Internet scammers are using hacked Twitter Inc. accounts to promote dubious cryptocurrency platforms that, once installed, allow them to compromise victims’ sensitive data, according to new findings provided exclusively to Bloomberg News.
Since March, fraudsters have impersonated journalists, crypto apps, and a variety of non-fungible token (NFT) projects on Twitter to steal virtual currency, usernames, and password credentials from people. users, according to research by Satnam Narang, Research Engineer within Cybersecurity. Tenable Inc. Many targeted accounts are verified, which tells investigators that scammers are hacking specific pages, paying for illicit access, or both.
As part of the alleged scam, the thieves posed as members of the Bored Ape Yacht Club, a popular NFT collection, as well as the Azuki Collection, the MoonBirds Project, and the Okay Bears NFT community, which includes more than 150,000 Twitter followers, Narang found.
In one case, scammers posed as a legal affairs reporter from The Age, an Australia-based news service, asking users to visit a suspicious link to claim a small amount of Ethereum virtual currency, according to the research. Intruders also appear to have temporarily taken over the Twitter page of a freelance journalist who covers the gaming industry and created profiles that appear similar to the real ones, according to the results.
Impostor Twitter accounts typically encouraged followers to visit specific links or download new apps, Narang said. These apps often trick users into providing access to their mobile cryptocurrency wallets, from which attackers can quickly mine funds. Each of the scammers’ pages, whether it’s an app or a phishing link, is carefully crafted to look like legitimate and trustworthy websites as per the results.
The tactic represents an upgrade from a more traditional fraud technique of mass-mailing social media users or impersonating famous people, such as Tesla Inc. CEO Elon Musk, an outdated tactic relatively simple to detect, Narang said in an interview. Using verified Twitter accounts adds a layer of legitimacy, and the ability to seize an opportunity to make money in cryptocurrency adds urgency to the system, Narang said.
“They seem indistinguishable from real apps, and people just don’t look closely at the links,” he said.
When a reporter from Bloomberg News analyzed an app believed to be for Azuki, an anime-themed NFT project with over 300,000 subscribers, it was flagged as malware.
In May, scammers used a fraudulent Twitter page @OlthersideMeta, which led users to believe it was @OthersideMeta, a legitimate site that mixes video games with the metaverse, according to research.
Losses from the scams are hard to quantify, but the activity is the latest example of attackers leveraging cryptocurrency — and the hype surrounding popular projects — to generate funds. Americans reported more than $1.6 billion in cryptocurrency-related fraud in 2021, a massive increase from $246 million the previous year, according to the Crime Complaint Center report on FBI Internet. The real figure is likely much higher, as many would-be investors flock to speculative-type schemes and fail to report cases of fraud, Narang said.
“Scam artists are so adept at pivoting to what people care about,” he added. “This is a small sample of what’s going on in this space.”
This article was provided by Bloomberg News.