The cryptocurrency community faced a stark reminder on September 9, 2023, that no one is immune to social engineering attacks. Vitalik Buterin, the co-founder of Ethereum, had his X (formerly Twitter) account compromised by an unknown hacker who used the platform to distribute a malicious phishing link disguised as a commemorative NFT giveaway. Within hours, victims collectively lost over $691,000 in digital assets, including high-value CryptoPunk NFTs.
The Exploit Mechanics
The attacker gained unauthorized access to Buterin’s X account, which at the time boasted approximately 4.9 million followers. Rather than posting an obvious scam, the hacker crafted a seemingly legitimate tweet celebrating the arrival of Proto-Danksharding to the Ethereum network. The post announced that Consensys was issuing commemorative NFTs and included a malicious URL. When users clicked the link and connected their wallets to claim the supposed free NFTs, the attacker’s smart contract immediately drained all connected assets.
Blockchain investigator ZachXBT was among the first to publicly identify the attack. According to his analysis, the hacker moved quickly — within just one hour, approximately $147,000 had been siphoned. Ethereum developer Bok Khoo, known online as Bokky Poobah, suffered particularly heavy losses when several of his CryptoPunk NFTs were stolen. At the time, the floor price for a CryptoPunk stood at approximately 46.99 ETH, or roughly $76,837.
Affected Systems
The primary attack vector was a compromised social media account rather than a blockchain vulnerability. However, the downstream impact was entirely on-chain. Victims who connected their Ethereum wallets to the phishing site had their ERC-20 tokens, ETH, and NFTs transferred to attacker-controlled addresses. The attack exploited the trust that users place in verified, high-profile accounts — a form of authority-based social engineering.
Buterin himself suggested that the compromise may have involved a SIM-swap attack or an insider at a telecommunications provider. He publicly stated that he was unaware Twitter offered one-time password (OTP) authentication, having relied solely on standard two-factor authentication (2FA). ZachXBT noted that high-profile targets like Buterin are susceptible to insider attacks at mobile carriers or through SIM-swap panels, where attackers bribe employees to reassign phone numbers.
The Mitigation Strategy
In the aftermath, security researchers and the broader community emphasized several key mitigations. First, hardware security keys (such as YubiKey) provide far stronger protection than SMS-based 2FA, which remains vulnerable to SIM-swapping. Second, users should never connect wallets to links shared on social media, even from verified accounts — always navigate directly to known URLs. Third, enabling Twitter’s highest-tier security options, including OTP through an authenticator app or hardware key, significantly reduces the risk of account takeover.
For wallet protection specifically, the incident reinforced the principle of using separate wallets for different purposes. A wallet used for high-value holdings should never be the same one used to interact with unfamiliar smart contracts or NFT minting sites.
Lessons Learned
This incident highlights several critical lessons for the crypto community. Even the most technically sophisticated individuals can have their social media accounts compromised through carrier-level attacks. The trust placed in verified accounts creates an asymmetric risk — a single compromised account can reach millions of followers and cause cascading financial harm. The speed of the attack, with $147,000 stolen in the first hour alone, demonstrates that attackers are highly organized and prepared to exploit compromised accounts immediately.
User Action Required
If you connected your wallet to any link shared from Buterin’s account on September 9 or 10, 2023, immediately revoke all token approvals using a tool like Etherscan’s Token Approval Checker or Revoke.cash. Move any remaining assets to a fresh wallet with a new seed phrase. Enable hardware-key-based 2FA on all social media accounts. Consider using a dedicated device or browser profile for crypto-related social media activity to limit exposure to phishing attempts.
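The approval audit that the steps above delegate to Etherscan or Revoke.cash, as an added Python example that is not part of the article: it rebuilds a wallet's live ERC-20/ERC-721 approvals from Approval and ApprovalForAll event logs in the shape eth_getLogs returns, flags the grants a drainer contract depends on, and builds the approve(spender, 0) / setApprovalForAll(spender, false) calldata a revocation transaction carries. The wallet and contract addresses and the log entries are constructed; the event topic hashes and function selectors are the standard ERC-20/ERC-721 ones.

```python
# Added example, not from the article: rebuild a wallet's live ERC-20/ERC-721
# approvals from its event logs, flag risky grants and build revocation calldata.
APPROVAL = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # Approval(address,address,uint256)
APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"  # ApprovalForAll(address,address,bool)
MAX_UINT = 2**256 - 1
OWNER, DEX, DRAINER = ("0x" + b * 20 for b in ("11", "22", "33"))  # constructed addresses
TOKEN, PUNKS = ("0x" + b * 20 for b in ("44", "55"))                # constructed contracts

def word(value):
    """int or 0x-address -> 32-byte ABI word as hex without the 0x prefix."""
    return value[2:].lower().rjust(64, "0") if isinstance(value, str) else format(value, "064x")

# constructed eth_getLogs-style entries emitted for OWNER, oldest first
LOGS = [
    {"address": TOKEN, "topics": [APPROVAL, "0x" + word(OWNER), "0x" + word(DEX)], "data": "0x" + word(5 * 10**18)},
    {"address": TOKEN, "topics": [APPROVAL, "0x" + word(OWNER), "0x" + word(DRAINER)], "data": "0x" + word(MAX_UINT)},
    {"address": PUNKS, "topics": [APPROVAL_FOR_ALL, "0x" + word(OWNER), "0x" + word(DRAINER)], "data": "0x" + word(1)},
    {"address": TOKEN, "topics": [APPROVAL, "0x" + word(OWNER), "0x" + word(DEX)], "data": "0x" + word(MAX_UINT)},
]

def live_approvals(logs, owner):
    """Latest grant per (token, spender, is_operator); a zero/false grant clears the entry."""
    state = {}
    for log in logs:
        topics = log["topics"]
        # exactly 3 topics: ERC-721 per-token Approval shares this hash but carries 4
        if len(topics) != 3 or topics[0] not in (APPROVAL, APPROVAL_FOR_ALL):
            continue
        if "0x" + topics[1][-40:] != owner.lower():
            continue
        key = (log["address"], "0x" + topics[2][-40:], topics[0] == APPROVAL_FOR_ALL)
        value = int(log["data"], 16)
        if value:
            state[key] = value
        else:
            state.pop(key, None)
    return state

def risky(approvals, trusted):
    """What a drainer relies on: an unknown spender, or an unlimited/operator grant."""
    out = []
    for (token, spender, for_all), value in approvals.items():
        if spender not in trusted:
            out.append((token, spender, "untrusted spender"))
        elif for_all or value == MAX_UINT:
            out.append((token, spender, "unlimited grant"))
    return out

def revoke_calldata(spender, for_all):
    """approve(spender, 0) for ERC-20, setApprovalForAll(spender, false) for ERC-721."""
    return "0x" + ("a22cb465" if for_all else "095ea7b3") + word(spender) + word(0)
```

Each revocation is a separate transaction to the token or collection contract, so a wallet with many grants needs one call per (token, spender) pair.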
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before making security decisions.
vitalik getting hacked via social engineering is the ultimate reminder that opsec matters more than code audits. 691K gone from one tweet
ZachXBT traced it all within hours. That guy does more for crypto security than most audit firms combined.
^ literally this. zach is the only reason half these exploits even get public attention
zach traces wallets faster than most chain analysis firms. dude does it solo with coffee and a block explorer
The Proto-Danksharding angle was clever social engineering. Made the NFT claim feel legitimate. These are not amateur scammers anymore.
CryptoPunk NFTs drained through a fake airdrop link. If the co-founder of Ethereum can get compromised, regular users have zero excuse to skip hardware wallets.
hardware wallet wouldn't have helped the people who clicked the link. the drain happened through an approval exploit, not a seed phrase leak