Another day, another phishing attack in crypto.
The official Twitter account of the popular Ethereum NFT collection Gutter Cat Gang—and its co-founder's account—was hacked, resulting in the loss of at least $750,000.
Others have suggested as much as $900,000 was lost to the exploit. At least one of the attacker's wallets has since sold the stolen assets for $640,000, as verified by AegisWeb3.
The wide range of estimates is likely due to the wide range of NFTs taken and their varying floor prices.
In other words, at least 87 NFTs were stolen from 16 users, with one address losing 36 NFTs, including a Bored Ape that sold for $125,000 back in September 2021.
The hacker tweeted Friday, promoting a "public airdrop" of GutterMelo—a legitimate Gutter Cat Gang collection launched late last month. The hacker posted a phishing link to a fake airdrop that drained wallets that connected to the site.
"Most of the time [with an attack like this] a victim is interacting with a malicious contract to which the victim gives approval to that contract to spend the tokens on behalf of the user. That is how 'transferFrom()' works," Adrian Hetman, tech lead triager at Immunefi, told Decrypt. "From there, the hacker controlling the contract basically can transfer the user's NFTs as they want."
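To make the approval mechanism Hetman describes concrete, here is an added JavaScript example (not code from the article, Immunefi, or Gutter Cat Gang) that models the ERC-721 approval state a contract checks in transferFrom(). The token contract, the addresses and the token IDs are constructed placeholders; the point it shows is that a single setApprovalForAll() signed on a fake "claim airdrop" page covers every NFT the holder owns, and that auditing and revoking outstanding approvals closes that exposure.

```javascript
// Added example, not from the article: an in-memory model of ERC-721 approvals
// and the authorization check transferFrom() performs, plus a holder-side audit.
const ZERO_ADDRESS = '0x0000000000000000000000000000000000000000';

class Erc721Model {
  constructor() {
    this.owners = new Map();            // tokenId -> owner address
    this.tokenApprovals = new Map();    // tokenId -> operator approved for that one token
    this.operatorApprovals = new Map(); // owner -> Set of operators approved for ALL tokens
  }

  mint(to, tokenId) { this.owners.set(tokenId, to); }

  ownerOf(tokenId) {
    const owner = this.owners.get(tokenId);
    if (!owner) throw new Error(`token ${tokenId} does not exist`);
    return owner;
  }

  // approve(): per-token approval; approving the zero address clears it.
  approve(caller, operator, tokenId) {
    const owner = this.ownerOf(tokenId);
    if (caller !== owner && !this.isApprovedForAll(owner, caller)) {
      throw new Error('approve: caller is not owner nor approved for all');
    }
    if (operator === ZERO_ADDRESS) this.tokenApprovals.delete(tokenId);
    else this.tokenApprovals.set(tokenId, operator);
  }

  // setApprovalForAll(): blanket approval over every token the caller owns, now and later.
  setApprovalForAll(caller, operator, approved) {
    if (!this.operatorApprovals.has(caller)) this.operatorApprovals.set(caller, new Set());
    const set = this.operatorApprovals.get(caller);
    if (approved) set.add(operator); else set.delete(operator);
  }

  isApprovedForAll(owner, operator) {
    return this.operatorApprovals.get(owner)?.has(operator) ?? false;
  }

  // The check behind transferFrom(): caller is the owner, approved for this token,
  // or approved for all of the owner's tokens.
  isApprovedOrOwner(caller, tokenId) {
    const owner = this.ownerOf(tokenId);
    return caller === owner ||
      this.tokenApprovals.get(tokenId) === caller ||
      this.isApprovedForAll(owner, caller);
  }

  transferFrom(caller, from, to, tokenId) {
    if (this.ownerOf(tokenId) !== from) throw new Error('transferFrom: from is not owner');
    if (!this.isApprovedOrOwner(caller, tokenId)) throw new Error('transferFrom: caller not authorized');
    this.tokenApprovals.delete(tokenId); // a per-token approval is cleared on transfer
    this.owners.set(tokenId, to);
  }
}

// Holder-side audit: which operators can currently move this holder's tokens?
function auditApprovals(nft, holder) {
  const blanket = [...(nft.operatorApprovals.get(holder) ?? [])];
  const perToken = [];
  for (const [tokenId, owner] of nft.owners) {
    if (owner === holder && nft.tokenApprovals.has(tokenId)) {
      perToken.push({ tokenId, operator: nft.tokenApprovals.get(tokenId) });
    }
  }
  return { blanket, perToken };
}

// Revoke every outstanding approval of the holder; returns how many were revoked.
function revokeAll(nft, holder) {
  const { blanket, perToken } = auditApprovals(nft, holder);
  for (const op of blanket) nft.setApprovalForAll(holder, op, false);
  for (const { tokenId } of perToken) nft.approve(holder, ZERO_ADDRESS, tokenId);
  return blanket.length + perToken.length;
}

// Walk-through with constructed labels standing in for real addresses.
function approvalScenario() {
  const nft = new Erc721Model();
  const victim = '0xVICTIM', drainer = '0xDRAINER_CONTRACT', attacker = '0xATTACKER';
  [1, 2, 3].forEach(id => nft.mint(victim, id));
  const results = {};
  // 1. With no approval, the contract fails the transferFrom() authorization check.
  results.blockedWithoutApproval = !nft.isApprovedOrOwner(drainer, 1);
  // 2. The "claim airdrop" transaction the victim signed was really setApprovalForAll(drainer, true).
  nft.setApprovalForAll(victim, drainer, true);
  results.operatorsAfterSigning = auditApprovals(nft, victim).blanket;
  // 3. One blanket approval exposes every token the holder owns.
  results.tokensExposed = [1, 2, 3].filter(id => nft.isApprovedOrOwner(drainer, id)).length;
  // 4. Revoking it closes the exposure: the same transfer is now refused.
  results.revoked = revokeAll(nft, victim);
  let blocked = false;
  try { nft.transferFrom(drainer, victim, attacker, 1); } catch (e) { blocked = true; }
  results.blockedAfterRevoke = blocked;
  results.stillOwner = nft.ownerOf(1) === victim;
  return results;
}
```

The audit function is the check worth running after signing anything on an unfamiliar site: a blanket operator approval granted to an address you do not recognise is exactly the condition Hetman describes, and the fix is to revoke it before the operator's contract calls transferFrom().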
Two days later, the Gutter Cat Gang Twitter posted a debrief on the situation, expressing regret, saying that they're working with law enforcement, and that they're taking steps to prevent an attack from happening again.
Fans of the project were disappointed not to see any mention of potential compensation for the victims.
Decrypt has contacted the Gutter Cat Gang team but they haven't responded at the time of publication.
Gutter Cat Gang security?
Despite the hack, Gutter Cat Gang claims to have been using "multi-factor authentication and security measures."
It's unclear what multi-factor authentication and security measures the team was using. Twitter offers three multi-factor options: app-based authentication, SMS, or a dedicated key.
"The most secure option, by far, is app-based authentication using something like Authy, Microsoft Authenticator, or Google Authenticator," cyber-security expert James Bore told Decrypt. "The authentication code isn't transmitted over any network, so there's no opportunity for someone to intercept it."
"A dedicated USB security key is a more secure option than a phone app, but generally less popular due to the extra expense, inconvenience, and that you're more likely to lose or forget a hardware key than your phone," added Bore.
However, crypto sleuth ZachXBT claims that the team used SMS authentication, adding that "it's gross negligence to have used SMS [two-factor authentication] on your socials after all the recent SIM swaps."
"A SIM swap attack is where a fraudster takes over a victim's phone number by convincing their phone provider that the phone has been lost and the number needs to be ported to a new SIM," said Andrew Whaley, senior technical director at social media security company Promon. "The new SIM, of course, is the fraudster's, and once ported, they have access to phone calls and SMS messages. In this case, Twitter allows password resets by texting a one-time code to the user's phone. So the fraudster used this, following the SIM swap, to take over the Twitter account."
SIM swap attacks have been prevalent in the crypto world lately, with ZachXBT claiming there have been "30+ crypto-related SIM swaps in the past few weeks."
"This illustrates why SMS is not a very secure form of two-factor authentication (2FA)," Whaley said. "SIM swap attacks vary by country and mobile provider in how easy they are to pull off. In some countries, they're as easy as pressing '1' on the phone keypad."
How to stay safe?
This has raised questions about how crypto projects are securing their social media accounts.
Bore recommends using a "long, unique password" while using a hardware key for second-factor authentication.
Users should also activate password reset protection, which requires both your email and phone number before someone can attempt to reset an account's password.
For a final layer of security, Bore recommends having a phone number that you only use for security, meaning you never give your number out to people to contact.