Gutter Cat Gang Twitter Hacked, At Least $750K Worth of NFTs Swiped

Another day, another phishing attack in crypto.

The official Twitter account of the popular Ethereum NFT collection Gutter Cat Gang—and its co-founder's account—was hacked resulting in the loss of at least $750,000.

Others have suggested as much as $900,000 was lost to the exploit. At least one of the attacker's wallets has since sold the stolen assets for $640,000, as verified by AegisWeb3.

The wide range of estimates is likely due to the wide range of NFTs nabbed and their varying floor prices.

Put otherwise, at least 87 NFTs were stolen from 16 users with one address losing 36 NFTs, including a Bored Ape that sold for $125,000 back in September 2021.

The hacker tweeted Friday, promoting a "public airdrop" of GutterMelo—a legitimate Gutter Cat Gang collection released late last month. The hacker posted a phishing link to a fake airdrop that drained wallets that connected to the site.

"Most of the time [with an attack like this] a victim is interacting with a malicious contract to which the victim gives approval to that contract to spend the tokens on behalf of the user. That's how ‘transferFrom()’ works," Adrian Hetman, tech lead triager at Immunefi, told Decrypt. "From there, the hacker controlling the contract basically can transfer the user's NFTs as they want."

Two days later, the Gutter Cat Gang Twitter posted a debrief on the situation, expressing remorse, that they are working with law enforcement, and that they are taking steps to prevent an attack from happening again.

Fans of the project were disappointed to not see any mention of possible compensation for the victims.

Decrypt has contacted the Gutter Cat Gang team but they have not responded at the time of publication.

Gutter Cat Gang security?

Despite the hack, Gutter Cat Gang claims to have been using "multi-factor authentication and security measures."

It's unclear what multi-factor authentication and security measures the team was using. Twitter offers three multi-factor options: app-based authentication, SMS, or a dedicated key.

"The most secure option, by far, is app-based authentication using something like Authy, Microsoft Authenticator, or Google Authenticator," Cyber-security expert, James Bore told Decrypt. "The authentication code is never transmitted over any network, so there is no opportunity for someone to intercept it."

"A dedicated USB security key is a more secure option than a phone app, but often less popular due to the additional expense, inconvenience, and that you are more likely to lose or forget a hardware key than your phone," added Bore.

However, crypto sleuth ZachXBT claims that the team used SMS authentication, adding that, "it is gross negligence to have used SMS [two-factor authentication] on your socials after all of the recent SIM swaps."

"A SIM swap attack is where a fraudster takes over a victim's phone number by convincing their phone provider that the phone has been lost and the number needs to be ported to a new SIM," Andrew Whaley, senior technical director at social media security company Promon. "The new SIM, of course, is the fraudster's, and once ported, they have access to phone calls and SMS messages. In this case, Twitter allows password resets by texting a one-time code to the user’s phone. So the fraudster used this, following the SIM swap, to take over the Twitter account."

SIM swap attacks have been prevalent in the crypto world lately with ZachXBT claiming there have been, "30+ crypto-related SIM swaps in the past few weeks."

"This illustrates why SMS is not a particularly secure form of two-factor authentication (2FA)," Whaley said. "SIM swap attacks vary by country and mobile provider in how easy they are to pull off. In some countries, they are as easy as pressing '1' on the phone keypad."

How to stay protected?

This has raised questions about how crypto projects are securing their social media accounts.

Bore recommends using a "long, unique password" while using a hardware key for second-factor authentication.

Users should also turn on password reset protection which requires both your email and phone number before someone can attempt to reset an account's password.

For a final layer of protection, Bore recommends having a phone number that you only use for security, meaning you never give your number out to people to contact.