Bitcoin Forum

Economy => Exchanges => Topic started by: Rikafip on April 24, 2023, 05:38:54 AM



Title: Kucoin Twitter account hacked, $22k lost
Post by: Rikafip on April 24, 2023, 05:38:54 AM
As you can see from the screenshots below, Kucoin Twitter account giot hacked last night and attacked managed to get $22k from unsuspected Kucoin followers. Luckily they regained the control after ~45 minutes so loss is not too big, but its still an embarassment, especially since they allegedly had 2FA enabled as well.


https://i.postimg.cc/FHzbJdK8/Screenshot-2023-04-24-at-08-34-15-KUCOIN-on-Twitter.png
https://twitter.com/kucoincom/status/1650336619730436099?s=46&t=3zlK3OjWylVjTyH2vaBQHA


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: Oshosondy on April 24, 2023, 06:31:25 AM
It is a shame, we know how follows can be scammed if such account is hacked because their followers can believe what the hacker is tweeting and be lured.

But people should be very careful too, so people that have experience and know about this type of scam can easily be suspecting that the account as been hacked because the hackers can tweet that people should pay certain amount of money to receive double, or asking for what that can result to money loss from you which any Kucoin official will never ask.

It is a shame on Kucoin because the exchange failed to protect its official Twitter account, but also humans should have the experience to stop being greedy. As for me, I can not fall for this cheap scam, it is even not a new scam.


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: rat03gopoh on April 24, 2023, 11:03:59 AM
Kucoin had to make unnecessary expenses due to the negligence of social media managers. The return allocation is quite large if it is used for visibility for several days.

It is a shame on Kucoin because the exchange failed to protect its official Twitter account, but also humans should have the experience to stop being greedy. As for me, I can not fall for this cheap scam, it is even not a new scam.
It is unexpected for followers that they will be scammed, after all Twitter is a medium which is quite actively used for legitimate giveaways.


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: Accardo on April 24, 2023, 02:16:03 PM
Isn't it supposed to be an inside job, since they claim without any proofs that they had twitter 2fa enabled? Aside that, I don't think they had twitter 2FA enabled and they've just enabled it after the hack. Kucoin must have focused their security on the exchange and didn't bother much about their twitter account. Well according to this source  (https://www.bsc.news/post/kucoin-twitter-account-hacked-scammers-steal-22-628-usdt-and-some-eth)the scammers also received 4 ETH in this address 0xd1cd69FCC79fC46B4BBe1AAF2a05F1f014F53965 added to the 22k USDT


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: Rikafip on April 24, 2023, 08:27:53 PM
Isn't it supposed to be an inside job, since they claim without any proofs that they had twitter 2fa enabled?
If it was an inside job, then it was a pretty bad one. 22k is nothing compoared to some bigger hacks and somehow I doubt that someone from Kucoin would risk so much for so little. By the way, how exactly could they prove that they had 2FA enabled? You either belive what they claim, or not.


Aside that, I don't think they had twitter 2FA enabled and they've just enabled it after the hack. Kucoin must have focused their security on the exchange and didn't bother much about their twitter account.
Contrary to popular belief 2FA is not impenetrable, especially if they used mobile phone number.


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: carlfebz2 on April 24, 2023, 08:34:37 PM
As you can see from the screenshots below, Kucoin Twitter account giot hacked last night and attacked managed to get $22k from unsuspected Kucoin followers. Luckily they regained the control after ~45 minutes so loss is not too big, but its still an embarassment, especially since they allegedly had 2FA enabled as well.


Anything on this online world could really be hacked and this is why any tweets and words came from known platforms or person
wont really be that 100% that you could trust up but in just on some personal opinion about on how common sense does work on each individual then it would
really be that impossible that you couldnt spot out that there's something wrong.

