Social media scams are thriving in the crypto space, and NFT collectors are losing their assets to attacks perpetrated through hijacked accounts. The latest example happened last night, with dozens of NFTs and about $30,000 worth of cryptocurrency stolen through a scam shared through the account of a well-known Web3 game developer.
On Wednesday, the Twitter account of Gabriel Leydon—co-founder and CEO of Limit Break, the gaming startup behind anime-inspired Ethereum NFT project, DigiDaigaku—was apparently taken over by an unauthorized user. The account proceeded to share a link to what was billed as access to an allowlist to secure a mint for a free DigiDaigaku NFT.
Holy shit they hijacked account somehow and it asks for approvals for all your NFTs pic.twitter.com/rbxU0Rqf91
— state (@statelayer) November 3, 2022
Instead, when users interacted with the website and approved the transaction prompted by the smart contract—that is, the code that powers NFTs and autonomous decentralized apps—an attacker instead stole NFTs and cryptocurrency from their respective wallets. Transactions made on blockchain networks cannot be reversed by a third party, like a bank or credit card company would in the event of fraud or theft.
The attacker pilfered dozens of NFTs from users, potentially worth tens of thousands of dollars’ worth of Ethereum in total. The most valuable of them by far was a Mutant Ape Yacht Club NFT, which the attacker quickly sold for 12.39 ETH (about $19,100 at the time). Additionally, the wallet appears to have taken about $30,000 worth of crypto from users.
Leydon has since recovered his Twitter account and pointed blame at mobile carrier AT&T in a voice message shared via tweet. Leydon claimed that an AT&T employee “did [an] override on all of my security protections and performed [an] unauthorized SIM swap.”
A SIM swap attack is typically used to bypass two-factor authorization protocols on accounts. The attacker is able to take over the mobile phone number in question, and then use it to gain access to protected accounts—including social media, where they can then impersonate the account owner.
A message to the people 🫡 pic.twitter.com/SdxjmBdOvo
— Gabriel Leydon (FREE,OWN) (@gabrielleydon) November 3, 2022
Leydon claimed that an employee “went around” protections set to his AT&T account, and said that Limit Break is in contact with the company over the allegations.
