Ethereum co-founder Vitalik Buterin confirmed that his X (formerly Twitter) account was breached via a sim-swap attack, according to a Sept. 11 post on Warpcast.
A sim-swap attack is a scheme that exploits a vulnerability in specific two-factor authentication methods, where a phone call or text message serves as the second authentication step. This method enables attackers to access their victims’ text messages, emails, contact lists, bank accounts, social media profiles, and other sensitive and private data.
Buterin explained that he did not know that phone numbers were sufficient to password reset a Twitter account even if not used as two-factor authentication. He added:
“A phone number is sufficient to password reset a Twitter account even if not used as 2FA. Can completely remove phone from Twitter. I had seen the “phone numbers are insecure, don’t authenticate with them” advice before, but did not realize this.”
According to him, he might have added his mobile number to the social media platform when he was registering for Twitter Blue. Twitter Blue is a subscription service that grants users access to premium app features and exclusive benefits like expanded reach, prioritized tweets, and other features on the X application.
Meanwhile, Buterin expressed joy in being on Farcaster, a decentralized social media protocol that allows users to recover their accounts via an Ethereum address. Warpcast is built on this protocol.
Buterin did not provide additional information on whether he would ever return to X.
On Sept. 9, Buterin’s X account was used to promote a phishing link that stole digital assets, including non-fungible tokens (NFTs) from wallets that interacted with it. The incident led to the loss of around $700,000.
Following the hack, Binance CEO Changpeng Zhao urged the crypto community to take caution when reading social media posts and advised the platform to introduce more security features. He added:
“Twitter’s account security is not designed as financial platforms. It needs quite a bit more features: 2FA, login id should be different from handle or email, etc.”