Vitalik Buterin, co-founder of Ethereum, confirmed that the recent hacking of his Twitter (X) account was the result of a SIM swap attack. Speaking on the decentralized social media network Farcaster on September 12, Buterin said that the attackers had taken control of his T-Mobile account through the SIM swap. He explained that a SIM swap involves social engineering to persuade the mobile carrier to transfer the phone number to a new SIM card.
Buterin also shared some insights and lessons learned from his Twitter hack experience. He highlighted that even if a phone number is not used for two-factor authentication (2FA), it can still be used to reset the password of a Twitter account. He encouraged users to consider removing their phone numbers entirely from their Twitter accounts. He admitted that he had seen advice cautioning against using a phone number as a security measure but hadn't fully appreciated the risks until this incident.
The hack of Buterin's Twitter account occurred on September 9, with scammers posting fake NFT giveaways and luring users into clicking on malicious links, resulting in victims losing over $691,000. Ethereum developer Tim Beiko strongly recommended removing phone numbers from Twitter accounts and enabling 2FA to enhance security. He suggested that this feature could be enabled by default, especially for accounts with a large number of followers.
SIM swapping, also known as SIM hijacking, is a method used by hackers to take control of a victim's mobile phone number. By gaining control of the phone number, scammers can access various accounts, including social media, banking, and cryptocurrency, especially if the phone number is used for 2FA. Notably, this is not the first time T-Mobile has been associated with such attacks, as the telecom company was previously sued for its alleged involvement in SIM swap attacks that led to the theft of millions of dollars' worth of cryptocurrency.



















