Ethereum co-founder Vitalik Buterin has confirmed that the recent hack of his X (Twitter) account was the result of a SIM-swap attack.
Speaking on the decentralized social media network Farcaster on Sept. 12, Buterin said that he has finally recovered his T-Mobile account after the hacker managed to gain control of it via a SIM swap attack.
“Yes, it was a SIM swap, meaning that someone socially-engineered T-mobile itself to take over my phone number.”
The Ethereum co-founder added some lessons and learnings from his experience with X.
“A phone number is sufficient to password reset a Twitter account even if not used as 2FA,” he said be for adding that users can “completely remove phone from Twitter.”
“I had seen the ‘phone numbers are insecure, don't authenticate with them’ advice before, but did not realize this.”
On Sept. 9, Buterin’s X account was taken over by scammers who posted a fake NFT giveaway prompting users to click a malicious link which resulted in victims collectively losing over $691,000.
A SIM-swap or simjacking attack is a technique used by hackers to gain control of a victim’s mobile phone number. With control of the number, scammers can use two-factor authentication (2FA) to access social media, bank, and crypto accounts.
It is not the first time T-Mobile has been involved in this type of attack vector. In 2020, the telecoms giant was sued for allegedly enabling the theft of $8.7 million worth of crypto in a series of SIM-swap attacks.