- SIM-swap strikes again: Vitalik Buterin’s Twitter account hack stemmed from a SIM-swap attack, shedding light on the vulnerability of phone number-based security.
- Past precedents: T-Mobile has previously been implicated in other SIM-swap incidents leading to substantial crypto thefts.
The Anatomy of Buterin’s Recent Account Breach
Ethereum’s mastermind, Vitalik Buterin, unraveled the mystery behind the recent unauthorized access to his Twitter account. On September 12, while interacting on the decentralized platform Farcaster, Buterin elucidated that the cyber-intruders had orchestrated a SIM-swap attack, manipulating T-Mobile into transferring control of his phone number. He remarked,
“Someone socially-engineered T-mobile itself to take over my phone number.”
Buterin’s incident casts a discerning spotlight on a critical vulnerability: a phone number linked to a Twitter account can be used to reset the account password even when it is not enrolled as a two-factor authentication (2FA) method. Expressing his own surprise, Buterin stated,
“I had seen the ‘phone numbers are insecure, don’t authenticate with them’ advice before but did not realize this.”
The ripple effect of this breach was felt on September 9, when ill-intentioned actors assumed Buterin’s Twitter identity, propagating a deceitful NFT giveaway. This ploy lured unsuspecting users to a malevolent link, culminating in an aggregate loss surpassing $691,000.
Understanding SIM-Swapping: The Latent Risks
After the incident, Ethereum developer Tim Beiko was swift to voice a pertinent precaution: unlink phone numbers from Twitter profiles and fortify accounts with 2FA. Noting how little known this vulnerability is, Beiko suggested that enhanced security measures be switched on automatically for profiles with significant follower counts.
Twitter opsec PSA:
If you have a phone number linked on your account, even with other 2FA, it can be used to reset your PW. Need to specifically disable it + remove phone #.
If your Twitter account pre-dates crypto, strongly recommend double-checking, and adding strong 2FA!
— timbeiko.eth ☀️ (@TimBeiko) September 9, 2023
For the uninitiated, a SIM-swap, colloquially termed ‘simjacking’, is a modus operandi wherein cyber-adversaries wrest control over an individual’s mobile number, typically by persuading the carrier to move it to a SIM they hold. Control of that number is often enough to intercept SMS-based 2FA codes and password-reset messages, paving the way to access a plethora of accounts ranging from social media to financial vaults.
Alarmingly, T-Mobile’s entanglement in such incidents isn’t unprecedented. The telecom behemoth faced legal heat in 2020 for purportedly facilitating crypto thefts amounting to $8.7 million via a series of SIM-swap incursions. The early months of 2021 saw them embroiled in another litigation following a customer’s loss of $450,000 in Bitcoin, stemming yet again from a SIM-swap operation.