Isn't it supposed to be an inside job, since they claim without any proofs that they had twitter 2fa enabled? Aside that, I don't think they had twitter 2FA enabled and they've just enabled it after the hack. Kucoin must have focused their security on the exchange and didn't bother much about their twitter account. Well according to this source  (https://www.bsc.news/post/kucoin-twitter-account-hacked-scammers-steal-22-628-usdt-and-some-eth)the scammers also received 4 ETH in this address 0xd1cd69FCC79fC46B4BBe1AAF2a05F1f014F53965 added to the 22k USDT
I have this kind of thought too which this might be an inside job or possibly considering that Twitter account cant be possibly be that hacked so easily unless twitters security measures are shit
but thats not the case because there's no way that it could be bruteforced out and of course they wouldnt really be that careless unless if theres some inside job
who do knows but its mind boggling that it didnt last that long.  :D


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: PX-Z on April 24, 2023, 11:29:19 PM
What a shame, but still kudos reimbursing the users affected. I don't know how their handle was hacked, isn't 2fa is forcedrequired to every verified handle in twitter? How is it possible though to breach 2fa?

Contrary to popular belief 2FA is not impenetrable, especially if they used mobile phone number.
I guess sms 2fa is not available on twitter, i remember elon doesn't like 2fa and keep tweeting it previously.


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: yhiaali3 on April 25, 2023, 01:48:40 AM
Hacks always happen, the good thing this time is that the losses are not very big because the account was restored after a short period, also that Kucoin will compensate the affected users.

Hacking the account with 2FA enabled is not impossible, but it also indicates the possibility that the perpetrator is one of Kucoin's employees, but there is no evidence of such a possibility.

The important thing from this lesson is that users learn not to trust suspicious statements, even if they are from the official account, because it may be hacked in such a case.


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: Potato Chips on April 25, 2023, 02:44:08 AM
I don't know how their handle was hacked, isn't 2fa is forcedrequired to every verified handle in twitter? How is it possible though to breach 2fa?

Assuming it's not an inside job and the 2fa is not SMS, simplest way would be to launch a phishing attack to one of their twitter handlers. Even the strong password + TOTP combo would be rendered useless once an employee bites.

It's also possible the perps may just be mass sending phishing emails and SMS to leaked phone numbers/email and one of them happened to have access to kucoin's twitter account :D


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: Rikafip on April 25, 2023, 07:20:22 AM
I guess sms 2fa is not available on twitter, i remember elon doesn't like 2fa and keep tweeting it previously.
As a matter of fact, 2FA via SMS is available on Twitter (they have two more: authentication app and security key) and since SMS one is easiest to hack, my guess is that attacker did exactly that. We can only guess though since I doubt Kucoin will release more info on how exactly they lost control over their Twitter account.


The important thing from this lesson is that users learn not to trust suspicious statements, even if they are from the official account, because it may be hacked in such a case.
To be honest, I am surprised that more people didn't fall for this scam attempt and that only $22k was lost. Rest assured, people didn't learn much (if anything) from this and if it happens again people will lose more money.


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: Smack That Ace on April 25, 2023, 09:39:24 AM


Hacking the account with 2FA enabled is not impossible, but it also indicates the possibility that the perpetrator is one of Kucoin's employees, but there is no evidence of such a possibility.



I'm no tech expert, but hacking 2FA isn't easy. I am also very confused with this, even 2FA is easily broken, do we have a more secure solution for our accounts? I read this today, and I also suspect that the Kucoin staff did this and did not get hacked.
If hackers can attack 2FA-enabled accounts, why don't they choose Binance, Coinbase... the bigger exchanges, and even Elon's account. They only target smaller accounts, which makes me more suspicious this is done by company employees than hackers.


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: yhiaali3 on April 25, 2023, 10:23:08 AM
I'm no tech expert, but hacking 2FA isn't easy. I am also very confused with this, even 2FA is easily broken, do we have a more secure solution for our accounts? I read this today, and I also suspect that the Kucoin staff did this and did not get hacked.
If hackers can attack 2FA-enabled accounts, why don't they choose Binance, Coinbase... the bigger exchanges, and even Elon's account. They only target smaller accounts, which makes me more suspicious this is done by company employees than hackers.
Hacking 2FA is hard but not impossible, but this varies depending on the conditions Service, some of them have a strict policy in this regard, but others unfortunately suffice with an email or SMS for the linked account.

