Telefonica Partners Chainlink to Mitigate SIM Swap Attacks in Web3

February 17, 2024 Bitcoin.com

Friend.tech adds new security upgrade in wake of SIM-swap attacks

October 10, 2023 Coin Telegraph

2FA

The 2FA security measure is optional for Friend.tech users seeking additional security on the platform.

The team behind the decentralized social media platform Friend.tech has added a new security feature amid attempts to stem a flood of SIM-swap attacks targeting its users.

“You can now add a 2FA password to your Friend.tech account for additional protection if your cell carrier or email service becomes compromised,” the team explained in an Oct. 9 post on X (formerly Twitter).

Friend.tech users will be prompted to add another password in when signing onto new devices.

“Neither the friendtech nor Privy teams can reset these passwords, so please use care when using this feature,” Friend.tech added.

You can now add a 2FA password to your https://t.co/YOHabcBL3H account for additional protection if your cell carrier or email service becomes compromised.

Neither the friendtech nor Privy teams can reset these passwords, so please use care when using this feature pic.twitter.com/g0m2E4att2
— friend.tech (@friendtech) October 9, 2023

The latest change follows several SIM-swap attacks targeting Friend.tech users since September.

On Sept. 30, froggie.eth was among the first in a string of Friend.tech users to be compromised by a SIM-swap attack, urging others to stay vigilant.

got swim swapped for 20+ ETH (they drained my https://t.co/xb5o31p3Yy)... stay vigilant out there bros

set a PIN on your sim even if you don't think you need to
— froggie.eth (@brypto_) September 30, 2023

More Friend.tech users came forward with similar stories in the following days with an estimated 109 Ether (ETH), worth around $172,000, stolen from four users within a week. Another four users were targeted over a 24-hour period just days later, with another $385,000 worth of Ether stolen.

Friend.tech had already updated its security once on Oct. 4 to allow users to add or remove various login methods in an attempt to mitigate the risk of SIM-swap exploits.

Several observers criticized Friend.tech for not implementing the solution sooner.

“Finally,” one user said, while another said: “took you long enough.”

However, a prominent creator on Friend.tech, 0xCaptainLevi, was more optimistic, stressing that 2FA is a “big deal” and can help push the social media platform to unseen heights:

2FA is a big deal. Road to $100M TVL never seemed brighter❤️‍ https://t.co/bxd3V3M3mx
— Levi ⚡️ (@0xCaptainLevi) October 10, 2023

In an Oct. 8 X thread, Blockworks founder Jason Yanowitz revealed one of the ways the SIM-swap attacks are being orchestrated. The process involves a text message that asks the user for a number change request, where users can reply with “YES” to approve the change or “NO” to decline it.

If the user responds with “NO” — the user is then sent a real verification code from Friend.tech and is prompted to send the code to the scammer’s number.

“If we do not hear a response within 2 hours, the change will proceed as requested,” a follow-up message shows.

"In reality, if I sent the code, my account would get wiped," he said.

Someone is trying to hack my @friendtech

1) Text sent saying they’re changing my number

2) I respond no

3) They say to confirm no, send the verification code

4) Receive actual verification code from friend tech

5) After no response, they text again saying they’ll auto… pic.twitter.com/j76vI969jP
— Yano (@JasonYanowitz) October 8, 2023

The total value locked on Friend.tech currently sits at $43.9 million, down 15.5% from its all-time high of $52 million on Oct. 2, according to DefiLlama.

*Change in total value locked on Friend.tech since Aug. 10. Source: DefiLlama.*

Cointelegraph reached out to Friend.tech for comment but did not receive an immediate response.

Magazine: Blockchain detectives — Mt. Gox collapse saw birth of Chainalysis

Friend.tech SIM-swap scourge continues as scammer nets $385K in Ether

October 5, 2023 Coin Telegraph

Friend.tech SIM-swap scourge continues as scammer nets 5K in Ether

Coin Telegraph

Leaked mobile phone numbers have given scammers an easy way to drain Friend.tech user accounts.

