Halfway through a meeting on January 8, Bolon Soron's phone lost its signal. This wasn't a normal interruption.
Soron, the pseudonymous director of Kingdom Studios, creator of the popular web3 game DeFi Kingdoms, realised his phone number had been SIM swapped.
Soon afterwards a hacker took over the game's X account and locked out the entire team. For 10 days, the culprit pushed phishing links to the game's 114,000 X followers before order was restored.
The worst part: Soron said he could not get through to X representatives to help him take back control of the account.
SIM swapping isn't new. It entails tricking a telecom company's customer service rep into transferring a target's phone number to a SIM controlled by the attacker. From that moment, calls and text messages sent to the number, including SMS verification codes and password-reset links, arrive on the attacker's device instead of the victim's.
Yet over the last few years, perpetrators have increasingly switched to using the tactic to access social media accounts. And crypto has become a happy hunting ground.
Moreover, X, under the ownership and direction of Elon Musk, has removed many of the measures that used to help non-paying account holders protect themselves from security breaches.
SIM swapping stormed back into the headlines on January 9 when hackers seized control of the US Securities and Exchange Commission's X account and prematurely announced the approval of Bitcoin exchange-traded funds.
The bogus tweet was live for about 26 minutes before SEC staff alerted the public, the agency said.
"Commission staff are still assessing the impacts of this incident on the agency, investors, and the marketplace but recognise that those impacts include concerns about the security of the SEC's social media accounts," SEC Chair Gary Gensler said in a statement.
Ethereum creator Vitalik Buterin fell prey to a SIM swap attack in September. The hacker posted a fake NFT promo that cost those who clicked on it almost $700,000, according to ZachXBT, an online sleuth.
The incident prompted cybersecurity experts to recommend that people stop tying their phone numbers to social media accounts.
Chief among the recommendations is two-factor authentication, or 2FA, to authorise access to those accounts, using a method that does not depend on the phone number, such as an authenticator app or a hardware security key. SMS codes are precisely what a SIM swap diverts to the attacker, so text-message 2FA offers no protection against this attack.
Neither the SEC nor DeFi Kingdoms had 2FA enabled at the time. "That's on us and we should know better," Soron told DL News in an interview.
In a statement sent to DL News, the SEC confirmed it was stung by a SIM swapping hack. An agency spokesman said its technicians had disabled "multi-factor authentication" for its X account in July due to difficulties accessing and managing the account. The agency reinstated the process after the hack.
The spate of SIM swapping cases also highlights new weaknesses in X.
Since February 2023, X has limited SMS-based 2FA to paying subscribers; 2FA via an authenticator app or a security key remains available to every account. Soron explained that 2FA can be cumbersome when multiple people are posting from the same account, which appears to be why the SEC removed it.
Once a hack has taken place, a lack of response from X makes it hard to rectify the situation, he said. Attempts to contact X's security team resulted in slow responses and automated messages that failed to address the issue effectively.
Press representatives from X did not respond to a request for comment.
"One of the problems that we were running into was when we said, 'Our account is compromised,' and we would just get an automatic response saying we did have access to our account," Soron said.
On another occasion, an automated response asked for additional information but they never heard back.
All the while the hacker, who had demanded 5 ETH for the return of the account, posted phishing links to the account's followers.
With the help of a contact inside X, the best the team could do was temporarily lock the account, but the phishing link remained in their bio, Soron said.
DeFi Kingdoms was eventually able to get its account back but the experience was stressful.
"There really isn't any assurance that you're going to get through to X and get your account back," Soron said.
As far as Soron knows, nobody lost money from the phishing links. For him, the biggest downside of the automated process was not being able to talk to an actual person, which might have resolved things faster.
"At least if I call my bank, I can yell at the robot enough that it will give me a person eventually," he said. "But if that exists through X, I couldn't find it."
Got an Asia crypto story? Get in touch with DL News' Asia Correspondent at callan@dlnews.com.