A project’s Twitter account is hacked. What do the scammers do next?

On the 18th October 2024 the EigenLayer Twitter account was compromised and used to promote a fake airdrop for the project. The link directed users to a phishing site that was designed to entice them to connect their wallet but then all their funds would be stolen!

The scammers used their access to the official Twitter account to post this original phishing tweet and then followed up 10 minutes later with a second post before a third “final call” post to try and create some FOMO. They included 7 post tweet treads and even a cute picture of a dog in a flower crown to try and convince restakers that the posts were legitimate.?

For those following the EigenLayer project, the season 2 stakedrop had ended the month before and so this should have rung some alarm bells. The crypto community mobilised quickly following the compromised account postings with the Eigen Labs team posting warnings not to click on the link and crypto investigators like ZachXBT sharing warnings about the compromised account.?

However sadly restakers did click on the link, with one victim losing around $800k worth of mETH: https://x.com/realScamSniffer/status/1847231510459670623?

But when this type of activity happens, it isn’t just the original scammers that you need to be wary of - often other scammers are waiting in the wings, ready to take advantage of the situation and who will try to double-tap strike you!

This was seen clearly when just the next day I got an email drop into my inbox allegedly from the EigenLayer team. It was piggybacking off the Twitter compromise and advising me to “verify” my account to ensure all was safe.

The email itself is pretty low quality with some questionable wording choices e.g “esteemed participant” ?? and plenty of nonsense wording e.g “We are handling all modifications” ??but the intentions are very clear, they are trying to convince me into connecting my wallet by worrying me that I might be at risk post the Twitter compromise.

The website set up to trap victims is branded like EigenLayer and even includes FAQ and blog links to the real Eigen Layer website. However the main contents of the site is to encourage you to check if you have been compromised by connecting your wallet and then confirming ownership - this later stage will be a Permit signature or ApprovalAll type request which is masked to appear as if you’re claiming ownership of the address when in reality you’re about to hand the keys to the scammer! In the 3rd stage they claim they will scan your wallet for breaches and any sign of compromise which they will definitely find since that’s what they will be doing to you at exactly that moment - transferring out all tokens, NFTs and crypto you have in there!

This type of scam-after-the-scam is intended to mop up anyone who didn’t fall victim to the first scam by playing on their concerns and potential confusion about whether they were affected.?

So even after a scam it’s important to watch out for any follow ups by other bad actors and, as always, avoid connecting your wallet unless you are absolutely sure that it’s the official channel of the project AND it’s not compromised still!?