Animoca Brands’ Exec Explains How His X Account Was Hacked Despite 2FA

Blockchain gaming giant Animoca Brands revealed that co-founder and chair Yat Siu’s X account was hacked, promoting a fraudulent token on Solana’s Pump.fun platform.

The attackers impersonated Animoca and falsely announced the launch of a token. Blockchain investigator ZachXBT attributed the hack to a phishing scam that has recently targeted over 15 crypto-focused X accounts, ultimately stealing almost $500,000.

Fraudulent ‘MOCA’ Token

Siu’s hacked account shared a link to a fake token called Animoca Brands (MOCA) on the Pump.fun platform, which bore the same name as both the company and its Mocaverse NFT collection. This fraudulent MOCA token was then traced back to the same address behind other fraudulent tokens, ZachXBT confirmed.

After being promoted on Siu’s account, the token briefly reached a peak value of almost $37,000, only to crash moments later to a market cap of just $5,735, as per data compiled by Birdeye. Currently, there are only 33 holders of the token.

ZachXBT had previously uncovered this sophisticated phishing scheme wherein phishing emails disguised as urgent messages from the X team often cited fabricated copyright issues and tricked victims into resetting their account credentials.

The scheme leveraged the credibility of crypto-related accounts with large audiences. A majority of those had more than 200,000 followers. Affected accounts included Kick, Cursor, The Arena, Brett, and Alex Blania. The first attack was on November 26, involving RuneMine, and the most recent occurred on December 24, affecting Kick, just before Siu’s.

2FA “Not Enough” to Secure Accounts

Siu explained that the hacker somehow obtained his password and used the account recovery page to bypass 2FA by submitting a request with a non-registered email address. He tested this process and noted a significant security gap: while the system triggered a login notification to the wrong email, the actual, registered email received no alerts regarding critical actions like a 2FA change request.

He said that this lack of notification could have prevented the hack. Siu also added that the hacker submitted a government-issued ID to bypass further security checks, a tactic he suspects was facilitated by phishing. He urged X to implement stronger notifications, particularly for sensitive changes like 2FA modifications, and recommended better verification measures to protect accounts.

Siu also warned that 2FA alone is not enough to secure an account and advised maintaining strong password hygiene, as attackers can bypass 2FA once they have access to the password.