Fraud researchers impersonated on X to push crypto-stealing sites

Multiple fake accounts impersonating cryptocurrency scam investigators and blockchain security companies are promoting phishing pages to drain wallets in an ongoing campaign on X (former Twitter).

To lure potential victims, the scammer uses a breach on major cryptocurrency exchange platforms. The scenario urges users to act swiftly to safeguard their digital assets from potential theft.

The scammers impersonate accounts on X belonging to blockchain analytics or crypto fraud investigation firms and researchers, like CertiK, ZachXBT, and Scam Sniffer, to promote  fabricated security breaches on Uniswap and Opensea.

To impersonate the legitimate accounts, the threat actors created new X accounts with similar account names. For example, ZachXBT has the account @zachxbt, while the threat actors created and tweeted from @zacheryxbt.

Many legitimate X users fell for the trick and shared the scam on their accounts, some with hundreds of thousands of followers without double-checking the validity of the claims.

One example is a tweet from malware analysis platform vx-underground, whose admins falsely assumed the information came from a trustworthy account. In the tweet below, VX-Underground clarifies how they fell for the trick.

The scale of the campaign is also notable, with bot accounts promoting hashtags like #UniswapExploit to the point of them reaching top trending topics in the U.S. on X.

ZachXBT, one of the accounts impersonated in this scam, told BleepingComputer that the first time he saw this threat group utilizing this tactic was on November 9th.

This was when Hayden Adams - the developer of Uniswap's web application interface, warned the cryptocurrency community of the scam, clarifying that there was no Uniswap exploit leveraged in the wild and that tweets about this came from fake X accounts impersonating ZachXBT, Certik, and other well-known users in the cryptocurrency community.

Operation details

The scammers impersonate accounts on X belonging to blockchain analytics and investigation firms or users, like CertiK, ZachXBT, and Scam Sniffer, to promote a fabricated security breach on Uniswap or Opensea.

Fake X accounts promoting the crypto phishing page
source: BleepingComputer

The scenario alleges that hackers exploited a signature verification vulnerability in the said protocols/exchanges to steal tokens.

Users are advised to revoke the permissions as soon as possible to prevent losing their assets by following a link to a malicious website at 'revoketokens[.]io' or 'revokea[.]sh' which are still online at the time of writing.

Once visitors click on the ‘Revoke Approvals’ button and connect their wallet, the scam drains their funds, which is a non-reversible process.

Phishing page draining cryptocurrency wallets (BleepingComputer)

Impersonation risk

Impersonating the ‘good guys’ is a powerful deception trick capable of increasing success rate of the scam.

In July 2022, phishing actors were seen impersonating cybersecurity companies to gain initial access to corporate networks.

In June 2023, hackers created fake accounts on GitHub that impersonated existing cybersecurity researchers, even linking to fake X accounts for added legitimacy.

The repositories contained malware downloaders disguised as proof-of-concept (PoC) exploits for popular software.

There’s no precaution more effective than double-checking that an account is authentic and that its claims accurately represent the truth. Because even legitimate accounts can be compromised to propagate scams, users should verify the claims from official sources.

Finally, never connect your wallet to dubious or unofficial platforms, and avoid signing smart contracts you don’t fully understand.

If you’re overly worried about the likelihood of losing your digital assets to hacks and breaches, consider moving them to a cold wallet.