CertiK's X account was briefly hacked by a Forbes impersonator


A phisher posing as a Forbes reporter briefly gained access to the X (formerly Twitter) account of blockchain security platform CertiK and used it to post messages promoting a malicious Web3 app on Jan. 5, according to an X post from CertiK.

“A verified account linked to a prominent media outlet contacted one of our employees,” the post said. That account was found to be compromised, the employee was tricked, and “relevant tweets” were posted to CertiK's account, the post said.

The malicious messages have now been deleted. In a Jan. 5 posting to X on the blockchain security forum, Syvers said he saw the messages before they were deleted. According to Syvers, the messages stated that Uniswap's router was compromised and that users needed to revoke all authorizations for Uniswap using Revoke.cash. The messages led to a fake version of Revoke.cash that tried to steal users' crypto.

The malicious messages were discovered within seven minutes of being posted, CertiK said, and the team immediately began a remediation process to remove the attacker's access to the X account. Within 14 minutes, the team was able to delete the first of the malicious posts. After 37 minutes, the team's investigation was completed and the incident was neutralized.

CertiK said the scam was part of a “large-scale ongoing attack” similar to the one described in a Dec. 21 post by X user NFT_Drew.eth. NFT_Drew.eth describes a phishing scam in which an attacker impersonates a Forbes reporter and asks victims to link their X account to the Calendly calendar app to schedule a meeting. The links do not actually go to the official Calendly website. Instead, they go to a fake Calendley site with a misspelled URL. Once the victim “links” their X account to the fraudulent site, they unknowingly grant the attacker permission to post to X on their behalf.

In response to CertiK's post, on-chain sleuth ZachXBT shared a screenshot of the message used to bait CertiK. The message appears to be from someone impersonating former Forbes and Bloomberg contributor Mark Beach, who passed away in 2020.

ZachXBT has asked CertiK if they will refund victims of fraud to their CertiK accounts due to a malicious post on their blog. In response, CertiK said, “We encourage those affected by the recent Twitter incident to reach out to us.”

Phishing attacks have compromised several high-profile crypto X accounts in the past two weeks. On December 29, Compound Finance's account was compromised. On January 4, the founder of Polychain Capital was also hit.
