Ethereum co-founder Vitalik Buterin has confirmed that a T-Mobile SIM-swap attack was the reason behind his X account being hacked on 9 September.
T-Mobile is a wireless carrier providing voice, text messaging, video calling and mobile data services. The telecoms giant has been sued for enabling multiple SIM-swap attacks in the past.
In a SIM-swap attack, also known as simjacking, an attacker persuades the carrier to move a victim's phone number to a SIM the attacker controls. From that point the attacker receives every call and text sent to the number, including SMS one-time codes for two-factor authentication (2FA) and phone-based password-reset messages, and can use them to take over social media, bank and crypto accounts that rely on the number for login or recovery.
The same happened to the Ethereum co-founder, who confirmed on the decentralised social network Farcaster on 12 September that he had recovered his T-Mobile account: “Yes, it was a SIM swap, meaning that someone socially-engineered T-mobile itself to take over my phone number.”
He then suggested a few settings changes that users of X (formerly Twitter) can make to avoid a similar takeover.
“A phone number is sufficient to password reset a Twitter account even if not used as 2FA,” he said, adding that users can “completely remove [a] phone from Twitter”.
He also admitted he had seen the “phone numbers are insecure, don’t authenticate with them” advice before, but had not appreciated how serious the risk was.
A day after Buterin’s account was hacked, fellow Ethereum developer Tim Beiko strongly recommended removing phone numbers from X accounts and enabling 2FA. Tagging the platform’s owner, Elon Musk, Beiko stated that it “seems like a no-brainer to have this default on, or to default turn it on when an account reaches, say, >10k followers”.
As soon as Buterin’s account was compromised, the hacker published a post claiming to celebrate ‘Proto-Danksharding coming to Ethereum’. The post carried a malicious link to a supposedly free commemorative non-fungible token (NFT), enticing victims to connect their wallets to a site that then drained their funds.
As reported by prominent blockchain investigator ZachXBT, victims who followed the malicious link collectively lost over $691,000. Buterin’s father, Dmitry Buterin, also posted on X to warn readers to ignore the malicious post, announcing that his son’s account had been hacked. The hacker’s post has since been deleted.
The broader cryptocurrency market was already on a downtrend at the time, and the compromise of the Ethereum co-founder’s account appeared to push the price of $ETH down further.
$ETH tumbled to as low as $1,540 at one point in the past 24 hours, marking a six-month low for the token. The altcoin’s price has been on a consistent downward trajectory from its mid-August peak at $1,850.
At the time of writing it was still trading in the red, with $ETH changing hands at $1,578, down almost 3% on the week.
Telecoms giant T-Mobile is in the hot seat too following the hack of Buterin’s high-profile account. Back in 2020, it was sued for allegedly enabling the theft of $8.7 million worth of crypto in a series of SIM-swap attacks. A similar incident occurred in 2021, when a customer lost $450,000 in Bitcoin ($BTC) in another SIM-swap attack; T-Mobile was sued again over that case in February 2021.