X Troubles: Inside the SEC Hack and The Hacked CertiK’s Phishing Scam 🕵️‍♂️

2e8t...NrEm
10 Jan 2024
41

PRDT Weekly Deep Dive — 10 January 2024
Social media allows businesses and government agencies to connect with the public directly. However, it also opens them up to new risks — as the U.S. Securities and Exchange Commission (SEC) and blockchain security company CertiK recently learned.

Only a few days into 2024, but two X/Twitter related significant security breach incidents have occurred just days apart, the official X/Twitter accounts of both organizations were hacked by unknown attackers. The takeovers only lasted briefly before being detected and mitigated. But they highlight lingering dangers even for accounts with strong protections.

A Slick Scam Hits CertiK’s Account 🚨
On January 5th, CertiK revealed in a X/Twitter thread that their account had fallen prey to a “large scale ongoing phishing attack.” Posing as a reporter from a major media outlet, the hacker contacted an employee and was able to gain login credentials.


Several scam messages were posted promoting a fake website called “Revoke.cash.” They falsely claimed that popular decentralized finance (DeFi) platform Uniswap had been compromised. Users were urged to connect their wallet and revoke trading approvals via the fake site.

In reality, Revoke.cash was designed to steal funds from victims caught up in the ruse. Crypto security researcher ZachXBT shared an alleged screenshot of the phishing message originally used on the employee. It came from an account impersonating deceased Forbes journalist Mark Beech.


A Tweet reply by ZachXBT calling out the recklessness of Certik’s X account manager
According to CertiK, suspicious activity was spotted within 7 minutes. But it still took 37 minutes to entirely lock down the account and delete posts. ZachXBT has questioned if CertiK should reimburse anyone impacted by the scam tweets during this window. CertiK has invited victims to reach out for assistance.

The strategy mirrored an attack detailed by NFT collector NFT_Dreww.eth in December 2022. He described receiving a near identical pitch requesting a meeting to be scheduled via the calendar service Calendly. However, the provided link went to a phony lookalike domain designed to steal X/Twitter login credentials.

SEC Account Tricked by Bitcoin Rumors 📈
Just days after CertiK’s incident, the SEC fell prey to hackers as well. On January 10th, a series of Tweets were sent from the SEC’s account claiming that Bitcoin exchange-traded funds (ETFs) had been approved by the agency.


Screenshot of the Deleted Tweet
This would have huge implications, finally allowing mainstream investor exposure to Bitcoin via brokerage accounts. But the SEC soon confirmed the account had been compromised by an unknown party, and that no such decision had been made regarding crypto ETFs.

According to X/Twitter’s security team, the SECGov account lacked two-factor authentication. This oversight gave hackers an opening to gain access and post the fabricated approval announcement.


The timing made the scam especially believable, with crypto media widely reporting that a long-awaited Bitcoin ETF decision was imminent. However, SEC Chair Gary Gensler stated plainly on his personal account that “The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.”

In a further statement, the SEC said it will work alongside law enforcement to determine the source of the unauthorized account access and bring accountability. No internal or public SEC system was compromised in the incident.

Similar Handprints, Different Motives 🔄
Despite some clear similarities in how access was obtained, the goals of each hack diverge when analyzed more closely:

- CertiK Case: An intricate phishing plot to push users to a fake website and directly steal funds. Cashing in on DeFi hype for profit seems the likely motive.

- SEC Case: Spreading misinformation to move cryptocurrency markets by falsely claiming a long-awaited regulatory approval. Chaos and attention could have been the objective rather than money.

And while both attacks showed technical sophistication, the SEC hack especially underscores social engineering risks. Even extensive account safeguards can fail if employees are tricked by a crafty impersonation scheme.

The every day Crypto Enthusiast 🌐
For everyday crypto enthusiasts active on X/Twitter, account takeovers of major brands or agencies can introduce another layer of uncertainty. Seeing an official handle post breaking news or urge urgent action triggers an instinctive response for many.