Unfortunately for Twitter, after the Elon Musk takeover, there is a huge flaw in two-factor authentication because Elon Musk announced plans to prevent people from using SMS-based two-factor authentication to secure their accounts — unless they start paying for a Twitter Blue subscription.
Quote
Elon Musk's latest Twitter ownership bizarre move compromises the security of millions of accounts. On February 17, Twitter announced plans to block people from using SMS-based two-factor authentication to secure their accounts — unless they start paying for a Twitter Blue subscription. However, there are safer, free, and easier ways to continue protecting your Twitter account with two-factor authentication.
The full article can be read here:
How to Protect Yourself From Twitter’s 2FA Crackdown
https://www.wired.com/story/twitter-2fa-sms-alternatives-twitter-blue/


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: Rikafip on April 25, 2023, 11:07:19 AM
I'm no tech expert, but hacking 2FA isn't easy. I am also very confused with this, even 2FA is easily broken, do we have a more secure solution for our accounts?
2FA is good enough as long as you don't use SMS option.


If hackers can attack 2FA-enabled accounts, why don't they choose Binance, Coinbase... the bigger exchanges, and even Elon's account. They only target smaller accounts, which makes me more suspicious this is done by company employees than hackers.
And who says that they are not trying? Its one thing to try to hack 2FA and entirely different thing to actually succeed in it, and bigger the account (presumably) better the protection. Btw, Kucoin Twitter account is far from small.


Unfortunately for Twitter, after the Elon Musk takeover, there is a huge flaw in two-factor authentication because Elon Musk announced plans to prevent people from using SMS-based two-factor authentication to secure their accounts — unless they start paying for a Twitter Blue subscription.
Its a douchebag move for sure, but Elon is inadvertently doing them a favor by making them move from SMS based one since its the least secure form of 2FA.



Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: TopTort777 on April 25, 2023, 12:10:52 PM
So how exactly people have lost those 22k? With famous "Elon Musk donation" scam, that was and still popular in YouTube? It is unbelievable how people still got caught for that. Of course that is due to greed, but KuCoin and Twitter are also responsible for letting that happen.

Since people pay more than a thousand bucks per month for that golden twitter mark (https://www.reuters.com/business/media-telecom/new-york-times-says-it-wont-pay-twitter-verified-check-marks-2023-04-02/), I believe that twitter should take park of responsibility for such lame security options. Otherwise Twitter service does not look to worth so much to be paid.


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: Dr.Bitcoin_Strange on April 25, 2023, 05:50:42 PM
At least it's good that they gain access back on time; the $22k loss is huge too, but it would have been worse had it extend to $$ billion, which may have even resulted in their exchange collapse. Mostly, these reasons are why Bitcoiners are advised not to keep their assets on CEX unless active traders, like future traders.

2FA is good enough as long as you don't use SMS option

So practically, Google 2FA is the best? or one can even enable the three types of 2FA if possible, such as SMS, email, and Google 2FA?


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: tabas on April 25, 2023, 06:16:39 PM
This made me remember the hack that has also affected a lot of Twitter users that have followed the advice of those known personalities to deposit into certain address and that was made by just a young one. Although for some standards, 45 minutes of getting back the account was still a nice gesture and refunding all of those verified funds that has been sent by the victims is the best that they can. These hackers may soon not gonna target users directly but these huge accounts from official exchanges or personalities which is gonna make everyone gullible since they're known.

2FA is good enough as long as you don't use SMS option
So practically, Google 2FA is the best? or one can even enable the three types of 2FA if possible, such as SMS, email, and Google 2FA?
Others are using Authy and yes, through SMS and email can easily be accessed by hackers once your data has been breached. There's this known sim-swap attack that does the thing.


