the phishing link remained in their bio, Soron said.

‘There really isn’t any assurance that you’re going to get through to X and get your account back.’

—  Boron Soron

DeFi Kingdoms was eventually able to get its account back but the experience was stressful.

“There really isn’t any assurance that you’re going to get through to X and get your account back,” Soron said.

As far as Soron knows, nobody lost money from the phishing links. For him, the biggest downside of the automated process was not being able to talk to an actual person, which may have made the process quicker.

“At least if I call my bank, I can yell at the robot enough that it will give me a person eventually,” he said. “But if that exists through X, I couldn’t find it.”

Got an Asia crypto story? Get in touch with DL News’ Asia Correspondent at callan@dlnews.com.