A single scammer has reportedly managed to steal around $385,000 worth of Ether (ETH) in less than 24 hours amid a scourge of SIM-swap hacks seemingly targeting Friend.tech users.

On Oct. 5, blockchain sleuth ZachXBT reported the same scammer had pilfered 234 ETH over the past 24 hours by SIM-swapping four different Friend.tech users.

The on-chain movement of crypto assets was traced back to the same hacker who drained the accounts of the four victims.

The same scammer profited $385K (234 ETH) in the past 24 hours off SIM swapping four different FriendTech users. pic.twitter.com/03BoBEqGax
— ZachXBT (@zachxbt) October 4, 2023

One of the reported victims of the most recent chain of SIM-swap attacks posted to X (Twitter) following the attack:

“Got sim swapped. Apparently, dude was able to do it from an Apple store and switched it to an iPhone SE. Don’t buy my keys, that wallet is compromised.”

X user “KingMgugga” reported an attack targeting them happening in real time, posting to X that they were “getting f---ing sim swapped watching it happen” and asking for help. Meanwhile, another X user, “holycryptoroni,” confirmed they were similarly attacked, lamenting, “I got swapped sorry.”

Earlier this week, a further four Friend.tech users claimed to have their accounts drained as a result of a SIM-swap or phishing attack, totaling around 109 ETH stolen.

I was just SIM swapped and robbed of 22 ETH via @friendtech

The 34 of my own keys that I owned were sold, rugging anyone who held my key, all the other keys I owned were sold, and the rest of the ETH in my wallet was drained.

If your Twitter account is doxxed to your real… pic.twitter.com/5wA86mjYEG
— daren (friend, friend) (@darengb) October 3, 2023

Friend.tech allows users to purchase “keys” of individuals, which grants access to private chat rooms with them.

The SIM-swap scam occurs when scammers gain access to the victim’s phone number and use it to acquire authentication, which enables them to access their social media and crypto accounts.

Manifold Trading, a firm building tools for the ecosystem, estimated that $20 million of Friend.tech’s $50 million of total value locked could be at risk. It called for the platform to beef up its account security measures by enabling two-factor authentication (2FA).

There have also been calls for X to implement 2FA security measures to prevent mobile phone numbers from getting leaked following the high-profile hack of Vitalik Buterin’s account in September, which was also due to a SIM swap attack.

“0xfoobar,” founder and CEO of wallet security firm Delegate, advised removing phone numbers from social media accounts.

crypto twitter is like a neighborhood where once a day somebody leaves their front door open, gets robbed, and everybody comes together to lament the loss, leaving their own front doors open. instead of retweeting the 75th simswap of the week go remove your phone from everything
— foobar (@0xfoobar) October 5, 2023

Magazine: Blockchain detectives — Mt. Gox collapse saw birth of Chainalysis

Friend.tech users blame SIM swaps after more than 100 ETH drained in a week

October 4, 2023 Coin Telegraph

attack

In a short period of time, four friend.tech users reported their accounts were compromised and drained after hackers seized control of their mobile numbers.

Friend.tech users are warning of possible SIM-swap attacks after a recent spate of supposed hacks resulting in nearly 109 Ether (ETH) worth around $178,000 being drained from four users in under a week.

On Sept. 30, the X (formerly Twitter) user known as “froggie.eth” warned their Friend.tech account was SIM-swapped — where exploiters gain control of a user’s mobile number to intercept two-factor authentication codes, then used to access accounts — and subsequently drained of over 20 ETH.

Days later, on Oct. 3, a string of Friend.tech users reported similar incidents, with musician Daren Broxmeyer saying he was SIM-swapped and drained of 22 ETH.

His phone was earlier “spammed with phone calls,” which he believed was to force him to miss a text from his service provider warning him that someone was trying to access his account.

I was just SIM swapped and robbed of 22 ETH via @friendtech

The 34 of my own keys that I owned were sold, rugging anyone who held my key, all the other keys I owned were sold, and the rest of the ETH in my wallet was drained.

