Kucoin Twitter Hack Sees $22,750 Lost

  • Kucoin’s Twitter account was compromised overnight, leading to the loss of $22,750 in BTC and ETH from several users
  • The hackers posted a fake giveaway poster and an accompanying Medium piece
  • Kucoin has said it will refund all affected users

Crypto exchange Kucoin has revealed that its Twitter account was compromised overnight and that $22,750 was stolen in a phishing attack. The company’s official Twitter feed was taken over and replaced with an image purporting to be a giveaway celebrating 10 million users. In fact, it linked to a phishing site that took the funds of anyone who submitted their Ethereum and Bitcoin addresses. The exchange acknowledged the breach in a tweet thread that reassured victims that they would all be refunded, but didn’t reveal how the hack occurred.

Hackers Seemed Prepared

Scams of this nature are nothing new, preying on the less crypto-educated individuals in the space, and they are certainly improving. In years gone by, a compromised Twitter feed would see hurriedly written text promoting a giveaway with a plethora of emojis thrown in, the kind that an exchange would never send, but these hackers were much better prepared, creating a realistic-looking promotional picture for the feed.

This shows an impressive amount of preparation, suggesting they acquired the login details well ahead of time. There were some clues as to the fraudulent nature of the post, however, such as the fact that Kucoin had given no notice of it and it was due to last only two hours. This element of time pressure is typical among scammers, as it makes potential victims feel like they will miss out if they don’t act soon.

The scammers accompanied the Twitter post with a fake Medium post, detailing the rationale behind the $10 million giveaway and lending it more authenticity.

Victims Will be Reimbursed

Kucoin revealed that the scam was operational for about 45 minutes, during which the scammers managed to collect 0.23 BTC and 8.7 ETH worth a combined $22,750. Kucoin added that it will “fully reimburse all verified asset losses caused by the social media breach and the fake activity” and will “implement additional security measures to fortify the protection of our social media accounts.”

This, it said, would be in addition to the existing two-factor authentication already in place, which suggests that the hackers managed to bypass that too.
