A phishing scammer who posed as a Forbes reporter briefly gained access to the X (formerly Twitter) account of blockchain security platform CertiK and used it to post messages advertising a malicious Web3 app, according to a Jan. 5 X post from CertiK.
A verified account, associated with a well-known media, contacted one of our employees. Unfortunately, it appears that this account was compromised, leading to a phishing attack on our employee.
— CertiK (@CertiK) January 5, 2024
We quickly detected the breach and deleted the related tweets within minutes. Our… pic.twitter.com/aO7GQjXEz2
The post stated that a “verified account, associated with a well-known media, contacted one of our employees.” The account turned out to have been compromised, which resulted in the employee getting phished and “related tweets” being posted to the account, the post claimed.
The malicious messages have now been deleted. In a Jan. 5 post to X, blockchain security platform Cyvers claimed to have seen the messages before they were deleted. According to it, the messages stated that Uniswap’s router had been compromised and that users needed to revoke all approvals for Uniswap using Revoke.cash.However, the provided link led to a fake version of Revoke.cash that attempted to steal users’ crypto.
ALERTWe are seeing reports that @CertiK's X account has been compromised!
— Cyvers Alerts (@CyversAlerts) January 5, 2024
Do NOT click any links promoted! #CyversAlert pic.twitter.com/4M3JNNaJ53
The malicious messages were discovered within seven minutes of them being posted, CertiK claimed, and the team immediately began a recovery process to remove the attacker’s access to its X account. Within 14 minutes, the team managed to delete the first of the malicious posts. After 37 minutes, the team’s investigation was over, and the danger was neutralized.
CertiK claimed that the scam was part of “a large scale ongoing attack” similar to the one described by X user NFT_Dreww.eth in a Dec. 21 post outlining a phishing scam in which the attacker posed as a Forbes reporter and asked victims to connect their X accounts to the Calendly calendar app to schedule a meeting. The links did not actually go to Calendly’s official website. Instead, they went to a fake Calendly site with a misspelled URL. Once the victim “connected” their X account to the fake site, they unwittingly approved permissions for the attacker to post to X on their behalf.
In a reply to CertiK’s post, on-chain sleuth ZachXBT shared an alleged screenshot of the message used to phish CertiK. The message appears to be from a person impersonating former Forbes and Bloomberg contributor Mark Beech, who passed away in 2020.
In their post, ZachXBT asked CertiK if they would reimburse victims who may have been phished as a result of the malicious post to CertiK’s account. In response, CertiK stated, “We encourage those affected during the recent Twitter incident to reach out to us.”
Phishing attacks have compromised several high-profile crypto X accounts over the past two weeks. On Dec. 29, Compound Finance’s account was compromised. On Jan. 4, the founder of Polychain Capital was hit as well.