Cyber Incident Victim: KuCoin

Date: Apr 2023

Location: Singapore

Summary

KuCoin's official Twitter account was compromised by attackers who used it to promote a fraudulent cryptocurrency giveaway. The scam, hosted on a fake website, resulted in the theft of over $22,600 from users who sent funds. The exchange identified 22 fraudulent transactions and promised to reimburse verified victims for their losses. The company also stated it was implementing additional security measures and working with Twitter to investigate the breach.


Description

On or around April 24, 2023, the official Twitter account of the cryptocurrency exchange KuCoin was compromised by attackers. The unauthorized access to the social media account lasted for a period of forty-five minutes. During this brief window, the threat actors utilized the hijacked account to post promotional content for a fraudulent cryptocurrency giveaway scam. The fabricated campaign was designed to appear as a legitimate promotional event hosted by KuCoin, mimicking the platform's regular marketing activities to enhance its credibility and deceive followers. The scam advertisement claimed the exchange was celebrating a milestone of reaching ten million users by airdropping five thousand Bitcoin and ten thousand Ethereum to participants.

The malicious posts directed users to a fraudulent website domain, kucoinevent[.]com, which was set up by the attackers to host the fake giveaway. The website's fraudulent terms invited all users to participate by sending any amount of cryptocurrency with the promise of receiving double the amount in return. The scam specifically stated that eligibility for participation was open to everyone, including individuals who did not possess a KuCoin account, a detail intended to broaden the potential victim pool beyond the exchange's immediate customer base. To further legitimize the scam and persuade hesitant visitors, the attackers also posted fabricated user comments beneath the promotional tweets. These fake replies purported to confirm the validity of the giveaway and the successful receipt of doubled funds.

The incident resulted in confirmed financial losses for a number of KuCoin's followers. The cryptocurrency exchange subsequently reported that it had identified twenty-two separate transactions associated with the fraudulent activity. These transactions involved both Bitcoin and Ethereum sent to addresses controlled by the scammers. The total value of the stolen cryptocurrency was quantified at 22,628 USDT. This amounted to a direct financial impact of over twenty-two thousand dollars stolen from victims who engaged with the scam.

Upon detecting the unauthorized access and the malicious posts, KuCoin initiated a response to contain the incident and mitigate further harm. The company's first action was to regain control of its compromised Twitter account, which was accomplished after the forty-five-minute period. Following the account's recovery, KuCoin publicly acknowledged the security breach through a thread of posts on its official Twitter account. In these communications, the company detailed the scope of the known financial impact, providing the number of transactions and the total value stolen. To prevent additional users from falling victim to the ongoing scam, KuCoin announced that it was actively examining and blocking the suspicious cryptocurrency addresses linked to the fraudulent activity.

KuCoin also directly addressed the victims of the scam, urging them to contact the company's official support team via the email address [email protected]. The exchange issued a specific warning advising affected users to ignore all advice or recommendations offered through other channels, noting the prevalence of fake cryptocurrency support bots on Twitter that often attempt to exploit individuals already victimized by such incidents. The company further advised victims against publicly posting details of their issues on Twitter or engaging with individuals offering unsolicited assistance.

In the aftermath of the incident, KuCoin made commitments regarding restitution and future security improvements. The exchange promised to fully reimburse all verified losses incurred by users as a direct result of the hack of its Twitter account. It simultaneously assured its user base that all assets held within the KuCoin trading platform itself remained entirely secure and were not impacted by this external social media compromise. To prevent a recurrence of such an event, KuCoin pledged to implement additional security measures for its social media presence. These measures were intended to augment Twitter's existing security protections, which include two-factor authentication. Furthermore, the company stated it was working closely with Twitter to conduct a forensic investigation aimed at determining the specific attack pathway utilized by the threat actors to hijack the verified account.

This incident is part of a broader trend wherein scammers target the official Twitter accounts of cryptocurrency exchanges. The compromise of these verified accounts provides attackers with a highly trusted platform from which to promote scams, making their fraudulent posts appear legitimate and significantly increasing the likelihood of successfully tricking a large number of people in a very short period. The KuCoin hack shares similarities with previous security events affecting other prominent players in the cryptocurrency sector. In late January 2023, the Twitter account of the trading platform Robinhood was similarly hijacked to promote a fake token launch. In September 2022, the Twitter account of the cryptocurrency exchange platform CoinDCX was compromised and used to promote fraudulent XRP (Ripple) advertisements. The primary impact of the KuCoin incident was the financial loss suffered by the individuals who transferred funds to the scam operators, coupled with the reputational damage to the KuCoin brand associated with the breach of its official communication channel. The company's response focused on victim reimbursement, securing the account, and initiating an investigation to understand the breach's mechanics.
