The Symbiotic X account has been compromised, promoting a phishing scheme for several days. Security researchers at Crypto-Sec have found that malware is infecting SVG image files, leading to crypto theft.
Symbiotic X Compromised: Phishing Alert
On October 5, 2024, PeckShield reported that Symbiotic’s X (formerly Twitter) account was hacked. The staking protocol’s official website confirmed the account was still under hacker control as of October 7. The attackers are using the compromised account to direct users to a fake site with a deceptive “points” system.
The phishing post directs users to an imposter website, network-symbiotic[.]fi, instead of the legitimate URL symbiotic.fi. The fake site claims users can check their “points” balance by connecting their crypto wallets. Once users connect, the site falsely indicates they have accumulated thousands of points, regardless of their past activity with the Symbiotic platform.
Phishing Tactics: How It Works
The fake page urges users to click a prominent green “Redeem” button, claiming they need to redeem their points immediately or risk losing them. If a user with an empty wallet tries to redeem, they receive an error message typical of phishing sites, suggesting they try another wallet. The message includes a request for a signature, a common tactic to gain wallet access.
If the wallet contains Symbiotic tokens, the site likely prompts the user to sign a message. Once signed, the attackers can use this authorization to drain the wallet’s tokens. Crypto-Sec and other security experts caution users against signing code-based messages, as these are often associated with phishing attempts.
Symbiotic’s official website currently warns users about the compromised X account and urges them not to engage with any links shared through it.
Protecting Against X Account Hacks and Phishing Scams
Hacks on X accounts have become increasingly common in the crypto space. To safeguard their assets, users should consider bookmarking trusted URLs for their frequently used platforms rather than clicking on links shared via social media, though this method is not foolproof. Crypto users are also advised to stay vigilant when prompted to sign messages, especially those written in code, as these often signal phishing attacks.
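The bookmarking advice above can be turned into a mechanical check. The following is an added example, not code from the article or from Symbiotic: it compares the host a link actually resolves to against a list of bookmarked hosts and flags hosts that only borrow the brand name. The lists TRUSTED_HOSTS and BRAND_LABELS, the function names, and the rule that subdomains of a bookmarked host count as trusted are assumptions; the sample links are constructed from the two domains named in the article.

```javascript
// Added example: classify a link against a user's bookmarked hosts.
// TRUSTED_HOSTS and BRAND_LABELS are assumptions built from the domains in the article.
const TRUSTED_HOSTS = new Set(["symbiotic.fi"]);
const BRAND_LABELS = ["symbiotic"];

// Turn a defanged indicator (hxxps://, [.]) back into a parseable URL string.
function refang(text) {
  return text.trim().replace(/\[\.\]/g, ".").replace(/^hxxp/i, "http");
}

// Extract the host the browser would actually connect to.
// The URL parser discards any "user@" prefix, so "symbiotic.fi@other.host" yields other.host.
function hostOf(link) {
  let s = refang(link);
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(s)) s = "https://" + s;
  const host = new URL(s).hostname.toLowerCase();
  return host.endsWith(".") ? host.slice(0, -1) : host; // drop a trailing root dot
}

function classifyLink(link) {
  let host;
  try {
    host = hostOf(link);
  } catch {
    return { host: null, verdict: "invalid" };
  }
  // Exact match or a subdomain of a bookmarked host (assumed policy).
  for (const trusted of TRUSTED_HOSTS) {
    if (host === trusted || host.endsWith("." + trusted)) return { host, verdict: "trusted" };
  }
  // Brand name present but the host is not bookmarked: treat as an imposter.
  if (BRAND_LABELS.some((b) => host.includes(b))) return { host, verdict: "lookalike" };
  return { host, verdict: "unknown" };
}

// Constructed sample links (not captured data).
const SAMPLE_LINKS = [
  "https://symbiotic.fi/",
  "network-symbiotic[.]fi",
  "https://symbiotic.fi@network-symbiotic.fi/points",
  "https://example.org/",
];
for (const link of SAMPLE_LINKS) {
  console.log(link, "->", JSON.stringify(classifyLink(link)));
}
```

Internationalized hosts are returned by the URL parser in punycode form, so a homoglyph imitation comes back as "unknown" rather than "lookalike"; anything other than "trusted" should be treated as not bookmarked.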