
Code4rena Twitter (“X”) Incident

For 69 minutes on Monday, November 27th, the Code4rena Twitter (“X”) account was hijacked via SIM swap and used to send a phishing link.

Based on intel shared by ZachXBT, we have every reason to believe the attacker was the same individual behind other high-profile SIM swaps that have taken place this year.

In transparency, we want to share the details of the incident.

Timeline

Monday Nov 27th, 2023

3:33 PM PST — Attacker logs in after the SIM swap

3:33 PM PST — Code4rena security and leaders informed by marketing director

3:34 PM PST — Original phishing tweet posted

3:36 PM PST — DMs started, linking to the following URL: hxxps://t.co/2U7dhntEXN (hxxps://x.com/code4rena/status/1729282511325348237?s=20)

3:40 PM PST — DMs ended (47 direct messages were sent)

3:42 PM PST — War room created, MetaMask blacklist PR landed (Thank you, Frankie and samczsun)

3:42 PM PST — Reported to Google Safebrowsing

3:47 PM PST — Confirmed that staff retained access to manage tweets via third-party tooling

3:47 PM PST — C4 staff deleted original phishing tweet

3:47 PM PST — Attackers respond by reposting the tweet

3:55 PM PST — Initial outreach to Twitter Support after other recovery methods had failed

4:03 PM PST — Community announcement via Discord

4:26 PM PST — Confirmation that MetaMask warning is in place

4:30 PM PST — Brought in ZachXBT for additional assistance

4:42 PM PST — With assistance from ZachXBT, Twitter Support regains control of the account and removes the tweet and the third-party access

Impact

A total of 47 people received phishing DMs from the attacker, who set up a malicious mirror of code4rena.com and used Pink Drainer.

Because the attackers left an image from a unique deployment in their copy, we were able to identify that 37 unique IP addresses visited the phishing site during the window of compromise.
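As an added illustration of the identification described above (example code, not Code4rena's own tooling): the hot-linked image path, the phishing host and the access log lines are constructed placeholders, while the time window comes from the timeline. Grouping beacon requests by Referer host separates normal site traffic from visitors to the clone.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Assumed path of the image the clone kept from a unique deployment (placeholder).
BEACON_PATH = "/assets/unique-deploy-image.png"

# Window of compromise from the timeline: first phishing tweet to recovery.
PST = timezone(timedelta(hours=-8))
WINDOW_START = datetime(2023, 11, 27, 15, 34, tzinfo=PST)
WINDOW_END = datetime(2023, 11, 27, 16, 42, tzinfo=PST)

# Apache/Nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def parse_line(line):
    """Parse one combined-format log line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "time": ts, "path": m.group("path"),
            "referer": m.group("referer")}

def beacon_visitors_by_referer(lines):
    """Map Referer host -> set of client IPs that fetched the beacon image
    inside the window. The legitimate host is normal traffic; any other
    host hot-linked the image, i.e. served the phishing clone."""
    visitors = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != BEACON_PATH:
            continue
        if not WINDOW_START <= rec["time"] <= WINDOW_END:
            continue
        host = urlsplit(rec["referer"]).hostname or "(none)"
        visitors.setdefault(host, set()).add(rec["ip"])
    return visitors

# Constructed sample log (RFC 5737 test addresses, placeholder phishing host).
SAMPLE_LOG = """\
203.0.113.10 - - [27/Nov/2023:15:37:02 -0800] "GET /assets/unique-deploy-image.png HTTP/1.1" 200 5120 "https://phish.example/" "Mozilla/5.0"
203.0.113.10 - - [27/Nov/2023:15:37:05 -0800] "GET /assets/unique-deploy-image.png HTTP/1.1" 200 5120 "https://phish.example/connect" "Mozilla/5.0"
198.51.100.7 - - [27/Nov/2023:15:41:30 -0800] "GET /assets/unique-deploy-image.png HTTP/1.1" 200 5120 "https://phish.example/" "Mozilla/5.0"
192.0.2.44 - - [27/Nov/2023:15:50:00 -0800] "GET /assets/unique-deploy-image.png HTTP/1.1" 200 5120 "https://code4rena.com/" "Mozilla/5.0"
192.0.2.99 - - [27/Nov/2023:17:10:00 -0800] "GET /assets/unique-deploy-image.png HTTP/1.1" 200 5120 "https://phish.example/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for host, ips in beacon_visitors_by_referer(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {len(ips)} unique IPs")
```

The last sample request falls after the 4:42 PM recovery and is excluded, so only visits during the compromise are attributed to the clone.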

Further analysis identified that 2 individuals authorized a malicious wallet transaction on the fake website at the linked address, resulting in $1175 in assets stolen.

Code4rena has been able to make direct contact with 1 of 2 impacted parties based on their wallet ENS and is voluntarily providing compensation in exchange for their assistance in documenting and analyzing the attack.

What we’ll do from here

We hold Code4rena to high security standards. It is our posture to view any incident as an opportunity to continue to raise the bar for ourselves.

Code4rena already has policy and checks in place requiring 2FA wherever possible on all staff accounts. Unfortunately, access control for Twitter was missed because of assumptions made in our internal review. As a result, the SIM swap gave the attacker sufficient access to take over the account.

Code4rena has engaged in further access control review and is enforcing more thorough policy to require non-SMS 2FA in any places we can.

In order to best protect yourself and organizations you are associated with, we encourage you to review samczsun’s Twitter Security Self-Audit.

Thanks

Thank you to samczsun, Frankie, Caitlin, and ZachXBT and others for your support and quick action. Thank you also to bytes032, ustas, and LadBoy for additional assistance analyzing the exploit.