If your Twitter account is doxxed to your real… pic.twitter.com/5wA86mjYEG
— daren (friend, friend) (@darengb) October 3, 2023

The same day another user, “dipper,” also said their account was compromised, adding they have “no idea” how exploiters could hack their account, as they use strong passwords.

The fourth user, “digging4doge,” was drained of around 60 ETH after falling for a phishing scam that tricked them into sharing a login code.

Friendtech user @digging4doge just got drained to the tune of ~60 eth worth of keys.

About an hour ago, he received a text informing him that a number change had been requested for his account.

He had two hours to respond or the request would be auto approved. This was, of… pic.twitter.com/L21Hr041kP
— quit (,) (@0xQuit) October 4, 2023

Crypto investment firm Manifold Trading explained that any hacker gaining access to a Friend.tech account is then able to “rug the whole account.”

Assuming that a third of Friend.tech accounts are connected to phone numbers, around $20 million is at risk of being exploited through Friend.tech user-focused exploits, they said.

Manifold also suggested that, technically, all of Friend.tech is at risk due to how the platform’s security is set up, and solving the issues “should honestly be the number 1 priority.”

If any hacker gains access to a FriendTech account via simswap/email hack, they can rug the whole account

If you assume 1/3 of FriendTech accounts are connected to phone numbers, that's $20M at risk from sim-swaps

FriendTech's current setup also technically allows a rogue dev… https://t.co/XgodMNSh2l
— Manifold (@ManifoldTrading) October 2, 2023

Manifold suggested Friend.tech allow users to add 2FA to logins, key decryptions and transactions.

Users should also be given the option to change the login method from a number to email and allow for third-party wallets to be used.

High-profile crypto figures have previously been successfully SIM-swapped, with their accounts used to carry out phishing attacks, such as Ethereum co-founder Vitalik Buterin’s X account in September.

Cointelegraph contacted Friend.tech for comment but did not immediately receive a response.

Magazine: Blockchain detectives — Mt. Gox collapse saw birth of Chainalysis

Vitalik Buterin reveals X account hack was caused by SIM-swap attack

September 12, 2023 Coin Telegraph

Coin Telegraph

The Ethereum co-founder has regained control of his T-Mobile account, confirming that a SIM-swap attack resulted in the hack of his X account.

Ethereum co-founder Vitalik Buterin has confirmed that the recent hack of his X (Twitter) account was the result of a SIM-swap attack.

Speaking on the decentralized social media network Farcaster on Sept. 12, Buterin said that he has finally recovered his T-Mobile account after the hacker managed to gain control of it via a SIM swap attack.

“Yes, it was a SIM swap, meaning that someone socially-engineered T-mobile itself to take over my phone number.”

The Ethereum co-founder added some lessons and learnings from his experience with X.

*Vitalik Buterin confirms how his X account was accessed by hackers. Source: Warpcast*

“A phone number is sufficient to password reset a Twitter account even if not used as 2FA,” he said, adding that users can “completely remove [a] phone from Twitter.”

“I had seen the ‘phone numbers are insecure, don't authenticate with them’ advice before, but did not realize this.”

On Sept. 9, Buterin’s X account was taken over by scammers who posted a fake NFT giveaway prompting users to click a malicious link which resulted in victims collectively losing over $691,000.

On Sept. 10, Ethereum developer Tim Beiko strongly recommended removing phone numbers from X accounts and having 2FA enabled. "Seems like a no-brainer to have this default on, or to default turn it on when an account reaches, say, >10k followers," he said to platform owner Elon Musk.

Twitter opsec PSA:

If you have a phone number linked on your account, even with other 2FA, it can be used to reset your PW. Need to specifically disable it + remove phone #.