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: dkbit98 on April 25, 2023, 08:54:34 PM
As you can see from the screenshots below, Kucoin Twitter account giot hacked last night and attacked managed to get $22k from unsuspected Kucoin followers. Luckily they regained the control after ~45 minutes so loss is not too big, but its still an embarassment, especially since they allegedly had 2FA enabled as well.
Well they have ''blue checkmark'' sign of ''trust'' and because of that brainwashed people are going to send money to scammers without thinking, because thinking is luxury and it's hard  :P
It was stupid mistake by Kucoin admins, but I wouldn't say 22k is small amount for 45 minutes of control, imagine the damage they would do if they had 24 hours or more control...


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: Potato Chips on April 25, 2023, 11:57:18 PM
So practically, Google 2FA is the best? or one can even enable the three types of 2FA if possible, such as SMS, email, and Google 2FA?

Compared to SMS and email, TOTP/auth app is way better however, I suggest Aegis rather than Google Auth. It offers encryption, easier import/export function and less likely to be neglected by devs, see: https://getaegis.app/

Looks like you can enable more than one 2fa but I suggest not connecting any phone number in your account since it could be used to reset your password. It wouldn't be advisable to be careless about our passwords just because we have 2fa. I also suggest using an email provider where you can pair your account with TOTP.


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: Rikafip on April 26, 2023, 07:26:32 AM
Well they have ''blue checkmark'' sign of ''trust'' and because of that brainwashed people are going to send money to scammers without thinking, because thinking is luxury and it's hard  :P
To be more precise, Kucoin twitter account has that golden/yellow mark that is reserved for businesses, but even without that mark people would still send the money as its posted from the official Kucoin account. But yeah, thinking is hard.  ::)


It was stupid mistake by Kucoin admins, but I wouldn't say 22k is small amount for 45 minutes of control, imagine the damage they would do if they had 24 hours or more control...
Dunno, considering how big and popular Kucoin is I think that they should be lucky that only 22k was lost. They said that they will reimburse the loss so lets hope they actually do that.


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: joniboini on April 26, 2023, 12:46:25 PM
So how exactly people have lost those 22k? With famous "Elon Musk donation" scam, that was and still popular in YouTube? It is unbelievable how people still got caught for that. Of course that is due to greed, but KuCoin and Twitter are also responsible for letting that happen.
According to some news, when the hacker was in control of the Kucoin account they tweeted some phishing websites. So it is safe to assume some users assume it was a legit one, connect their hot wallet to it, and then they lost their funds. I can't verify it myself, but there have been many similar phishing scams in the past, so it is not unlikely. People should've learned by now to never connect their account/wallet to some shady website even if it was posted by a famous account.


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: Accardo on April 28, 2023, 05:45:59 PM
Isn't it supposed to be an inside job, since they claim without any proofs that they had twitter 2fa enabled?
If it was an inside job, then it was a pretty bad one. 22k is nothing compoared to some bigger hacks and somehow I doubt that someone from Kucoin would risk so much for so little. By the way, how exactly could they prove that they had 2FA enabled? You either belive what they claim, or not.


Inside job in such scam as this one, isn't one sided, it could also be from the twitter side. I could remember when the likes of Barack Obama's twitter account was hijacked and used for a similar scam, the hackers, teenage boys, when apprehended said that they tricked, through spearphishing, an insider on twitter who helped them execute the task and bypassed them to tweet with accounts owned by top celebrities. A scam, however severely, is simply bad. Hence, the stolen amount shouldn't be considered as the only reason why their twitter account was hijacked. They could be some information that the hacker needed to get on the Kucoin twitter page, exaggerating, then dropped the tweet. And I don't think they were right about how long the account was on the hacker's custody, as they judged from the moment the tweet was made to the time they were aware of what's happening.


