Rob Behnke
January 17th, 2024
Several high-profile social media accounts have been hacked in the first couple of weeks of 2024. Some hacks with major implications for the crypto space include:
U.S. Securities and Exchange Commission (SEC): In advance of the official ruling regarding a Bitcoin ETF, someone compromised the SEC’s X account to post a fake approval. This attack was made possible by a failure to enable multi-factor authentication (MFA) on the account.
Mandiant: Mandiant is a cybersecurity company acquired by Google in 2022. Its X account — which also lacked MFA — was likely compromised via a brute-force password guessing attack. The attackers shared a link to a scam page on the account, resulting in thousands of dollars in stolen cryptocurrency on the Solana blockchain.
CoinGecko: The crypto platform suffered a breach of its X account — which did have MFA enabled — due to an employee accidentally clicking on a fraudulent Calendly link. The attacker then posted a fraudulent token airdrop using the compromised account.
Polychain Capital: The X account of Polychain Capital’s founder and CEO Olaf Carlson-Wee was hacked in January as well. The attackers used the compromised account to post fake airdrops leading to phishing pages.
CertiK: CertiK, a blockchain security firm, suffered a compromised X account as well. The attackers used the compromised account to post a link to a fake Revoke website that would drain value from victims’ wallets.
Ideally, a hack of a crypto socials account like the ones breached this January would be a two-part process. First, the attacker needs to learn the account’s password. Then, they must find a way to defeat the MFA on the account.
Passwords are the most common — and often the only — authentication factor used to protect online accounts. However, they can be compromised in various ways, including:
Password Brute Force: A weak password (too short, limited character set, based on a dictionary word, etc.) can sometimes be guessed using a brute force attack. While this should be impossible for a strong, random password, the Mandiant socials hack demonstrates that it’s possible.
Phishing Attacks: Phishing is a common method that cybercriminals use to steal passwords. Tricking a user into entering the password into a malicious site sends it straight to the attacker.
Reused Passwords: In some cases, the same password is reused across multiple accounts. This means that it only needs to be breached once to provide access to all those accounts.
Malware: Some cyberattacks are designed to install infostealer or keylogger malware on a computer. This malware can then steal passwords saved on the device or typed into it when a user accesses their account.
Multi-factor authentication is designed to protect against account takeover attacks. However, as demonstrated by the CoinGecko hack, it’s not a perfect solution. Phishing pages are one means of beating MFA since an attacker can trick a user into handing over both their password and MFA code.
However, in many of the recent crypto-related social media hacks, the accounts in question did not have MFA enabled for their X accounts. While this is a breach of basic cyber hygiene, a comment by Mandiant hinted that the failure might not entirely be the victims’ fault.
In February 2023, X announced that it would disable SMS-based MFA for non-Premium accounts effective March 21, 2023. While SMS-based authentication is a weak form of MFA, it’s also one of the most commonly used. By unilaterally stripping MFA from many users’ accounts, X increased their vulnerability to attack. This is likely why so many prominent X accounts lacked this basic protection.
However, this change from SMS-based MFA to no MFA also occurred over nine months before the attacks in question. This meant that X users had ample time to either switch to a supported form of MFA for free accounts or upgrade to a Premium account.
A social media hack has two sets of victims: the account owner and anyone who falls for the scam posts made by the compromised account. Some security best practices that can help protect you against falling into this first group include:
Set Strong Passwords: Some social media hacks — such as the Mandiant one — are believed to be the result of brute force password guessing attacks. Since these attacks are only feasible for weak passwords, implementing a long, random password can help to protect against this threat.
Enable MFA: The fact that MFA was disabled in most of the hacked X accounts hints at its effectiveness. Enable MFA wherever available, ideally using a stronger form of MFA than SMS.
Be Suspicious of Links: In some cases — like the CoinGecko hack — the attackers used malicious links to gain access to a social media account. Before clicking on a link or entering sensitive information, check the URL and verify that it’s a legitimate site.
Install an Antivirus: Some social media hacks are performed using malware to steal the account credentials. Installing and regularly scanning with an antivirus can help to prevent these types of attacks.
The other victims of social media hacks are the people who fall for the phishing scams performed using these trusted accounts. Some best practices to protect against these attacks include:
Beware of Giveaways: Many crypto phishing attacks pretend to be airdrops, which may require connecting a wallet to accept the tokens. While airdrops can be a legitimate marketing tool, there are also many scams, so do your research and verify that the airdrop is legitimate before accepting it.
Verify URLs: Phishing scams on social media often use lookalike accounts to masquerade as legitimate airdrops. Check that the URL is correct before clicking on or trusting it.
Protect Sensitive Data: The goal of most crypto phishing scams is gaining access to the private key used to protect a blockchain account. If a site asks you to enter or re-enter your private key or password after clicking a link, it might be part of a crypto scam.
The recent slew of crypto social media hacks demonstrates that anyone can be the victim of such an attack, including organizations that specialize in security. With attacks on the rise, it’s a good idea to take additional steps to secure your account today.