Social media scams are thriving in the crypto space, and NFT collectors are losing their assets due to attacks carried out through hijacked accounts.
The latest case took place on Thursday night, November 3, with dozens of NFTs and about $30,000 in cryptocurrency stolen through a scam pushed from the account of a well-known Web3 game developer.
On Thursday, the Twitter account of Gabriel Leydon, co-founder and CEO of Limit Break, the gaming startup behind the anime-themed Ethereum NFT project DigiDaigaku, was apparently taken over by an unauthorized user. The account went on to share a link to what the attacker described as an exclusive allowlist offering a free mint of a DigiDaigaku NFT.
Instead, when users connected their wallets to the site and signed the transaction it requested (a call into a smart contract, the code that powers NFTs and decentralized applications), the attacker used the resulting approvals to drain NFTs and cryptocurrency from their wallets. No legitimate free mint needs the user to grant a third party control over tokens they already hold.
Transactions made on blockchain networks cannot be reversed by a third party, as a bank or credit card company would in the event of fraud or theft.
Holy shit they hijacked account somehow and it asks for approvals for all your NFTs pic.twitter.com/rbxU0Rqf91— state (@statelayer) November 3, 2022
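The tweet above describes the mechanism: the "mint" site submitted a transaction that asks the wallet for approval over every token the user holds, which is what a drainer needs before it can move them. The following is an added example, not code from the article, from Decrypt, or from Limit Break. It decodes a pending transaction's calldata offline and flags the approval patterns drainers rely on, so a cautious user or a wallet UI can see what a supposed free mint really asks for before signing. The function selectors are the standard ERC-20/ERC-721/ERC-1155 ones; the contract and operator addresses are constructed placeholders, not the real DigiDaigaku contract or the attacker's address, and the `trustedOperators` list is an assumption about what the user has knowingly approved (for example a marketplace). It runs on plain Node.js with no dependencies.

```javascript
// Added example (not from the article): offline inspection of EVM calldata
// for the approval patterns wallet drainers rely on. Plain Node.js, no deps.

// 4-byte selectors are the first 4 bytes of keccak256(signature). These are
// the standard ERC-20 / ERC-721 / ERC-1155 values.
const SELECTORS = {
  "a22cb465": { sig: "setApprovalForAll(address,bool)", args: ["address", "bool"] },
  "095ea7b3": { sig: "approve(address,uint256)", args: ["address", "uint256"] },
  "23b872dd": { sig: "transferFrom(address,address,uint256)", args: ["address", "address", "uint256"] },
  "42842e0e": { sig: "safeTransferFrom(address,address,uint256)", args: ["address", "address", "uint256"] },
};

const MAX_UINT256 = (1n << 256n) - 1n;

// Return the i-th 32-byte argument word (hex, no 0x prefix) of the calldata.
function argWord(hex, i) {
  const start = 8 + i * 64; // skip the 4-byte selector
  const word = hex.slice(start, start + 64);
  if (word.length !== 64) throw new Error(`calldata too short for argument ${i}`);
  return word;
}

function decodeArg(type, word) {
  if (type === "address") return "0x" + word.slice(24); // right-aligned 20 bytes
  if (type === "bool") return BigInt("0x" + word) !== 0n;
  if (type === "uint256") return BigInt("0x" + word);
  throw new Error(`unsupported type ${type}`);
}

// Inspect one transaction {to, data, value}. trustedOperators (assumption) is
// the set of addresses the user has knowingly decided to grant approvals to,
// e.g. a marketplace; any other operator is treated as foreign.
function inspectTransaction(tx, trustedOperators = []) {
  const hex = (tx.data || "0x").replace(/^0x/, "").toLowerCase();
  const trusted = new Set(trustedOperators.map((a) => a.toLowerCase()));
  const result = { to: tx.to, selector: hex.slice(0, 8), call: null, args: [], risk: "low", reasons: [] };

  if (hex.length === 0) {
    // No contract call at all: a "free mint" that simply wants your ETH.
    if (BigInt(tx.value || 0) > 0n) {
      result.risk = "medium";
      result.reasons.push(`plain ETH transfer to ${tx.to} with no contract call`);
    }
    return result;
  }

  const entry = SELECTORS[result.selector];
  if (!entry) {
    result.risk = "unknown";
    result.reasons.push(`unrecognised selector 0x${result.selector}; decode it against the verified contract ABI before signing`);
    return result;
  }

  result.call = entry.sig;
  result.args = entry.args.map((t, i) => decodeArg(t, argWord(hex, i)));

  if (entry.sig === "setApprovalForAll(address,bool)" && result.args[1] === true) {
    const operator = result.args[0];
    result.risk = trusted.has(operator) ? "medium" : "high";
    result.reasons.push(`grants operator ${operator} the right to move EVERY token you hold in ${tx.to}`);
  } else if (entry.sig === "approve(address,uint256)") {
    // For an ERC-20 the second word is an allowance; for an ERC-721 it is a
    // tokenId. A mint has no reason to ask for either.
    const spender = result.args[0];
    result.risk = trusted.has(spender) ? "low" : "medium";
    if (result.args[1] === MAX_UINT256) {
      result.risk = "high";
      result.reasons.push(`unlimited allowance for spender ${spender}`);
    } else {
      result.reasons.push(`approval for spender ${spender} (amount or tokenId ${result.args[1]})`);
    }
  } else if (entry.sig.endsWith("(address,address,uint256)")) {
    // transferFrom / safeTransferFrom: the token leaves the wallet immediately.
    result.risk = "high";
    result.reasons.push(`moves token ${result.args[2]} from ${result.args[0]} to ${result.args[1]}`);
  }
  return result;
}

// ABI-encode a call from a selector and static arguments. Used only to build
// the constructed sample below; a wallet gets the calldata from the dapp.
function encodeCall(selector, values) {
  const words = values.map((v) => {
    if (typeof v === "boolean") return (v ? 1n : 0n).toString(16).padStart(64, "0");
    if (typeof v === "bigint") return v.toString(16).padStart(64, "0");
    return v.replace(/^0x/, "").toLowerCase().padStart(64, "0"); // address
  });
  return "0x" + selector + words.join("");
}

// Constructed sample: what an "exclusive free mint" site might actually submit.
// Both addresses are placeholders, not real contracts.
const DRAINER = "0x1111111111111111111111111111111111111111";
const COLLECTION = "0x2222222222222222222222222222222222222222";
const drainerTx = { to: COLLECTION, value: "0x0", data: encodeCall("a22cb465", [DRAINER, true]) };

console.log(JSON.stringify(inspectTransaction(drainerTx, []), null, 2));
```

The same decoder can be pointed at a wallet's existing approvals rather than a pending transaction: the first thing to do after signing something like this is to revoke the `setApprovalForAll` grant (calling it again with `false`) for the foreign operator on every collection it touched.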
The attacker stole dozens of NFTs from users, potentially worth tens of thousands of dollars in ETH. By far the most valuable was a Mutant Ape Yacht Club NFT, which the hacker quickly sold for 12.39 ETH (about $19,100 at the time of sale). The attacker's wallet also appears to have received around $30K worth of cryptocurrency from the victims.
Leydon has since regained control of his Twitter account and blamed mobile operator AT&T in a voice message shared via tweet. In a direct message to Decrypt, Leydon stated that an AT&T employee “overruled all my security protections and performed [an] unauthorized SIM swap.”
A SIM swap attack is typically used to bypass two-factor authentication and account recovery flows that rely on SMS. The attacker gets the carrier to move the victim's phone number to a SIM they control, then uses the codes and password-reset links sent to that number to take over protected accounts, including social media, where they can post as the account owner.
A message to the people pic.twitter.com/SdxjmBdOvo— Gabriel Leydon (FREE,OWN) (@gabrielleydon) November 3, 2022
Leydon claimed that an employee “circumvented” the protections set on his AT&T account and said Limit Break is in contact with the company about the allegations. AT&T representatives did not immediately respond to Decrypt's request for comment.
Limit Break's CEO told Decrypt that the studio is investigating the attack and will work to help users whose assets were stolen. “It's a terrible situation and as soon as we see that the person has been attacked, we will help them,” Leydon said.
Another Monkey Drainer attack
ZachXBT, a well-known blockchain investigator, tweeted that the attack appears to be connected to Monkey Drainer, a scammer who has recently stolen millions of dollars in NFTs and cryptocurrency.
Twitter has been the target of similar attacks in recent months. In some cases, the account of a well-known NFT artist or the creator of an NFT project is hacked and used to spread these so-called “wallet drainer” scams. The rise of these scams has led to a debate over the responsibility Web3 creators have to compensate users who lose their assets as a result.
On other occasions, the verified accounts of unaffiliated users, such as journalists, have been hijacked, renamed to pose as a project's official account, and used to spread such scams. This happened more often earlier this year, especially around projects like Azuki and Otherside, but Twitter appears to have closed the security holes that enabled these takeovers of verified accounts.
Limit Break was founded in 2021 by Leydon and Halbert Nakagawa, formerly co-founders of mobile game studio Machine Zone, which produced hit titles like Game of War: Fire Age and Mobile Strike. The Web3-focused startup has raised $200 million, as announced in August, from the likes of FTX, Coinbase Ventures and Paradigm.
DigiDaigaku is billed as a “free-to-own” game intended to move away from the volatile play-to-earn model popularized by games like Axie Infinity. The project's original Genesis NFT profile pictures (PFPs) were released in August as a free mint and have generated over 9,000 ETH in trading volume to date, or around $14 million at the current ETH price.
Limit Break says it purchased a commercial spot for DigiDaigaku during Super Bowl LVII in February 2023 for $6.5 million, a heavy investment in exposing the Web3 project to a far wider audience.
*Translated by Gustavo Martins with permission from Decrypt.