Some users of Friend.tech, a decentralized social network that lets people buy and sell “keys” linked to their X accounts, reported being exploited in a SIM swap attack on Tuesday.
A SIM swap attack occurs when a scammer tricks a phone carrier into switching another user’s mobile number to a SIM in his or her possession. Once the scammer has gained control over the user’s mobile number, they can change the passwords to all of the victim’s accounts that require two-factor authentication.
Got sim swapped. Apparently dude was able to do it from an apple store and switched it to an iphone SE. Don't buy my keys, that wallet is compromised.@friendtech
— sumfattytuna 🤠 (@sumfattytuna) October 4, 2023
I was just SIM swapped and robbed of 22 ETH via @friendtech
The 34 of my own keys that I owned were sold, rugging anyone who held my key, all the other keys I owned were sold, and the rest of the ETH in my wallet was drained.
If your Twitter account is doxxed to your real… pic.twitter.com/5wA86mjYEG
— daren (@darengb) October 3, 2023
A number of users targeted by the SIM-swap attacker reported having their ETH stolen from their accounts on the Friend.tech platform.
“If your Twitter account is doxxed to your real name, your phone number can be found, and this could happen to you,” wrote X user “@darengb.”
“I opened FriendTech and thought there was a bug because my Chat was empty, I tried looking at Octav and then saw someone else’s tweet about SIM swapping on FT [Friend.tech] and that’s when I realized what had happened.”
Reports of funds being drained on Friend.tech started as early as last week, but the attacker doesn’t seem to be close to stopping. The scammer has netted over 234 ETH, worth around $385,000, from four different Friend.tech users over a 24-hour period, according to blockchain transaction data traced by on-chain sleuth ZachXBT.
The same scammer profited $385K (234 ETH) in the past 24 hours off SIM swapping four different FriendTech users. pic.twitter.com/03BoBEqGax
— ZachXBT (@zachxbt) October 4, 2023
ZachXBT has previously warned of SIM swap attacks that have targeted people in the crypto space, with a reported $13.3 million having been stolen through 54 SIM swaps. Included in the list of SIM Swap victims were the Aptos Network, PleasrDAO and Metis DAO.
It is worth noting that Friend.tech itself is not at risk, nor has the code on its platform been exploited by hackers. Although SMS two-factor authentication is widely regarded as an added safety measure, in this case, it seems that it was the downfall of users who added that as a security option.
“When an account is compromised, scammers attempt to create a sense of urgency with a fake claim to drain your assets. Never use SMS 2FA and instead use an authenticator app or security key to secure accounts,” said ZachXBT in an August X post.