The Strange Details of the ApeCoin Twitter Scam from One Unlucky Victim

In the annals of phishing attacks that plague the crypto world, set a place aside for the incredible bad luck of Brian Fanzo.

A popular podcaster, Fanzo is about a third of the way through a project where he’s buying one non-fungible token, or NFT, every day for a year, with the collection to be auctioned off in November. He spends a lot of time on marketplaces like Open Sea, which is what he was doing on the evening of Sunday March 20 when his project came to a crashing halt.

He was trying to buy his latest NFT and had competition, so he was clicking to confirm transactions quite often on his MetaMask wallet. What he didn’t know was that a hacker had phished him and was spamming his wallet at that same time. Fanzo inadvertently hit confirm several times on requests from the hacker to move NFTs out of his wallet.

The scam has proliferated on Twitter and has again raised questions of why the social media company isn’t doing more to police fraud on its platform. Twitter should take more responsibility to ensure verified accounts are genuine and haven’t been hijacked — and if they have to fix the problem quickly — according to Geoff Golberg, founder of Social Forensics and an outside consultant to AnChainAI. In 2020, the verified Twitter accounts of high-profile people and companies such as Joe Biden, Bill Gates, Elon Musk, Apple and Uber were hijacked to run a Bitcoin scam. A Twitter representative didn’t immediately respond to a request for comment.

Fanzo was not the only person affected by the scam. AnChain AI, a blockchain security, risk and compliance firm, estimates the con duped 80 people and has earned proceeds of 260 Ether so far, worth about $815,000 at the current price. The fraud works like this: what appears to be verified Twitter users have been spamming crypto accounts with an offer to give free ApeCoin to people who hold NFTs or for purchase for 0.33 Ether. A link in the tweet leads to a page where you’re asked to connect your wallet for the Ether ApeCoin transfer.

A few hours after I spoke to Fanzo, the Twitter account of DeCential Media was spammed with the fake ApeCoin offering. (We laughed and didn’t click.)

Fanzo spent many years as a cyber security engineer helping the Defense Information Systems Agency, Army and Air Force, so he’s no slouch when it comes to being careful online. Yet he still fell victim to a rather sophisticated scam.

“My amount of transactions is extremely high, not to mention what I’m doing with my personal bag,” he said to me recently. “If I wasn’t buying an NFT off the floor of Open Sea for a project that just sold out, there’s no way I click that button more than once,” he explained. “The reason I hit that button is because I’d had three failed Open Sea purchases which was technically three authorizations to transfer my own NFT out.”

“I am the one that initiated those three, thinking that I was doing it on Open Sea,” he said. What’s worse, the hacker has made it so Fanzo can’t access the wallet that contains the NFTs for his 365-day project. He saved 86 of them before his wallet was hijacked, but his loss still stands at about $110,000; he’s had to watch helpless as some of his stolen NFTs were sold on Open Sea for a total of $39,000.

One part of the fraud Fanzo still isn’t entirely sure about is how the ApeCoin scammers got access to his MetaMask wallet in the first place. While he was tagged in one of the phishing tweets, he said he didn’t click on the link in the tweet. As we spoke, he recalled that on Sunday before the attack he’d visited two NFT web sites. It’s possible one of those sites had malicious code that could read his MetaMask public address because he runs his wallet in a web browser extension.

“The other part of it that I don’t understand is what happened between then [Sunday evening] and the next day when they truly hijacked my wallet,” he said. “They have everything now. They’re running a sweeper against the wallet right now where as soon as I send Ether to the wallet it’s drained out immediately, so I can’t do anything with the NFTs that are currently in that wallet.”

Nick Gans, head of research and development at Inca Digital, a crypto data analytics firm, likened the ApeCoin scam to the takeover of verified twitter accounts in 2020, but “this was far more sophisticated in design,” he said in an email. He also puzzled over the exact mechanics.

“People report clicking the link but not connecting their wallets and still losing funds,” Gans said. “If true - there may be a sophisticated browser-based hack on some of these websites which attempts to gain access over your wallet (and possibly other account credentials) without the victim initiating a connection themselves.”

Fanzo has 294 NFTs stuck in his hijacked wallet, and while none of them is particularly valuable, they are meant to be part of his 365-day collection.

“In a weird way, none of them are of high value but the fact that I can’t get them kind of sabotages the project,” he said. “I’m willing to pay to get those NFTs out because they’re part of a collection.” He’s filed a police report and said he felt “violated.”

“For me the part of it is, if the web site was never accessed how did I authenticate my wallet to that? That’s the thing that’s a little bit scary from my side.”