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: Husires on April 29, 2023, 02:05:23 AM
Do any of you have any snapshots of the nature of the scam that happened? Are they links to access your account, double money scam, free gift trick or what? In just 45 minutes, and through tweets, a scammer can collect more than 20k USD, which is not a small amount, and it is additional evidence that many cryptocurrency users need more awareness and investment in learning than losing their money in such ways.

I wish their cold/hot storage is managed by a more professional team.


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: Rikafip on April 29, 2023, 06:45:31 AM
Do any of you have any snapshots of the nature of the scam that happened? Are they links to access your account, double money scam, free gift trick or what?
It was a pretty basic scam attempt in which attacker shared fake Kucoin website and promised free money. People fall for these type of scams even without announcement coming from the exchange's official Twitter account so I am actually surprised that more people didn't lose money.

https://i.postimg.cc/bvkqnw8S/Kucoin-twitter-hacked.png
https://twitter.com/NFTherder/status/1650272867785777153



Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: eaLiTy on April 29, 2023, 07:40:03 PM
What a shame, but still kudos reimbursing the users affected. I don't know how their handle was hacked, isn't 2fa is forcedrequired to every verified handle in twitter? How is it possible though to breach 2fa?
It is surprising that Kucoin is reimbursing users that lost money because of the hack in Twitter as majority might have sent money thinking that they are doubling the amount, the usual scam that takes place in this space Posted a phishing link in their Twitter handle and thereby lost money and hence they are doing the right thing by reimbursing the users.

The verification process in Twitter changed after Elon Musk took over as anyone paying $8 can get verified, so i doubt there will be mandatory 2 FA.

It is surprising that Kucoin is reimbursing users that lost money because of the hack in Twitter
I don't think that its surprising at all since their account got hacked due their own mistake and no one else's. Imho, its the least that they could so.
I retracted my statement because it was a phishing link, when i initially posted them i thought it was a doubling scam and they are doing the right thing.

Fact remains that, it is not safe to click on any random link when you log into exchange even through their official social media handle. Users need to be responsible when financial assets are at stake to avoid these mishaps.


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: ololajulo on April 29, 2023, 08:10:19 PM
What a shame, but still kudos reimbursing the users affected. I don't know how their handle was hacked, isn't 2fa is forcedrequired to every verified handle in twitter? How is it possible though to breach 2fa?

Contrary to popular belief 2FA is not impenetrable, especially if they used mobile phone number.
I guess sms 2fa is not available on twitter, i remember elon doesn't like 2fa and keep tweeting it previously.
My apologies but how did the kucoin twitter account hack allow access to the exchange fund? Does this make a difference to everyone who has a Twitter account and cryptocurrency?


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: Rikafip on April 29, 2023, 08:15:13 PM
It is surprising that Kucoin is reimbursing users that lost money because of the hack in Twitter
I don't think that its surprising at all since their account got hacked due their own mistake and no one else's. Imho, its the least that they could so.


My apologies but how did the kucoin twitter account hack allow access to the exchange fund? Does this make a difference to everyone who has a Twitter account and cryptocurrency?
Its not the exchange that got hacked, but Kucoin Twitter account that attacker then used to share phishing link.


Title: Re: Kucoin Twitter account hacked, $22k lost
Post by: PX-Z on April 29, 2023, 10:19:24 PM
My apologies but how did the kucoin twitter account hack allow access to the exchange fund? Does this make a difference to everyone who has a Twitter account and cryptocurrency?
Its not the exchange that got hacked, but Kucoin Twitter account that attacker then used to share phishing link.
To be precise, kucoin twitter was hacked and tweet a fake giveaway scam that leads by accessing the phishing site and got scammed. So no exchange was hacked particularly.

It doesn't mention how the scam happened particularly if its the users send the funds particularly from their kucoin accounts or the scammers/hackers login to their users' account and withdraws their assets. If its the latter, kucoin should implement another security that it disabled from withdrawing in 24 hours after logging in a new device, or needs a sms, email and 2fa verification for withdrawals using a new logged in device.