If your Twitter account pre-dates crypto, strongly recommend double-checking, and adding strong 2FA! pic.twitter.com/uXrvHYhQvJ
— timbeiko.eth ☀️ (@TimBeiko) September 9, 2023

A SIM-swap or simjacking attack is a technique used by hackers to gain control of a victim’s mobile phone number. With control of the number, scammers can use two-factor authentication (2FA) to access social media, bank, and crypto accounts.

It is not the first time T-Mobile has been involved in this type of attack vector. In 2020, the telecoms giant was sued for allegedly enabling the theft of $8.7 million worth of crypto in a series of SIM-swap attacks.

T-Mobile was also sued again in February 2021 when a customer lost $450,000 in Bitcoin in another SIM-swap attack.

Article updated to include additional comments from Tim Beiko.

Magazine: How to protect your crypto in a volatile market: Bitcoin OGs and experts weigh in

Over $765K worth of NFTs stolen after SIM swap attack on GutterCatGang

July 8, 2023 Coin Telegraph

Over 5K worth of NFTs stolen after SIM swap attack on GutterCatGang

Coin Telegraph

The bad actors utilized a fake GutterCatGang airdrop scam to drain people’s wallets, with at least $700,000 worth of NFTs being stolen from a single address.

More than $765,000 worth of nonfungible tokens has been stolen as part of a reported SIM swap attack on the GutterCatGang NFT project.

The security breach was highlighted by several NFT community members at around 8 pm UTC on July 7, with GutterCatGang co-founder @GutterMitch tweeting out a warning that: “Our Twitter has been compromised please do not interact with any links.”

Our Twitter has been compromised please do not interact with any links
— Gutter Mitch (@GutterMitch) July 7, 2023

Alongside the official GutterCatGang account, co-founder @gutterric was also hacked.

The hacker, or hackers used the accounts to share links to fake “limited edition” GutterCatGang NFT sneaker airdrops that essentially drained people’s hot wallets when they clicked on them.

In an effort to make the fictitious links look more legitimate, the tweets included recent GutterCatGang branding and imagery from the project's phygital sneaker drop in partnership with Puma and NBA/Charlotte Hornets star LaMelo Ball.

GutterCatGang Twitter account has been compromised please do not interact with it. #GutterCatGang @gutterdan_ @GutterCatGang —-> ⚠️⛔️ pic.twitter.com/tBu9fwBI7m
— Burden © (@0x_burden) July 7, 2023

Responding to Gutter Mitch’s thread, prominent blockchain sleuth ZachXBT asserted that the team was hacked via a SIM swap attack, as he questioned the team’s cyber security practices.

“Your team better look at a compensation plan for victims as it is gross negligence to have used SMS 2FA on your socials after all of the recent SIM swaps,” ZachXBT said.

In a separate thread, ZachXBT highlighted two victims of the attack, with one losing a Bored Ape Yacht Club NFT worth $65,913 at current floor prices, and another losing a whopping $700,000 worth of NFTs from a host of blue chip collections.

Someone else just lost $700k of assets (couple BAYCs, MAYC, Doodles, BAKCs, etc) pic.twitter.com/noNvkqkw9U
— ZachXBT (@zachxbt) July 7, 2023

Providing an update on the matter, GutterCatGang co-founder @gutterdan_ stated: “We are working with Twitter to regain access to the compromised Gutter-affiliated Twitter accounts.”

“We deeply sympathize with all those impacted and want to assure you that we are taking this matter very seriously and are working with law enforcement to investigate the hack and security breach,” he wrote.

We are working with Twitter to regain access to the compromised Gutter-affiliated Twitter accounts. We deeply sympathize with all those impacted and want to assure you that we are taking this matter very seriously and are working with law enforcement to investigate the hack and…
— Gutter Dan (@gutterdan_) July 7, 2023

At the time of writing, it appears that the accounts are still compromised.

GutterCatGang was launched in mid-2021 and consists of 3000 unique NFT cartoon cat avatars. The current floor price sits at 0.5 Ether (ETH), up almost 615% from the initial cost to mint, according to NFT Price Floor.

