New Trends in Hacker Phishing from the Bitget Case: Identification of High-Fidelity Accounts and Security Protection Guide
Author: Bitget
In recent months, an increasing number of cryptocurrency projects, practitioners, as well as social media accounts of politicians and celebrities have been hacked, subsequently posting scam information. Recently, some Bitget employees experienced similar phishing attacks. After recovering their accounts, we gradually unraveled the situation and discovered that hackers' new attack methods are continuously evolving, becoming highly deceptive and covert. Therefore, we have prepared this article to contribute to the security protection of the entire industry.
Bitget Employees Encounter Phishing Attacks
In mid-May, a Bitget employee responsible for business development received a Twitter direct message from a partner, inviting him to discuss a potential collaboration. The two quickly agreed on a meeting time and held the meeting. During the meeting, the other party sent some installation files under the guise of "function testing," inviting the Bitget employee to try them out.
In the following days, the employee received inquiries from friends and industry partners—"Did you send me a strange Twitter direct message?" Realizing something was wrong, he quickly took action with the Bitget security team and recovered his account through linked email and other information.
Hacker Attacks and Profit Methods Targeting Cryptocurrency Twitter Accounts
In the subsequent security investigation, we gradually pieced together the detailed hacker attack methods and how they profit from them:
Step 1: Hackers send direct messages to the "victim" from social media accounts they have already compromised, guiding them to contact a specific Telegram account for further collaboration discussions
❗ Security Reminder:
- These direct messages may not necessarily come from suspicious accounts; they could even come from verified official accounts, but the scam messages are not sent by the official team.
- At this point, the hackers have quietly gained access to these official accounts and are guiding the victims to Telegram for the next step of the scam.
- Hackers usually delete the direct messages immediately after sending them, so even if they may have sent hundreds of messages, the account owner remains unaware.
Step 2: After the victim contacts the hacker's Telegram, the other party will suggest an online meeting and invite them to download and install specific documents during the meeting
❗ Security Reminder:
- The hacker's Telegram account usually impersonates a real employee, and the details used for the disguise may be taken from platforms like LinkedIn; the account ID may closely resemble that of a real employee, for example by swapping I (uppercase i) and l (lowercase L).
- Hackers embed malicious code in the installation files, tricking victims into installing them, thereby gaining access to their computers and further stealing social media accounts, and even cryptocurrency or fiat assets.
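As an added illustration of the lookalike-ID point above, the following script (example code written for this article, not Bitget's own tooling) compares an incoming Telegram or Twitter handle against a list of contacts you have already verified through another channel, collapsing visually confusable characters before comparing so that an I-for-l swap is reported as a lookalike rather than an unknown account. The contact handles, the confusable-character table and the similarity threshold are all constructed assumptions, not real accounts or a standard list.

```python
# Added example, not Bitget's code: flag chat handles that merely look like a
# contact you have already verified, using a confusable-character "skeleton".
from __future__ import annotations

from difflib import SequenceMatcher

# Characters that render alike in many chat fonts, mapped to one canonical form.
# Constructed, deliberately small table (I/l/1/| and O/0 cover the case in the article).
CONFUSABLES = {
    "l": "1", "i": "1", "|": "1",   # uppercase I is covered by lowercasing first
    "o": "0",
    "s": "5",
}

# Minimum similarity (0..1) at which a non-identical skeleton is still reported
# as a lookalike. Assumed value; tune against your own contact list.
LOOKALIKE_RATIO = 0.9


def normalize(handle: str) -> str:
    """Lowercase and strip the leading '@' so 'Bitget_Alice' and '@bitget_alice' compare equal."""
    return handle.strip().lstrip("@").lower()


def skeleton(handle: str) -> str:
    """Collapse visually confusable characters so lookalikes map to the same string."""
    h = normalize(handle)
    # Two-character confusables first: 'rn' reads as 'm', 'vv' as 'w' in narrow fonts.
    h = h.replace("rn", "m").replace("vv", "w")
    return "".join(CONFUSABLES.get(c, c) for c in h)


def check_handle(candidate: str, trusted: list[str]) -> tuple[str, str | None]:
    """Classify an incoming handle against verified contacts.

    Returns ("trusted", contact)   when the handle is exactly a verified contact,
            ("lookalike", contact) when it only resembles one (a likely impersonation),
            ("unknown", None)      when it resembles nothing on the list.
    """
    cand = normalize(candidate)
    for contact in trusted:
        if normalize(contact) == cand:
            return ("trusted", contact)
    cand_sk = skeleton(candidate)
    for contact in trusted:
        if skeleton(contact) == cand_sk:
            return ("lookalike", contact)
    for contact in trusted:
        ratio = SequenceMatcher(None, cand_sk, skeleton(contact)).ratio()
        if ratio >= LOOKALIKE_RATIO:
            return ("lookalike", contact)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample contact list and incoming handles; none are real accounts.
    verified = ["@Bitget_Alice", "@bitget_listing"]
    for incoming in ["@bitget_alice", "@Bitget_AIice", "@bitget_a1ice",
                     "@bitget_alicee", "@random_user"]:
        verdict, match = check_handle(incoming, verified)
        print(f"{incoming:16} -> {verdict:9} {match or ''}")
```

A "lookalike" verdict is the signal to stop and re-verify the contact out of band (for instance by calling the person on a number you already have) before continuing the conversation; an "unknown" verdict means the handle matches no one you have vetted and deserves the same caution as any cold approach.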
Step 3: After gaining access to the victim's device, hackers will first attempt to directly steal assets. Subsequently, they will use the victim's Twitter and Telegram accounts to identify new victims and send Twitter direct messages from that account, guiding them to contact the hacker-controlled Telegram account for further scams
❗ Security Reminder:
- As previously mentioned, hackers delete the direct messages immediately after sending them, making it difficult for the account owner to notice that their account has been compromised.
- This also explains why scam messages may come from verified official accounts, yet these accounts have not taken any action—because they are still in the dark.
Step 4: Once a new victim establishes contact with the hacker on Telegram, the hacker will choose an appropriate scam method based on their disguised identity
❗ Security Reminder:
- If the hacker impersonates an exchange employee, they will usually lure the victim into transferring funds under the pretext of a coin listing collaboration.
- If the hacker impersonates a project team member, they will typically entice the victim to transfer funds under the guise of participating in early investments.
- If the hacker impersonates an investment institution employee, they will usually deceive the victim into transferring funds under the pretext of investment collaboration.
- If their disguised identity cannot directly profit from money, they will use this as a stepping stone to lure others in their network to install Trojan programs, thereby gaining access to their accounts and becoming new tools for the hacker's scams.
Summary
The hacker attacks and profit methods mentioned in this article share similarities with past incidents, as hackers still need to implant Trojans (install specific files) to gain control over the victim's device. However, the difference lies in the numerous optimizations hackers have made in their methods:
- By sending direct messages to victims from verified Twitter accounts they already control, they can significantly increase credibility and improve the success rate of scams.
- Deleting direct messages immediately after sending them prevents the account owner from noticing any anomalies, allowing the hacker to remain dormant in the account for a long time. In previous cases, hackers would post scam tweets immediately after gaining access to an account, quickly harvesting victims, but that method also alerted the account owner and the public and raised awareness.
- The Telegram accounts used by hackers for further communication with victims are also carefully disguised, often using IDs that closely resemble those of official personnel.
How to Identify and Prevent Similar Phishing Attacks
- Be cautious of various invitations, even if they come from "official" accounts. When receiving an invitation, confirm the identity of the inviter through other channels. If it’s a "familiar person," check previous chat records before starting a conversation.
- Do not randomly download and open files sent to you during the meeting. If you need to install meeting clients like Teams or Zoom, please download them from the official websites; this is very important.
- During communication, only grant permissions for video and audio. Do not give Zoom or Teams any other permissions to prevent hackers from remotely controlling your computer.
- Do not leave your computer for any reason during the conversation. If absolutely necessary, find someone else to watch the screen with you, as hackers may take advantage of your absence to operate your computer.
- Do not back up recovery phrases on your computer or phone, and enable MFA (multi-factor authentication) wherever possible.
- For mobile devices involving funds, use an iPhone updated to the latest version, enable Lockdown Mode, use it as little as possible for external communication, and keep it separate from the computers or phones used for work and social media.
Account Hacked? How to Respond Quickly and Minimize Losses
Even with tight security, it is still possible to "fall victim." Once you discover that your account has been hacked, your response speed will determine the extent of the loss.
- Turn off your computer, disconnect from the internet, and promptly cut off the hacker's access to your computer.
- Conduct a security check on your funds (such as wallet authorizations); attackers may have accessed your local wallet (like browser plugins, private key storage), so you should immediately transfer assets to a new wallet (it is recommended to regenerate the private key and not use the same recovery phrase).
- Immediately recover your account on other devices/emails. While the account is still logged in, use the linked email or phone number to log in and reset the password, and immediately log out of all other devices. Once you recover the account, promptly revoke all third-party login authorizations to prevent hackers from continuing to control the account.
- Inform and warn those around you. Remind others not to trust recent direct messages, and mark suspicious accounts to inform more people and avoid a chain of victims.