But recent hijackings are a sobering reminder to raise the bar for skepticism — no matter the source. Scammers are experts at disguising links and mimicking tones of authority. They know which topics will go viral fastest when tied to an “Official Account”.

So before liking, retweeting or clicking anything endorsed by an account with influence, take an extra beat. Check the handle making the post. Verify the claim being made through other sources before acting. Visit links yourself rather than assuming they’re safe or official.

No one wants to miss out on the latest drama or price-moving scoop. But a few seconds of caution could save followers from becoming the next victims as creative hackers explore new social engineering tactics across Crypto X/Twitter.

The Need for Better Security Hygiene 🔐
Blockchain platforms like CertiK rightly market enhanced security as a prime feature. So having their official account compromised is highly embarrassing and damaging to their reputation.

The SEC hack similarly hurts public trust in the agency tasked with overseeing financial markets — and now crypto. Their delayed adoption of two-factor authentication raises questions about the government’s understanding of cyber risks.


Both incidents serve as urgent reminders to elevate security strategies before disaster strikes. Some best practices that apply whether overseeing a DeFi protocol or government regulatory body:

- Activate two-factor authentication across all accounts to require secondary credentials when logging in from a new device. SMS or hardware security keys are ideal.

- Institute organization-wide phishing awareness training. Teach how to identify deceptive domain names, urgent threats demanding quick action, and requests for login credentials or sensitive data.

- Limit administrative permissions and access. Provide higher clearance only when critical for specific roles. Revoke promptly when no longer justified.

- Perform periodic external penetration testing and request an intrusion attempt to surface vulnerabilities in systems. Ethical hackers can uncover oversights and improve resilience.

The Next Target Awaits 🎯
While the CertiK and SEC cases grabbed headlines, countless lower profile crypto X/Twitter accounts face threats daily. From founders to influencers to everyday users, anyone is a potential target.

And the incidents reveal hackers are willing to go to elaborate lengths to profit. Phishing lures will only grow more sophisticated and personalized after these successful proof of concepts.

For potential victims, maintaining vigilance is key:

- Always verify login links go to legitimate domains before entering credentials.

- Enable X/Twitter’s Advanced Security for stronger protection including account recovery options.

- Be wary of personalized messages making bold claims or demanding immediate action. Verify independently before proceeding.

The Cryptoverse Welcomes New Risks 🌐
As crypto adoption advances, tying digital assets to established social platforms creates crossover points for security failures. Hacking groups clearly recognize X/Twitter’s power to move markets and execute direct theft.

Government agencies grappling with blockchain technology face their own elevated risks requiring updated best practices. And for companies like CertiK that stake their business on security, any breach jeopardizes their credibility.

In an evolving landscape filled with immense potential and hype, people remain the weakest link. Bount takeovers could hopefully be avoided across the cryptoverse.

Conclusion 🌄
As we progress further into 2024, the cryptoverse will undoubtedly continue seeing social engineering threats evolve across platforms like X. The recent SEC and CertiK breaches highlight lingering vulnerabilities that allow bad actors to profit from deception, market manipulation, and stolen funds. For both private companies and government agencies, deterring future attacks requires learning from past incidents to inform updated protocols and best practices.

And for everyday crypto users, staying vigilant against sophisticated phishing schemes will remain crucial to personal protection. Though daunting, acknowledging these realities is the first step toward creating a more transparent, accountable landscape less prone to the ripple effects of account takeovers. By taking collective responsibility and proactively addressing points of weakness, the worst impacts of future scams might just be avoidable.

Disclaimer: The information presented in this article is for educational and informational purposes only. It should not be taken as financial or investment advice. Always conduct your research and consider consulting a qualified professional before making investment decisions.ut with greater awareness and proactive precautions, the worst impacts of future X ac

Write & Read to Earn with BULB

Learn More
Enjoy this blog? Subscribe to hulyakara88x

2 Comments

B
No comments yet.
Most relevant comments are displayed, so some may have been filtered out.