Magazine: NFT Collector: Snoop’s NFT nostalgia, The Goose draws Gen Y to Sotheby’s

$794K SIM swap hacker PlugwalkJoe sentenced to five years in prison

June 25, 2023 Coin Telegraph

Coin Telegraph

The hacker managed to steal $794,000 worth of crypto from an exchange via a SIM swap attack on an exec, but ultimately he didn’t cover his tracks well.

British Hacker Joseph O’Connor, also known online as PlugwalkJoe, has been sentenced to five years in U.S. prison for his role in stealing $794,000 worth of cryptocurrency via a SIM swap attack on a crypto exchange executive back in April 2019.

O’Connor was initially arrested in Spain in July 2021 and was extradited to the U.S. on April 26, 2023. In May he pled guilty to a slew of charges relating to conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and conspiracy to commit money laundering, to name a few.

plugwalkjoe is getting his sentence in 5 days, so it’s time to bring this gem back pic.twitter.com/OOBqD2FaFA
— rip @ironic (@ripironic) June 18, 2023

The prison sentence was highlighted in a June 23 statement from the U.S. Attorney's Office of the Southern District of New York.

“In addition to the prison term, O’Connor was sentenced to three years of supervised release. O’Connor was further ordered to pay $794,012.64 in forfeiture,” the statement reads.

The hacked crypto exec has not been named, however after SIM swapping them, O’Connor gained unauthorized access to accounts and computing systems belonging to the exchange that the exec worked at.

“After stealing and fraudulently diverting the stolen cryptocurrency, O’Connor and his co-conspirators laundered it through dozens of transfers and transactions and exchanged some of it for Bitcoin using cryptocurrency exchange services.”

“Ultimately, a portion of the stolen cryptocurrency was deposited into a cryptocurrency exchange account controlled by O’Connor,” the statement adds.

O’Connor’s sentence also covers offenses relating to the major Twitter hack of July 2020, which ultimately fetched him and his crew around $120,000 worth of ill-gotten crypto gains.

1/ Time for a story that combines the craziness of crypto, the perils of hacking, and the consequences of shady actions. Buckle up as we explore the case of Joseph James O'Connor, aka PlugwalkJoe, the mastermind behind the infamous Twitter hack of July 2020!#Crypto
— Crypto Camel (@CamelChronicles) June 24, 2023

The hackers deployed a series of “social engineering techniques” and SIM-swapping attacks to hijack around 130 prominent Twitter accounts, along with two large accounts on TikTok and Snapchat.

“In some instances, the co-conspirators took control themselves and used that control to launch a scheme to defraud other Twitter users. In other instances, the co-conspirators sold access to Twitter accounts to others,” the statement reads.

As part of this scheme, O’Connor attempted to blackmail the Snapchat victim by threatening to publicly release private messages if they didn’t make posts promoting O’Connor’s online persona.

Additionally, O’Connor also “stalked and threatened” a victim, and “orchestrated a series of swatting attacks” on them by falsely reporting emergencies to authorities.

SIM swaps are still a big issue

A SIM swap attack involves a bad actor taking control of a victim’s phone number by linking it to another sim card controlled by them.

As a result, the bad actors can then re-route the victim’s calls and messages to a device controlled by them, and gain access to any accounts the victim uses SMS-based two-factor authentication on.

The scheme is generally used to dupe followers of prominent accounts into clicking phishing links that ultimately end up swiping their crypto assets.

Despite O’Connor’s antics occurring roughly three years ago, SIM swapping attacks continue to be a significant issue in the crypto sector.

Earlier this month blockchain sleuth ZachXBT identified a group of scammers that SIM-swapped at least eight accounts belonging to well-known figures in crypto, including Pudgy Penguins founder Cole Villemain, DJ and NFT collector Steve Aoki and Bitcoin Magazine editor Pete Rizzo.

According to ZachXBT, the group stole almost $1 million by promoting phishing links from the hacked accounts.

Magazine: ‘Moral responsibility’ — Can blockchain really improve trust in AI?