Four user accounts on friend.tech were compromised and drained after hackers gained control of their mobile numbers, in a short period.
Users of Friend. tech has issued a warning about possible SIM-swap attacks following a spate of alleged breaches that resulted in nearly 109 ETH worth approximately $178,000 being drained from four users in less than a week.
On September 30, the X (formerly Twitter) user known as “froggie. eth” warned their Friend. tech account was SIM-swapped — where attackers obtain control of a user’s mobile number to intercept two-factor authentication codes, which are then used to access accounts — and over 20 ETH were subsequently stolen.
On October 3, a series of Friend.Tech users reported similar incidents, with musician Daren Broxmeyer claiming his SIM card was swapped and 22 ETH were stolen.
His phone had previously been “spammed with phone calls,” which he believed was an attempt to prevent him from receiving a text message from his service provider warning him that someone was attempting to access his account.
I was just SIM swapped and robbed of 22 ETH via @friendtech
The 34 of my own keys that I owned were sold, rugging anyone who held my key, all the other keys I owned were sold, and the rest of the ETH in my wallet was drained.
If your Twitter account is doxxed to your real… pic.twitter.com/5wA86mjYEG
— daren (friend, friend) (@darengb) October 3, 2023The same day, another user, “dipper,” reported that their account had been compromised, adding that they had “no idea” how their account could have been hacked because they use robust passwords.
The fourth victim, “digging4doge,” lost approximately 60 ETH after falling victim to a phishing scheme that involved sharing a login code.
Friendtech user @digging4doge just got drained to the tune of ~60 eth worth of keys.
About an hour ago, he received a text informing him that a number change had been requested for his account.
He had two hours to respond or the request would be auto approved. This was, of… pic.twitter.com/L21Hr041kP
— quit (👀,🦄) (@0xQuit) October 4, 2023The crypto investment firm Manifold Trading explained that any intruder who gains access to a Friend. tech account can “rug the whole account.”
Using the assumption that one-third of Friend.tech accounts are linked to phone numbers, they estimate that $20 million is at risk of being exploited via Friend. Tech user-focused exploits.
Manifold also indicated that technically, the entirety of Friend. Tech is at risk due to the platform’s security configuration, and resolving the issues “should honestly be the number 1 priority.”
My FT account was just compromised, hacker dumped all keys and moved everything to another address. Was about 6.5e total. Wallet address here: 0x8D8557e4A7512b81C74efD2874107a7C4e29fE26
— dipper (@d1pp3r__) October 2, 2023Manifold recommended that Friend. Tech enables 2FA for logins, key decryptions, and transactions. Users should also be able to change the login mechanism from a number to an email address, and third-party wallets should be permitted.
Before September, the X account of Ethereum co-founder Vitalik Buterin was effectively SIM-swapped and used for phishing attacks, as were the accounts of other prominent crypto figures.
