Phishing Crypto Twitter Accounts Hide Under Gold Label

Immediately after falling victim to a phishing scam involving gold-labeled Twitter accounts, cryptocurrency users are at risk of being scammed by malicious actors offering assistance in fund recovery.

The Wormhole airdrop has led to an increase in incidents of phishing scams involving fake crypto Twitter accounts with gold checkmarks

Amidst preparations for the upcoming airdrop organized by interoperability platform Wormhole, the on-chain security solution Scam Sniffer warned the cryptocurrency community about phishing scams spread by gold-labeled X accounts.

"Every airdrop is also a scammer's carnival," SlowMist posted on X yesterday, adding "You wouldn't believe that the gold-labeled accounts are actually fake Wormhole accounts."

Unfortunately, many X users were confused by the gold-labeled Wormhole accounts, which are now publishing posts pretending to guide users through the airdrop. In reality, the posts contain malicious links causing the loss of funds, whereas the official Wormhole account only has a blue label.


"Today I lost 90% of the on-chain portfolio I had built up over the last 3 years," Pnuts, one of the victims of the fake Wormhole phishing scam, shared with the X community. "I clicked a bad link to check my Wormhole eligibility, which looked like it was from the official account," Pnuts explained the incident.

Figure: Twitter accounts for sale (source: SlowMist)

The victim of the phishing scam claimed they knew to refrain from signing suspicious transactions and had not even clicked the malicious link intentionally. Pnuts added that they clicked on the phishing ad accidentally, which led to the loss of assets.

Furthermore, Pnuts immediately found private messages from the X account Vienn_ETH, who had already learned about the exploit and was offering help. The mysterious assistant, whose X profile no longer existed at the time of publication, started a video call, showed the scam victim the revoking process through Etherscan, and asked for screenshots of the procedure being executed on the victim’s computer.

"Turns out the screenshot he [Vienn_ETH] asked me to send him had my private key and he continues to drain all my remaining tokens in my wallet," Pnuts complained, adding that the actor also managed to steal the funds from the victim’s SOL wallet.

X user S3condson reported a similar situation: they lost all their LUNA after signing a permit presented to them once they clicked on the airdrop post from the fake Wormhole account. S3condson was also scammed by developers who pretended they wanted to help the scam victim recover the lost funds.

The issue of scammers impersonating legitimate Web3 projects and leveraging X icons that are supposed to be proof of the account's reliability has already been raised numerous times in the cryptocurrency community. One of the most recent reports on such exploits was made by the cybersecurity team SlowMist in January.

"Approximately 80% of comments on tweets from famous projects are occupied by phishing scam accounts," the on-chain security specialists found at the time.

In its report, SlowMist claimed that Twitter accounts could be easily purchased through numerous dedicated Telegram groups and specialized websites, which "offer Twitter accounts from various years and support the purchase of specific, similar accounts."

After the purchase of an already existing account suited to the particular needs of a phishing campaign, scammers invest in promotional tools that facilitate increasing the account’s credibility through paid followers and interactions.

"These tools, also supporting cryptocurrency payments, offer services like likes, shares, and follower boosts for major international social platforms," SlowMist explains, adding that one such service had already processed more than 1.3 million orders coming from approximately 20,000 customers.

Once the Twitter account is set up, scammers put effort into mimicking the legitimate project they are targeting. Automated bots play a crucial part in the phishing campaign: they follow the activity of the mimicked project so that scammers can comment on its posts as soon as they are published, which secures visibility for the fake account and further confuses X users.

To avoid the exploits mentioned earlier, SlowMist recommends increasing personal security awareness, emphasizing that the use of security tools, while helpful, is not sufficient to protect cryptocurrency users from theft.

When dealing with crypto Twitter accounts, anything suspicious can be enough to raise a red flag. For example, in the case of the recent fake Wormhole exploits, the original Wormhole account uses the X name "Wormholecrypto". In contrast, the two fake accounts identified by Scam Sniffer are named "Sndrises" and "Yellowspeed_hq".


While this rule may not be applicable in all instances, and in many cases scammers are more proficient at imitating the names of legitimate X accounts, the account name should at least be verified.

Although it is not advisable to rely exclusively on security tools, and you should conduct your own assessment whenever you click on any link related to Web3 projects, such tools can provide an additional layer of protection. SlowMist emphasizes the importance of real-time alerts for phishing domains, which can signal the risk whenever a user opens a phishing page, thus "eliminating the possibility of deceitful signature requests and stopping the risk at its inception."

Finally, an additional security level is introduced by cryptocurrency wallets capable of detecting malicious signatures and displaying transaction details including amounts, recipients, and authorization information.
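
To make the wallet-side check above concrete, here is an added example (not from SlowMist, Scam Sniffer or any wallet's code) that summarises an EIP-2612 `Permit` signature request, the kind of permit S3condson describes signing, and flags risky fields. The trusted-spender list, the warning names, the one-day threshold and all addresses and timestamps are constructed assumptions.

```python
MAX_UINT256 = 2**256 - 1
ONE_DAY = 24 * 60 * 60

# Assumption: spender contracts the user has already decided to trust.
TRUSTED_SPENDERS = {"0x" + "11" * 20}  # constructed placeholder address


def to_int(value):
    """Typed-data numbers arrive as ints, decimal strings or 0x-hex strings."""
    return value if isinstance(value, int) else int(str(value), 0)


def review_permit(request, now, trusted=TRUSTED_SPENDERS):
    """Summarise an EIP-712 request as a wallet prompt could, plus warnings."""
    if request.get("primaryType") != "Permit":
        return {}, ["unrecognised-type"]  # cannot be decoded: do not sign blind
    msg = request["message"]
    summary = {
        "token": request["domain"]["verifyingContract"].lower(),
        "owner": msg["owner"].lower(),
        "spender": msg["spender"].lower(),   # recipient of the allowance
        "amount": to_int(msg["value"]),      # how much the spender may move
        "deadline": to_int(msg["deadline"]), # until when the signature is usable
    }
    warnings = ["grants-allowance-offchain"]  # true of every Permit signature
    if summary["spender"] not in trusted:
        warnings.append("unknown-spender")
    if summary["amount"] == MAX_UINT256:
        warnings.append("unlimited-amount")
    if summary["deadline"] - now > ONE_DAY:
        warnings.append("long-lived-deadline")
    return summary, warnings


NOW = 1_700_000_000  # constructed timestamp
# Constructed sample requests, shaped like eth_signTypedData_v4 payloads.
SUSPICIOUS = {
    "primaryType": "Permit",
    "domain": {"name": "Token", "chainId": 1, "verifyingContract": "0x" + "AA" * 20},
    "message": {"owner": "0x" + "22" * 20, "spender": "0x" + "ab" * 20,
                "value": str(MAX_UINT256), "nonce": "0", "deadline": hex(MAX_UINT256)},
}
BENIGN = {
    "primaryType": "Permit",
    "domain": {"name": "Token", "chainId": 1, "verifyingContract": "0x" + "AA" * 20},
    "message": {"owner": "0x" + "22" * 20, "spender": "0x" + "11" * 20,
                "value": "1000000", "nonce": "0", "deadline": NOW + 600},
}
```

A permit is signed off-chain, so nothing appears in the wallet's transaction history until the spender uses it; that is why the spender, amount and deadline need to be shown at signing time.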