
SIM Swap Attacks Target Crypto Projects as Social Engineering Emerges as Top Security Threat

The cryptocurrency industry is witnessing a fundamental shift in attack vectors during September 2023, as social engineering and SIM swap attacks increasingly replace direct protocol exploits as the primary method used by malicious actors. The September 7 compromise of Ordinals Wallet’s Twitter account through a SIM swap, attributed to the PinkDrainer phishing gang, represents just one example of a growing trend that threatens both projects and individual holders alike.

The Threat Landscape

During the first week of September 2023, the crypto ecosystem experienced at least 10 distinct security incidents resulting in approximately $42.5 million in combined losses. While the $41 million Stake.com hack dominated headlines, a quieter but equally concerning pattern emerged: the systematic targeting of project communication channels through social engineering.

The Ordinals Wallet incident on September 7 saw attackers execute a SIM swap — convincing a mobile carrier to transfer the victim’s phone number to a new SIM card — which then allowed them to bypass SMS-based two-factor authentication and seize control of the project’s Twitter account. The attackers posted links to a phishing site at ordinalswallet[.]to, designed to drain wallets of anyone who clicked through.

This attack was followed on September 9 by the PEPE token’s confirmation that its Telegram account had been hijacked, and on September 10 by the hacking of Ethereum co-founder Vitalik Buterin’s personal Twitter account. According to blockchain investigator ZachXBT, the Vitalik Buterin hack resulted in over $650,000 in stolen assets within just a few hours. The cumulative impact of these social engineering attacks — while individually smaller than protocol-level hacks — represents a pervasive threat to user trust and platform integrity.

With Bitcoin hovering around $25,896 and Ethereum at $1,635, the market’s relatively flat performance may be contributing to user vulnerability, as investors seeking returns may be more susceptible to clicking on fraudulent links promising exclusive opportunities.

Core Principles

Defending against SIM swap and social engineering attacks requires understanding several core security principles. The fundamental issue is that most crypto users and even project teams rely on phone-based authentication as a primary or secondary security layer. When an attacker can social-engineer a mobile carrier employee into transferring a phone number, they effectively bypass every account protected by SMS-based two-factor authentication.

The defense hierarchy should be built on three pillars: eliminating single points of failure, implementing hardware-based authentication, and maintaining operational security around personal information. SIM swap attacks succeed because attackers can gather enough personal information — often from public social media profiles, data breaches, or social engineering calls to carriers — to convince a carrier employee that they are the legitimate account holder.

For crypto projects specifically, the principle of defense in depth means that no single compromised account should be able to cause significant harm. Twitter accounts, Telegram channels, Discord servers, and websites should each have independent authentication mechanisms, and the ability to post links or make announcements should require multi-person approval.

Tooling and Setup

Implementing robust protection against social engineering attacks requires specific tools and configurations. For individual users, the most critical step is migrating away from SMS-based two-factor authentication entirely. Authenticator apps such as Google Authenticator or Authy, and hardware security keys such as YubiKey, provide significantly stronger protection because they do not depend on the phone network.

For crypto project teams, the following setup is recommended: First, use hardware security keys for all social media and communication platform accounts. Second, implement role-based access control where no single team member has administrative access to all platforms. Third, establish a public verification channel — such as a cryptographic signing protocol or a verified secondary communication method — that users can check to confirm whether announcements are legitimate.
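The multi-person approval and cryptographic signing ideas above can be combined, as in this added example (not code from any project named in this article): an announcement counts as authentic only when two of three published team keys have signed its exact text. The signer names, the 2-of-3 threshold and the message format are assumptions made for illustration.

```javascript
// Added example: k-of-n signed announcements (names and threshold are assumptions).
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Constructed team keys. In practice each private key stays with its signer
// (ideally on hardware) and only the public keys are published.
const team = new Map(['alice', 'bob', 'carol'].map(
  (id) => [id, generateKeyPairSync('ed25519')]));
const PUBLISHED_KEYS = new Map([...team].map(([id, kp]) => [id, kp.publicKey]));
const THRESHOLD = 2; // assumed policy: 2 of 3 signers must approve

// Bytes that get signed: channel and text are both bound, so an approval
// cannot be reused for a different message or a different channel.
function canonical(a) {
  return Buffer.from(JSON.stringify([a.channel, a.text]), 'utf8');
}

function approve(signerId, announcement) {
  const { privateKey } = team.get(signerId);
  return { signerId, sig: sign(null, canonical(announcement), privateKey) };
}

// True only if at least k distinct published signers verify over these bytes.
function isAuthentic(announcement, approvals, keys = PUBLISHED_KEYS, k = THRESHOLD) {
  const valid = new Set();
  for (const { signerId, sig } of approvals) {
    const pub = keys.get(signerId);
    if (pub && verify(null, canonical(announcement), pub, sig)) valid.add(signerId);
  }
  return valid.size >= k;
}

const genuine = { channel: 'twitter', text: 'Maintenance window on Friday.' };
const approvals = [approve('alice', genuine), approve('bob', genuine)];
// What a hijacked account can post: the old approvals glued to new text.
const tampered = { channel: 'twitter', text: 'Claim here: ordinalswallet[.]to' };

console.log(isAuthentic(genuine, approvals));                    // true
console.log(isAuthentic(tampered, approvals));                   // false
console.log(isAuthentic(genuine, [approvals[0], approvals[0]])); // false
```

Control of the social media account alone does not produce a post that passes this check, because the signing keys are held separately from the account credentials.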

Additionally, carrier-level protections should be enabled. Most major mobile carriers offer account-level PINs or port freezes that prevent unauthorized SIM transfers. These settings are typically free to enable but must be explicitly activated by the account holder.

For projects managing significant community funds, multi-signature wallet architectures add another layer of protection. Even if an attacker gains control of communication channels, they cannot directly access funds without compromising the separate key infrastructure.

Ongoing Vigilance

Security is not a one-time configuration but an ongoing process. The evolving tactics of groups like PinkDrainer demonstrate that attackers continuously adapt their methods. What worked as defense six months ago may be insufficient today.

Regular security audits should include not just smart contract code but also operational security practices around social media accounts, domain management, and communication channels. Phishing simulation exercises can help team members recognize and resist social engineering attempts. Monitoring services that watch for unauthorized domain registrations or social media impersonation can provide early warning of incoming attacks.
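A minimal version of the domain-monitoring check, as an added example rather than any vendor's tooling: it scans a feed of newly registered domains for lookalikes of a project's own domain. The official domain is a placeholder because the article does not state it, every feed entry except ordinalswallet[.]to is constructed, and the last label is treated as the TLD (no public suffix list).

```javascript
// Added example: flag lookalike registrations of a project's domain.
// OFFICIAL is a placeholder; the article does not give the real domain.
const OFFICIAL = 'ordinalswallet.example';

// Feeds often carry defanged indicators ("[.]"); normalise before comparing.
function refang(d) {
  return d.trim().toLowerCase().replace(/\[\.\]/g, '.');
}

// Assumption: the last label is the TLD and the one before it is the name.
function split(domain) {
  const parts = refang(domain).split('.');
  return { name: parts[parts.length - 2] || '', tld: parts[parts.length - 1] };
}

// Levenshtein distance, two-row dynamic programme.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1,
        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns the reason a candidate looks like the official domain, or null.
function classify(candidate, official = OFFICIAL) {
  const c = split(candidate), o = split(official);
  if (c.name === o.name) return c.tld === o.tld ? null : 'tld-swap';
  if (c.name.includes(o.name)) return 'combo';
  return editDistance(c.name, o.name) <= 2 ? 'typo' : null;
}

// Constructed feed, apart from the first entry (the domain named above).
const FEED = ['ordinalswallet[.]to', 'ordinalswalet.test',
  'claim-ordinalswallet.invalid', 'www.ordinalswallet.example', 'gardening.example'];

function scan(feed) {
  return feed.map((domain) => ({ domain, reason: classify(domain) }))
    .filter((hit) => hit.reason !== null);
}

console.log(scan(FEED)); // three hits: tld-swap, typo, combo
```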

The broader crypto community also plays a role in defense. Rapid reporting of compromised accounts — as seen with the PEPE and Ordinals Wallet incidents — can limit the damage by alerting users before they interact with malicious content. Blockchain security researchers like ZachXBT provide invaluable service by tracking stolen funds and identifying attack patterns.

Final Takeaway

The shift toward social engineering as a primary attack vector against crypto projects reflects a maturing threat landscape. As protocol-level security improves through better auditing practices and formal verification, attackers naturally pivot toward the weakest link in the chain — the humans operating the systems. The events of September 2023 demonstrate that this pivot is well underway, and the industry must adapt its security practices accordingly.

The cost of inadequate social engineering defense extends beyond immediate financial losses. Each successful attack erodes user trust in the broader ecosystem, potentially discouraging adoption among the institutional and retail audiences that the industry is working to attract. For projects and users alike, investing in robust authentication, operational security, and ongoing vigilance is not optional — it is essential infrastructure.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with security professionals regarding the protection of digital assets.


8 thoughts on “SIM Swap Attacks Target Crypto Projects as Social Engineering Emerges as Top Security Threat”

  1. Been saying this for years. SMS 2FA is security theater. Authenticator apps or hardware keys are the only real protection.

    1. ^ preach. and carriers need to be held liable for SIM swaps. they hand over your number to anyone who knows your birthday

      1. carriers in germany require in-person ID verification for SIM swaps. US carriers do it over the phone. the regulatory gap is the vulnerability

    2. SMS 2FA is theater but carriers bear most of the blame. a fake ID and a sob story and they hand over your entire digital identity

      1. carriers won't fix SIM swaps until class action lawsuits hit them. the liability is zero right now so they have no incentive to verify identity properly

  2. PinkDrainer gang behind the Ordinals Wallet SIM swap too? These phishing groups are becoming more organized than the projects they target.

    1. PinkDrainer has been linked to dozens of these attacks now. they operate like a proper criminal enterprise with specialized roles. phishing groups have more org structure than half the DeFi projects they target
