InfoNesia.xyz – Social media scams are thriving in the crypto space, and NFT collectors are losing their assets to attacks perpetrated through hijacked accounts. The latest example happened last night, with dozens of NFTs and about $30,000 worth of cryptocurrency stolen through a scam shared through the account of a well-known Web3 game developer.
On Wednesday, the Twitter account of Gabriel Leydon—co-founder and CEO of Limit Break, the gaming startup behind anime-inspired Ethereum NFT project, DigiDaigaku—was apparently taken over by an unauthorized user. The account proceeded to share a link to what was billed as access to an allowlist to secure a mint for a free DigiDaigaku NFT.
Instead, when users interacted with the website and approved the transaction prompted by the smart contract
—that is, the code that powers NFTs and autonomous decentralized apps—an attacker instead stole NFTs and cryptocurrency from their respective wallets
. Transactions made on blockchain networks cannot be reversed by a third party, like a bank or credit card company would in the event of fraud or theft.
Holy shit they hijacked account somehow and it asks for approvals for all your NFTs pic.twitter.com/rbxU0Rqf91
— state (@statelayer) November 3, 2022
The attacker pilfered dozens of NFTs from users, potentially worth tens of thousands of dollars’ worth of Ethereum in total. The most valuable of them by far was a Mutant Ape Yacht Club NFT, which the attacker quickly sold for 12.39 ETH (about $19,100 at the time). Additionally, the wallet appears to have taken about $30,000 worth of crypto from users.
Leydon has since recovered his Twitter account and pointed blame at mobile carrier AT&T in a voice message shared via tweet. In a direct message to Decrypt, Leydon claimed that an AT&T employee “did [an] override on all of my security protections and performed [an] unauthorized SIM swap.”
A SIM swap attack is typically used to bypass two-factor authorization protocols on accounts. The attacker is able to take over the mobile phone number in question, and then use it to gain access to protected accounts—including social media, where they can then impersonate the account owner.
A message to the people pic.twitter.com/SdxjmBdOvo
— Gabriel Leydon (FREE,OWN) (@gabrielleydon) November 3, 2022
Leydon claimed that an employee “went around” protections set to his AT&T account, and said that Limit Break is in contact with the company over the allegations. AT&T representatives did not immediately return Decrypt’s request for comment.
The Limit Break CEO told Decrypt that the studio is investigating the attack, and that it will work to assist users whose assets were stolen. “It’s a terrible situation, and once we verify the person was attacked, we will help that person,” Leydon said.
ZachXBT, a well-known pseudonymous blockchain investigator, tweeted that the attack appears to be linked to Monkey Drainer, a scammer that has recently snatched millions of dollars’ worth of NFTs and crypto assets.
Twitter has been besieged by similar attacks over the past several months. In some cases, a notable NFT artist or project creator’s account is hacked and used to spread these so-called “wallet drainer” scams. The rise of these scams has prompted a debate over the responsibility that Web3 creators have to compensate users who lose their assets as a result.
At other times, verified accounts of unaffiliated users—such as journalists—have been hijacked, rebranded as official project accounts, and used to spread exploits. That happened more frequently earlier this year, especially around projects like Azuki and Otherside, but it appears that Twitter addressed whatever security hole facilitated those verified account exploits.
Limit Break was founded in 2021 by Leydon and Halbert Nakagawa, previously co-founders of mobile game studio Machine Zone, which has produced successful titles like Game of War: Fire Age and Mobile Strike. The Web3 startup raised $200 million, as announced in August, from firms like FTX, Coinbase Ventures, and Paradigm.