Ethereum’s Buterin says X account hacked in T-Mobile SIM swap

Ethereum co-founder Vitalik Buterin said someone “socially engineered” T-Mobile to take over his phone number, which was enough to hack into his X (Twitter) account.

Buterin said he had “finally” got his T-Mobile phone account back after it was used to hack into his X page and share a phishing scam that robbed victims of $690,000 worth of crypto.

The inventor and face of the Ethereum cryptocurrency confirmed what many have suspected after a crypto scam was posted to his five million followers on X on September 9th.

“Yes, it was a SIM swap, meaning that someone socially engineered T-Mobile itself to take over my phone number,” Buterin said in a message on Warpcast, a client of a decentralized social network Farcaster.

T-Mobile said it was investigating.

A SIM swap is a type of fraud that involves the unauthorized transfer of a victim’s phone number to a SIM card held by an attacker. It exploits a weakness in two-factor authentication (2FA) when the second verification step is based on a phone number.

However, Buterin said that a “phone number is sufficient to password reset a Twitter account even if not used as 2FA.” He added: “I had seen the ‘phone numbers are insecure, don’t authenticate with them’ advice before, but did not realize this.”

Buterin also said he couldn’t remember when he added his phone number to his Twitter account but noted it was probably required to sign up for Twitter Blue.

Twitter Blue, now X Premium, is a subscription service devised by the social network’s billionaire owner Elon Musk to fund his vision of X as a financial platform and an “everything app.”

X security in question

The hacking of Buterin’s account exposes security concerns that may well throw Musk’s vision into disarray.

“Twitter's account security is not designed as financial platforms. It needs quite a bit more features: 2FA, login ID should be different from handle or email, etc.,” Binance CEO Changpeng Zhao tweeted in response to the hacking of Buterin’s account.

“In the past, I have had my Twitter account locked a few times due to hackers trying to brute-force it (trying different passwords repeatedly),” he said, adding that it happened before the “Elon era.”

Binance, the world’s largest crypto exchange, and Zhao himself face charges by the Securities and Exchange Commission (SEC) over claims of “deception.”

X could not be reached for comment.

In December, the then-Twitter account of Daily Loud, a popular hip-hop and viral news outlet, was also hacked and posted scam messages to its two million followers.

In India, scammers reportedly monitored Twitter complaints to target users with phishing campaigns, another example of how the platform can be leveraged by cybercriminals.

$690,000 heist

The tweet posted on Buterin’s account promoted the fake crypto scheme and contained a compromised link urging the reader to follow it and “claim your piece of history.”

“To celebrate Proto-Danksharding coming to Ethereum, @Consensys is marking the moment with a commerotative NFT,” the tweet said. Proto-Danksharding is the name of the upcoming change to Ethereum’s protocol.

Instead of getting a free NFT, users who linked their wallets to the compromised account risked being drained of their crypto assets.

The tweet stayed for only 20 minutes, according to Web3 is Going Just Great, but the damage was done. Blockchain monitor ZachXBT reported that cybercriminals managed to steal over $690,000 in crypto tokens, including two high-value CryptoPunks.

ZachXBT has been raising alarm about the risks associated with SIM swaps for weeks. Their tweet in August said that $13.3 million had been stolen over the past four months as a result of 54 SIM swaps that targeted people in the crypto space.

“Never use SMS 2FA and instead use an authenticator app or security key to secure accounts,” they said.

Meanwhile, Buterin said he was “glad” to be on Farcaster, where account recovery is associated with Ethereum addresses. He rarely posts on X.