The Twitter/X account of blockchain security firm CertiK was hijacked today to redirect the company’s more than 343,000 followers to a malicious website pushing a cryptocurrency wallet drainer.
CertiK’s gold-verified X account was compromised in a social engineering attack by a threat actor using another hacked account described by the company as “associated with a well-known media.”
“We are currently investigating a compromise of our X account @CertiK. Do not interact with any posts until we have confirmed the account is secure,” the company warned via its CertiKAlert account.
Crypto fraud sleuth ZachXBT later leaked screenshots of the DMs from the phishing attack, showing that the attacker used the hacked account of a journalist, dormant since 2020 and with over 1 million followers, to send the phishing message.
Using this hacked account, the threat actors reached out to Certik about an alleged article they were doing for Forbes, asking to schedule an interview. However, the link to the scheduling site was actually a phishing site used to steal the Certik employee’s credentials.
After hijacking CertiK’s account, the attackers posted a phishing message linking to a wallet drainer.
“WARNING: Our team has found the Uniswap Router contract to be vulnerable to a re-entrancy exploit, allowing attackers to move anyone’s tokens if approved to the Uniswap contract. Use @RevokeCash in order to revoke any vulnerable approvals,” the malicious message said.
Revoke.cash almost immediately cautioned that CertiK’s X account had been compromised and that the malicious tweet sent people to a fake Revoke website.
​CertiK says it deleted the malicious tweet 15 minutes after it was posted by the threat actor, adding that a subsequent investigation found this to be part of a large-scale ongoing social engineering campaign that already led to the compromise of many other accounts.
“While it’s easy to point the finger after a phishing attack, the reality is that these scams are designed to exploit human trust and vulnerabilities,” CertiK said.
The company also encouraged those who were affected during this incident to reach out.
As BleepingComputer reported on Thursday, verified X accounts with ‘gold’ and ‘grey’ checkmarks belonging to government and business entities are increasingly being hijacked to push cryptocurrency scams and phishing sites directing potential victims to crypto drainers.
For instance, the account of Google subsidiary and cybersecurity company Mandiant was hijacked on Wednesday even though it had two-factor authentication (2FA) enabled.
The threat actor impersonated the Phantom crypto wallet and shared a crypto scam, leading targets to a fake airdrop page that emptied their cryptocurrency wallets.
Scammers also used the official Twitter account for Bloomberg Crypto to redirect almost 1 million followers to a malicious website that stole their Discord credentials.
BleepingComputer reached out to Certik to determine if 2FA was configured on the company’s X account but has yet to hear back.