Vitalik Buterin: X account hack caused by SIM-swap attack

The co-founder of Ethereum has regained control of his T-Mobile account, verifying that a SIM-swap attack compromised his X account.

Vitalik Buterin, the co-founder of Ethereum, has officially verified that the recent breach of his X (Twitter) account resulted from a SIM-swap attack.

Buterin made this statement on the decentralized social media platform Farcaster on September 12th, revealing that he has successfully regained control of his T-Mobile account following the hacker’s exploitation of a SIM swap attack.

“Yes, it was a SIM swap, meaning that someone socially-engineered T-mobile itself to take over my phone number.”

During his discussion, the Ethereum co-founder shared valuable insights and lessons from his encounter with the security breach.

“I had seen the ‘phone numbers are insecure, don’t authenticate with them’ advice before, but did not realize this.”

On September 9th, scammers took over Buterin’s Twitter account, where they posted a fraudulent NFT giveaway, enticing users to click on a malicious link. This scheme resulted in victims collectively losing over $691,000.

On September 10th, Ethereum developer Tim Beiko strongly recommended the removal of phone numbers from Twitter accounts and emphasized the importance of enabling two-factor authentication (2FA).

Twitter opsec PSA:

If you have a phone number linked on your account, even with other 2FA, it can be used to reset your PW. Need to specifically disable it + remove phone #.

If your Twitter account pre-dates crypto, strongly recommend double-checking, and adding strong 2FA! pic.twitter.com/uXrvHYhQvJ

— timbeiko.eth (@TimBeiko) September 9, 2023

Beiko urged platform owner Elon Musk to consider making 2FA a default setting, particularly for accounts with over 10,000 followers.

A SIM-swap or simjacking attack is used by hackers to gain control of a target’s mobile phone number.

By hijacking the phone number, scammers can exploit two-factor authentication (2FA) to access social media, banking, and cryptocurrency accounts.

This incident is not the first instance involving T-Mobile and such attack vectors.

In 2020, the telecommunications giant faced legal action for allegedly facilitating the theft of $8.7 million worth of cryptocurrency through a series of SIM-swap attacks.

T-Mobile was embroiled in another lawsuit in February 2021 when a customer lost $450,000 in Bitcoin due to another SIM-swap attack.