The Friend.Tech code itself was not exploited, and no users are at immediate risk. The application lets holders buy "shares" of people who hold an account on X, which grants buyers certain privileges.
The attacks have since continued and worsened: in the past 24 hours, three influential accounts on social app X, formerly Twitter, claimed they had been exploited, with the attacker making off with ether held by those accounts.
SIM swap attacks are a common occurrence. They happen when criminals take control of a victim's mobile phone number by tricking the service provider into connecting that number to a SIM card in the attacker's possession. The swapped number can then be used to receive the victim's calls and text messages, including one-time codes, for fraudulent activity.
“Been trying to debug and tried every possible email I could've used, cannot recover the account anyhow,” X user @SalsaTekila said. “Lost all the ETH there, then on top people trading my worthless keys. Support doesn't help, regurgitates the same automated response.”
Security experts speak
Social application Friend.Tech has become one of the most popular crypto platforms this year, despite the bear market, generating steady revenues and profits for its creators. The application amassed over 100,000 users in under two weeks after going live.
However, security risks remain a large cause of concern for any crypto platform. Attackers may employ techniques ranging from smart contract manipulation and flash loan attacks to traditional methods, such as SIM swaps, that target wealthy users directly.
World Mobile Group, a mobile industry-focused crypto project, told CoinDesk in a message that while such SIM swap-based risks remain, there is a small window in which a potential exploit can be mitigated.
"When a hacker attempts a SIM swap, defending against it can be straightforward: initiate full re-authentication, encompassing both email and ID, as though it were a new account setup," shared Micky Watkins, founder of World Mobile Group, in a message to CoinDesk. "A challenge arises when a number port is involved. An attacker could visit a mobile store, impersonate the account holder using a business card, and then request to port in their mobile number."
"The porting process has a tight window, and during this period, the genuine user might miss crucial warning signs. Once the attacker successfully ports the number, they can intercept two-factor mobile-based authentications. Hence, a robust defence mechanism involves using dual (both) authentication methods: email and phone number for any new device, or better yet, implementing two-factor APP-based authentication," Watkins added.
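The policy Watkins describes, treating SMS codes as insufficient on an unrecognised device and preferring an authenticator app, can be expressed as a small login decision routine. The code below is an added example written for this article; it is not CoinDesk's, Friend.Tech's or World Mobile Group's code. It assumes a hypothetical account record with a set of known device identifiers, an authenticator-app (RFC 6238 TOTP) secret, and a `phone_recently_changed` flag that an operator sets from a carrier SIM-change or port-in signal; the secret and timestamps used in the demo are constructed values (the RFC 6238 test vector).

```python
"""Step-up authentication for new devices (constructed example).

Assumptions, not from the article: an Account record holds the user's
known device ids, a TOTP secret for an authenticator app, and a flag set
when the carrier reports that the phone number was recently swapped or
ported. SMS never counts while that flag is set, and never counts on its
own for an unrecognised device.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional, Set

STEP_SECONDS = 30


def totp_code(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus or minus `window` steps of clock drift."""
    return any(
        hmac.compare_digest(totp_code(secret, unix_time + drift * STEP_SECONDS), code)
        for drift in range(-window, window + 1)
    )


@dataclass
class Account:
    user: str
    totp_secret: bytes
    known_devices: Set[str] = field(default_factory=set)
    # Hypothetical operator flag fed by a carrier SIM-change / port-in signal.
    phone_recently_changed: bool = False


@dataclass
class LoginAttempt:
    device_id: str
    sms_code_ok: bool = False            # SMS one-time code matched
    email_link_ok: bool = False          # emailed confirmation link was clicked
    totp_code: Optional[str] = None      # code typed from the authenticator app
    unix_time: int = 0


def decide(account: Account, attempt: LoginAttempt) -> str:
    """Return 'allow', 'step_up' (more proof needed) or 'deny'."""
    # App-based TOTP is unaffected by a SIM swap, so it is accepted on any
    # device; a wrong app code is treated as a failed login, not a prompt.
    if attempt.totp_code is not None:
        ok = verify_totp(account.totp_secret, attempt.totp_code, attempt.unix_time)
        return "allow" if ok else "deny"

    # A freshly swapped or ported number may already be in an attacker's
    # hands, so SMS carries no weight until the account is fully re-verified.
    sms_ok = attempt.sms_code_ok and not account.phone_recently_changed

    if attempt.device_id in account.known_devices:
        return "allow" if sms_ok else "step_up"

    # Unrecognised device: require BOTH email confirmation and the phone
    # factor, as the quoted advice recommends for any new device.
    if sms_ok and attempt.email_link_ok:
        return "allow"
    return "step_up"


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test secret, time 59 -> 6-digit code 287082.
    acct = Account("alice", b"12345678901234567890", {"laptop"})
    print(decide(acct, LoginAttempt("laptop", sms_code_ok=True)))          # allow
    print(decide(acct, LoginAttempt("new-phone", sms_code_ok=True)))       # step_up
    print(decide(acct, LoginAttempt("new-phone", totp_code="287082", unix_time=59)))  # allow
    acct.phone_recently_changed = True
    print(decide(acct, LoginAttempt("laptop", sms_code_ok=True)))          # step_up
```

The `phone_recently_changed` signal is the part a service can act on inside the "tight window" mentioned above: when a carrier reports a SIM change or port, the account falls back to full re-verification even from a familiar device, while an authenticator app keeps working because it never depended on the phone number.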
CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk offers all employees above a certain salary threshold, including journalists, stock options in Bullish Group as part of their compensation.