If you had told me last Wednesday afternoon, when my Twitter account had a grand total of three tweets and 200-something followers, that roughly 24 hours later the account would have tweeted 577 times and boosted its follower count to 42,000, I would not have believed you. And if you had further told me that this unfathomable ascent was all part of a massive scam to con would-be Moonbird buyers out of tens of thousands of dollars in cryptocurrency, I would have asked you what a Moonbird is. And yet here we are.
Let’s back up for a moment. On Wednesday, my Twitter account was hacked. The hackers immediately reset the password and changed the associated email address, completely locking me out. I reported the hacking to Twitter Support, but I did not find it particularly concerning, in part because I check Twitter about as often as I send handwritten letters and in part because, for a while at least, the hackers did not seem to be doing much of anything with the account. For all I knew, they could have been wreaking havoc in my DMs (and, as it turned out, they would wreak some mild havoc), but at a glance everything looked the same as it always did.
Until the next day. On Thursday morning, the account transformed into a near-perfect replica of the official Twitter account for Moonbirds, an NFT—non-fungible token—collection that debuted in mid-April and promptly generated $489 million in trading volume in its first two weeks of existence, the most of any collection over that period. (Individual Moonbird NFTs are basically colorful little pixelated owls. They look sort of like a cross between a Club Penguin avatar and a Pokémon. You can buy your own for $80,000.) The hackers changed my account’s name, bio, profile picture, and cover photo to match the official Moonbirds account, except with a scam link instead of the real link for buying the NFTs. They deleted my three tweets and, rather deviously, retweeted a warning from the official Moonbirds account for would-be buyers to “BEWARE of scammers.”
Because my account is verified, they retained the blue check mark that Twitter displays beside my name, a stamp of legitimacy that is likely why the hackers targeted me in the first place, according to Dipanjan Das and Priyanka Bose, researchers at UC Santa Barbara who, along with several colleagues, recently conducted what, to their knowledge, is the first systematic study of security issues in the NFT market. Over the past two weeks, more than a dozen verified accounts have been hijacked by Moonbirds scammers. Bernie Sanders’s son Levi was hacked. The cricketer Martin Guptill was hacked. My colleague Caitlin Dickerson was hacked. (I am honored to be in their company.) By seizing verified accounts in particular, Das and Bose told me, the hackers bolster the credibility of the fake Moonbirds accounts—for the scam to work, people have to mistake the replicas for the real one.
Another way hackers do this is by juicing their follower counts. My measly couple-hundred followers would likely have been an immediate red flag to potential buyers that something was amiss. But 42,000? Now that’s a little more convincing. At one point on Thursday morning, my follower count was skyrocketing at a rate of roughly 200 a minute. Over the course of the day, it rose 14,700 percent. What’s going on here has to do with what Das and Bose call promoter accounts, which have hundreds of thousands or sometimes millions of followers, and whose entire raison d’être, pretty much, is running raffles. When an NFT scam account (or any account, really) wants to artificially spike its own follower numbers, it can pay one of these promoter accounts to run a raffle where the price of entry is following the scam account, rather than paying for a ticket. Bots also tend to get caught in these dragnets, Das and Bose told me, and they likely account for many of my tens of thousands of new followers. Just how many is hard to say.
All of that credibility-building work, though, is mere preparation. Only with the tweet storm does the scam begin in earnest. At 10:13 a.m. on Thursday morning, the hackers tweeted from my account: “We’re excited to launch the Nesting experience for Moonbirds! This is the kickoff of our product positioning around a longterm community,” they wrote, adding a graphic and a phishing link that was superficially similar to the real link to the Moonbirds site. Then, in a single thread, they proceeded over the next few hours to send out 567 tweets indiscriminately tagging thousands of random people. The main tweet has now been shared 1,400 times. Scam links tend to work in one of two ways, Das and Bose told me. In the first, the link takes potential buyers to a site that prompts them to transfer a sum of cryptocurrency in exchange for an NFT, then gives them either a fake NFT or nothing at all. The second is even more destructive: In this version, the site asks buyers for their personal key, which the scammers can use to steal the entire contents of their crypto wallet.
When I discovered what was happening to my account on Thursday morning, I was surprised that Twitter had not yet intervened. I understood why the company would be hesitant to instantly transfer control of an account to the first person claiming rightful ownership, but I would have expected it to step in when the hackers started spamming random accounts. Das and Bose too were surprised that Twitter did not freeze my account at this point, given that such behavior is a clear violation of the site’s terms and conditions. (When the two researchers deployed a similar tactic as part of their work, they were shut down almost immediately.) Twitter has not responded to a request for comment about this whole debacle, but its support team did eventually come through: At 2:39 p.m. on Thursday, 27 hours after the hacking, Twitter Support gave me back control of my account. At long last, I could return to not tweeting.
Who the hackers are is anyone’s guess. And whether or not anyone fell for the scam link my hacked account had tweeted is impossible to know. But dozens of people seem to have fallen victim to the broader Moonbirds scam. The official Moonbirds account has tweeted several times about the scams (its pinned tweet is still the “BEWARE of scammers” injunction that the hackers of my account cleverly co-opted), and the replies are filled with people lamenting their misadventures, seeking redress, or urging preventative action. Several professed to have trusted the scam accounts because they were verified and wondered how they achieved such status. “3,000 in eth over one wrong click,” wrote one apparent victim, referring to the cryptocurrency Ether. (The official Moonbirds Twitter account—yes, the real one—did not respond to a request for comment.)
As the NFT hype balloon has inflated over the past year, Das and Bose told me, scams have proliferated. In just the past few months, hackings similar to the Moonbirds one have targeted a number of other popular NFT collections, including Bored Ape Yacht Club and Azuki. Other scammers have used Facebook and Instagram advertisements to disseminate their malicious links. There is, on the surface, a certain irony to the fact that people are being scammed in the course of trying to purchase something that, if you ask NFT skeptics, is already itself a scam. Call it a second-order scam. Then again, if irony requires the subversion of expectations, perhaps there is nothing ironic about this at all. Of course a tidal wave of hype is going to create ideal conditions for scammers. Of course the people swept up in that tidal wave—many of whom have ample enthusiasm for NFTs and less than ample technical understanding of how they actually work—are going to make for easy targets. Even mechanically speaking, these scams are nothing new: “This is just one manifestation of that age-old phishing,” Das told me.
Nothing new to the world, but certainly new to me. At the moment, my account still looks a little worse for the wear. I have yet to go through and delete my 577 new tweets, and my 41,000 new followers, whether human or bot, have yet to forsake me. I can only hope they get as hyped about The Atlantic’s journalism as they get about Moonbirds.