A recent cyberattack compromised Microsoft's official Twitter account in India, exposing its more than 211,000 followers to a cryptocurrency scam. The hackers, posing as Roaring Kitty, the alias of the popular trader Keith Gill, tried to trick users into connecting their cryptocurrency wallets to a malicious site.
By exploiting the account's gold verification checkmark, the attackers sought to appear trustworthy. They leveraged Keith Gill's recent online visibility to mislead users, directing them to a fake website (presaIe-roaringkitty[.]com) that purports to host a GameStop cryptocurrency presale. Users who connect their wallets and approve the site's transaction requests risk having their assets stolen by a wallet drainer, a malicious script that requests token approvals or signatures and then transfers the victim's funds to attacker-controlled addresses. The statement below from X's Safety team concerns a separate compromise, that of the SEC's @SECGov account, discussed later in this article:
We can confirm that the account @SECGov was compromised and we have completed a preliminary investigation. Based on our investigation, the compromise was not due to any breach of X's systems, but rather due to an unidentified individual obtaining control over a phone number…
— Safety (@Safety) January 10, 2024
Extending Reach with Retweet Bots
To maximize exposure, the scammers used bot accounts to retweet posts from the compromised handle, increasing the malicious content's visibility. Artificially boosting the posts' prominence in this way expands the pool of potential victims beyond the account's own followers.
There has been a noticeable uptick in the hijacking of verified Twitter accounts belonging to governmental and business entities, marked with 'grey' or 'gold' checkmarks respectively. Such accounts are frequently used to lend authenticity to tweets that direct users to phishing sites for cryptocurrency scams or malware. One example is the recent breach of the U.S. Securities and Exchange Commission's (SEC) Twitter account through a SIM-swapping attack, which led to a false announcement about Bitcoin ETF approval that briefly moved the Bitcoin price. The SEC's account did not have two-factor authentication enabled at the time. Note that SIM swapping defeats SMS-based two-factor authentication in any case, because the attacker receives the verification codes sent to the hijacked number; app-based or hardware-key second factors are the recommended protection for high-value accounts.
Other similar incidents involve the Twitter accounts of companies like Netgear and Hyundai MEA, as well as the Web3 security firm CertiK, all being compromised to promote cryptocurrency wallet drainers. The trend of hacking verified accounts has been on the rise, providing scammers with a facade of credibility.
Surge in Malicious Crypto Advertisements
Twitter users have also faced a wave of malicious cryptocurrency ads that lead to scams, fake airdrops, and wallet drainers. According to blockchain threat analysis firm ScamSniffer, a notorious wallet drainer named 'MS Drainer' has reportedly stolen around $59 million from approximately 63,000 individuals between March and November.
Hackers modified the description of Microsoft's hijacked account to focus on stock-picking and investment advice, claiming to offer educational live streams. Although some fraudulent posts were removed, the hackers kept reposting from the compromised account, which remained unsecured at the time of writing.
The targeting of verified accounts is explained by the credibility these accounts inherently carry, which makes the scam posts more convincing. The techniques used to take them over, SIM swapping and social engineering, exploit weak account recovery and phone-based authentication rather than any flaw in the platform itself, so organizations should enforce phishing-resistant two-factor authentication on official accounts and restrict who can post from them. The growing value of cryptocurrency, in turn, keeps attracting cybercriminals to this kind of fraud.