Warning Issued About Crypto Thefts Orchestrated by Fake Journalists
The security firm SlowMist has issued a warning about a wave of cryptocurrency thefts orchestrated by fake journalists. The first instance of the campaign was reported on October 14, when a Twitter user named Masiwei alerted the community to a targeted account-theft attack on friend.tech.
SlowMist’s security team analysed the attack and found that the attackers were sending links containing malicious JavaScript. Their goal was to trick users into adding these links as bookmarks, laying the groundwork for later theft.
On October 17, a victim named Double Wan reported that their assets on friend.tech were stolen. SlowMist Security Team immediately assisted the victim in tracking and investigating the theft. Through their efforts and the cooperation of OKX, the stolen funds were successfully intercepted.
The Tactics Used by the Attackers
To pull off the attack, the attackers posed as journalists from reputable news agencies and built a substantial following on Twitter. They targeted victims with a malicious JavaScript script, focusing on Key Opinion Leaders (KOLs) because their popularity makes an interview invitation plausible.
Once an interview was scheduled, the attackers would guide the victim to continue the conversation on Telegram, providing an interview outline to establish credibility. After the interview concluded, the attackers would ask the victim to fill out a form and open a phishing link they provided. The link, disguised as a verification process, was designed to trick users into revealing their friend.tech account information.
The victims were instructed to drag a seemingly innocuous “Verify” button to their bookmark bar. The button was in fact a bookmarklet: a bookmark whose address is a javascript: URL, which the browser executes in the context of whatever page is open when it is clicked. When clicked, the script would trick users into revealing their friend.tech account password and the associated tokens stored in the embedded wallet Privy, putting both the account and its funds at risk of theft.
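As an added example, not SlowMist’s code nor part of this report, the following Python triage script scans a Chrome Bookmarks file for javascript: entries of the kind the “Verify” button plants, flagging those whose script touches browser storage or makes network calls. The sample bookmarks file is constructed here and the indicator list is an assumption, not a published signature.

```python
import json
from urllib.parse import unquote

# A bookmarklet is a bookmark whose address is a javascript: URL; the script runs
# in the open page. Assumed indicators of reading secrets or sending data away.
INDICATORS = ["localstorage", "sessionstorage", "document.cookie", "fetch(",
              "xmlhttprequest", "sendbeacon", "new image", ".src=", "eval(",
              "atob(", "fromcharcode"]

def classify(url):
    """Return (is_bookmarklet, decoded_script, matched_indicators) for a URL."""
    # Browsers drop leading control chars and ignore scheme case: '\tJavaScript:' runs.
    cleaned = url.lstrip("".join(map(chr, range(33))))
    if cleaned[:11].lower() != "javascript:":
        return False, "", []
    script = unquote(cleaned[11:])  # decode %XX so encoded payloads are not missed
    hits = [i for i in INDICATORS if i in script.lower()]
    return True, script, hits

def _walk(node):
    """Yield every bookmark entry (type 'url') beneath a Chrome bookmark folder."""
    if node.get("type") == "url":
        yield node
    for child in node.get("children", []):
        yield from _walk(child)

def scan_bookmarks(bookmarks_json):
    """Scan the JSON text of a Chrome 'Bookmarks' file; report javascript: entries."""
    findings = []
    for root in json.loads(bookmarks_json).get("roots", {}).values():
        if isinstance(root, dict):  # roots may also hold non-folder metadata
            for bm in _walk(root):
                is_js, script, hits = classify(bm.get("url", ""))
                if is_js:
                    findings.append({"name": bm.get("name", ""), "hits": hits,
                                     "severity": "high" if hits else "review",
                                     "script": script[:120]})
    return findings

# Constructed sample in the layout of Chrome's Bookmarks file; not real user data.
SAMPLE = json.dumps({"version": 1, "roots": {
    "bookmark_bar": {"type": "folder", "children": [
        {"type": "url", "name": "Docs", "url": "https://docs.example/"},
        {"type": "url", "name": "Verify",
         "url": "javascript:(()=>{/* reads localStorage, calls fetch( */})()"}]},
    "other": {"type": "folder", "children": [{"type": "folder", "children": [
        {"type": "url", "name": "wc",
         "url": "JavaScript:%61lert(document.body.innerText.length)"}]}]},
    "synced": {"type": "folder", "children": []}}})
```

Any javascript: bookmark is worth a look because few users create them deliberately; entries marked "high" are the ones to examine first.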
Protecting Against Phishing Attacks
To protect against such phishing attacks, SlowMist recommends the following:
- Increasing awareness of social engineering attacks
- Exercising caution when clicking on unknown links
- Learning to identify phishing links by checking for misspellings or irregularities in domain names
- Installing anti-phishing plugins, such as MetaMask’s recently launched alert feature
It is important for users to be vigilant and take these preventive measures to ensure the safety of their cryptocurrency assets.
Separately, hackers have reportedly stolen millions of dollars’ worth of digital assets through SIM-swapping attacks on friend.tech users. According to Manifold Trading, a company that builds tools for the industry, $20 million of friend.tech’s $50 million total locked value is at risk.
“If you assume 1/3 of FriendTech accounts are connected to phone numbers, that’s $20M at risk from sim-swaps,” the company wrote in a recent post.
Manifold Trading also noted that friend.tech’s current setup technically allows a rogue developer to reconstruct users’ private keys from the Shamir Secret Sharing shares recoverable from user data in its database, which puts the entire Total Value Locked (TVL) at risk.