NFTs, crypto stolen after Web3 Gaming CEO Gabriel Leydon’s Twitter hack
by James · November 3, 2022
- Limit Break CEO Gabriel Leydon’s Twitter account was hacked on Wednesday and used to spread a scam link.
- The attacker stole NFTs and crypto from users who interacted with the scam link. Leydon alleges wrongdoing by an AT&T employee.
Social media scams thrive in the crypto space, and NFT collectors lose their assets to attacks carried out through hijacked accounts. The latest example happened last night, with dozens of NFTs and $30,000 worth of cryptocurrency stolen through a scam shared through the account of a well-known Web3 game developer.
On Wednesday, the Twitter account of Gabriel Leydon, co-founder and CEO of Limit Break, the anime-inspired gaming startup behind the Ethereum NFT project DigiDaigaku, was apparently taken over by an unauthorized user. The account went on to share a link to what was billed as access to an allowlist to secure a mint of a free DigiDaigaku NFT.
Instead, when users interacted with the site and authorized the transaction requested by the smart contract (that is, the code that drives NFTs and autonomous decentralized apps), the attacker stole NFTs and cryptocurrency from their wallets. Transactions made on blockchain networks cannot be reversed by a third party, as a bank or credit card company might do in the event of fraud or theft.
The attacker stole dozens of NFTs from users, potentially worth tens of thousands of dollars in Ethereum in total. By far the most valuable of them was one Mutant Ape Yacht Club NFT, which the attacker quickly sold for 12.39 ETH (about $19,100 at the time). In addition, it appears that the wallet took about $30,000 worth of crypto from users.
Leydon has since restored his Twitter account and pointed the blame at mobile operator AT&T in a voice message shared via tweet. In a direct message to Decrypt, Leydon claimed that an AT&T employee “did it [an] override all my security protections and done [an] unauthorized SIM switching.”
A SIM swapping attack is typically used to bypass two-factor authentication on accounts. The attacker takes over the mobile phone number in question and then uses it to access protected accounts, including social media, where they can then impersonate the account owner.
Leydon claimed an employee “bypassed” protections set on his AT&T account, and said Limit Break is in contact with the company about the allegations. AT&T representatives did not immediately respond to Decrypt’s request for comment.
The Limit Break CEO told Decrypt that the studio is investigating the attack and that it will work to assist users whose assets were stolen. “It’s a terrible situation and once we’ve confirmed that the person was attacked, we will help that person,” Leydon said.
ZachXBT, a well-known pseudonymous blockchain researcher, tweeted that the attack appears to be related to Monkey Drainer, a scammer who has recently snapped up millions of dollars’ worth of NFTs and crypto assets.
Twitter has been besieged by similar attacks in recent months. In some cases, a notable NFT artist or project creator’s account is hacked and used to spread these so-called “wallet drainer” scams. The rise of these scams has led to a debate about the responsibilities of Web3 creators to compensate users who lose their assets as a result.
Other times, verified accounts of non-affiliated users, such as journalists, have been hijacked, renamed to mimic official project accounts, and used to spread scams. It happened more often earlier this year, especially around projects such as Azuki and Otherside, but it appears that Twitter addressed the security hole that enabled these verified account exploits.
Limit Break was founded in 2021 by Leydon and Halbert Nakagawa, former co-founders of mobile game studio Machine Zone, which has produced successful titles such as Game of War: Fire Age and Mobile Strike. The Web3 startup raised $200 million, as announced in August, from firms such as FTX, Coinbase Ventures and Paradigm.
DigiDaigaku is billed as a “free-to-own” game meant to move away from the ephemeral play-to-earn model popularized by Axie Infinity. The project’s original Genesis NFT profile pictures (PFPs) launched in August with a free mint, and have generated over 9000 ETH worth of trading volume to date, or about $14 million based on the current price of ETH.
Limit Break claims it acquired a DigiDaigaku commercial slot for Super Bowl LVII in February 2023 at a price tag of $6.5 million, investing heavily for a potential opportunity to expose the Web3 project to a larger audience.