Ethereum creator Vitalik Buterin appears to have fallen victim to a hacker on Twitter, who went on to steal $691,000 from users who followed a corrupted link posted to his feed.
The hack was first noticed on Saturday when a post appeared on Buterin’s account announcing the launch of a set of commemorative non-fungible tokens (NFTs) from software provider Consensys. This malicious link—which could have been shown to many of his 4.9 million followers—prompted victims to connect their wallets to mint the NFT, but in reality, connecting simply gave the hacker a way to make off with their funds.
On Crypto Twitter, users were quick to raise the alarm about the fake link, but the first apparent acknowledgment that Buterin was hacked came from his father, Dmitriy “Dima” Buterin.
The post has since been deleted, but the damage was done, as a number of victims reported losing access to funds from their wallets. Within the hour, the hacker appeared to make off with more than $147,000, but that quickly increased to $691,000, according to blockchain investigator @ZachXBT.
In the day since the hack was first reported, Buterin has not yet commented publicly on the incident; his most recent post is still a retweet of a Sept. 6 post. @ZachXBT reported that the hacker subsequently sent a stolen NFT to Buterin.
It is unknown just how many users were affected, but this latest incident adds to a growing list of hacks over social media that have netted millions in tokens.
After so many losses, there has been debate over how developers themselves should compensate victims for their losses. Twitter’s own security also came into question, including from Binance CEO Changpeng Zhao, who wrote that the platform’s account security “is not designed” well compared to traditional financial accounts.
“It needs quite a bit more features: 2FA, login ID should be different from handle or email, etc.,” wrote Zhao, referring to two-factor authentication. “In the past, I have had my Twitter account locked a few times due to hackers trying to brute-force it (trying different passwords repeatedly). This was before the ‘Elon era.’”
Two-factor authentication is a widely recommended defense in which users must present two separate pieces of evidence to verify their identity before accessing an account. It is supported by Twitter, but only for users who pay for Twitter Blue. Brute forcing is a tactic where hackers bombard an account with repeated login attempts, trying different passwords until one eventually succeeds.
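To make the two defenses mentioned above concrete, here is an added example that is not part of the original article and not code from Twitter or any of the people quoted. It shows, in a small self-contained login routine, why a second factor and a lockout counter blunt the password brute-forcing Zhao describes: the password alone never grants access, and repeated failures lock the account for a cooling-off period. The account name, password, secret and timestamps are all constructed for the demonstration; the one-time-code routine follows the standard TOTP construction (HMAC-SHA1 over a 30-second counter), and the RFC 6238 test vector is used to check it.

```python
import hashlib
import hmac
import os
import struct

# Constructed policy values: lock after this many consecutive failures, for this long.
LOCKOUT_THRESHOLD = 5
LOCKOUT_SECONDS = 900  # 15 minutes


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238, HMAC-SHA1 variant)."""
    counter = struct.pack(">Q", for_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class AccountStore:
    """Toy account database: hashed password, TOTP secret and a failure counter per handle."""

    def __init__(self):
        self.accounts = {}

    def add(self, handle: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.accounts[handle] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "totp_secret": totp_secret,
            "failures": 0,
            "locked_until": 0,
        }

    def _record_failure(self, acct: dict, now: int) -> str:
        acct["failures"] += 1
        if acct["failures"] >= LOCKOUT_THRESHOLD:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"

    def login(self, handle: str, password: str, code: str, now: int) -> str:
        """Returns 'ok', 'denied' or 'locked'. Unknown handles get the same 'denied' as a bad password."""
        acct = self.accounts.get(handle)
        if acct is None:
            return "denied"
        if now < acct["locked_until"]:
            return "locked"                           # still in the cooling-off window
        if acct["locked_until"]:
            acct["locked_until"] = 0                  # lockout expired: start counting afresh
            acct["failures"] = 0
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], 100_000)
        if not hmac.compare_digest(candidate, acct["pw_hash"]):
            return self._record_failure(acct, now)
        # First factor passed; a guessed password still fails here without the second factor.
        if not hmac.compare_digest(code, totp(acct["totp_secret"], now)):
            return self._record_failure(acct, now)
        acct["failures"] = 0
        return "ok"


def simulate_brute_force(store: AccountStore, handle: str, guesses: list, now: int) -> list:
    """Feed a list of password guesses (no second factor) and collect each outcome."""
    return [store.login(handle, guess, "000000", now) for guess in guesses]


if __name__ == "__main__":
    # Constructed demo account and clock.
    secret = b"constructed-demo-secret"
    store = AccountStore()
    store.add("demo_user", "correct horse battery staple", secret)
    now = 1_700_000_000
    print(simulate_brute_force(store, "demo_user", ["pw1", "pw2", "pw3", "pw4", "pw5", "pw6"], now))
    print(store.login("demo_user", "correct horse battery staple", totp(secret, now), now))
```

Run directly, the script shows the attacker's guesses being denied and then locked out, and that even the correct password is refused while the lockout is in force; once it expires, the password plus a valid one-time code succeeds.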