In a recent statement, Ethereum co-founder Vitalik Buterin revealed that hackers had accessed his X (Twitter) account through a SIM-swap attack, gaining control of his phone number to bypass security measures on the account.
During a discussion on the decentralized social media platform, Farcaster, Buterin disclosed that he had regained control of his T-Mobile account after a hacker had successfully executed a SIM-swap attack.
In addition to detailing the attack, Buterin shared some key takeaways and lessons he learned from the experience.
Buterin highlighted that even if a phone number isn’t used for two-factor authentication (2FA), it can still be used to reset a Twitter account’s password. He also stressed that users can actively remove their phone numbers from their X accounts, making it more challenging for hackers to gain access.
According to Buterin, scammers compromised his X account on September 9, using it to post a fraudulent NFT giveaway. They directed users to visit a malicious website where they could “mint” the NFT for free. However, the website actually phished user data and collected wallet addresses, resulting in the loss of over $691,000 in user funds.
On Sept. 10, Tim Beiko, an Ethereum network developer, publicly urged Elon Musk, the new owner of X, to set the default option for users to remove their phone numbers from the platform and enable 2FA. Beiko further proposed that Twitter should automatically enable 2FA for accounts with over 10,000 followers.
A SIM-swapping attack, also known as SIM hijacking or SIM jacking, involves hackers gaining control of a victim’s phone number by tricking or bribing their phone company into transferring the number to a SIM card controlled by the hackers.
The issue of SIM-swapping attacks involving T-Mobile is not new. In 2020, T-Mobile faced a lawsuit alleging it enabled the theft of $8.7 million worth of cryptocurrency.
T-Mobile’s security issues persisted in February 2021 when another customer lost $450,000 worth of Bitcoin in a SIM-swapping attack. As a result, the victim filed a lawsuit against the firm.
