Immutable AI Labs appears to have been compromised as it was spotted sharing a risky link for its IMMU token airdrop. Web3 security researchers found other instances of compromised social media profiles recently.
Immutable AI Labs had its social media profile compromised, as discovered by Web3 Antivirus. The finding came after Immutable AI’s X account was found spreading a fake link for users to check their eligibility ahead of its new IMMU token airdrop.
The risk is still present, as the Immutable AI X account is still not frozen or suspended. The malicious link was still active hours after the initial posting. The fake link uses a spoof ImmutableAI website, with only a slight difference to the real eligibility checker. The hijacked account has also been spreading the phishing link through replies.
Address checkers do not flag the spoof site as risky, and the Web3 Antivirus tool only flags the risk when trying to connect a wallet.
Hijacked social media accounts are one of the main methods of distributing fake token addresses and phishing links. This time, the mixup also included a fully spoofed website. The Web3 Antivirus service marks the address as risky, containing a wallet drainer and a spoofed Ethereum address that looks legitimate.
For Immutable AI Labs, the IMMU token is not mentioned anywhere else on social media, with no detailed conditions on the airdrop. Immutable AI has nothing to do with ImmutableX, which is a separate project that claims to secure AI training models on the blockchain.
Social media attacks defrauded users of up to $3.5M in the past few months, according to blockchain tracking by ZachXBT. The accounts attacked were mostly crypto insiders, though they also included the social media handle of McDonald’s.
Stolen X accounts may be especially tricky, as there have been cases where the hacker regains control of the app even after recovery. Sometimes, a hacker may set up a passkey on a mobile app, which is usually sufficient to re-enter the account and send out messages.
The exploit hinged on the passkey creation, which is not immediately visible to the true account owner. For Web3 and other projects, account recoveries must take into account the potential for access through a passkey, which must be revoked.
As tokens gain value and activity increases, phishing links now have more opportunities to hide in various forms. DeFi activity, token sales, NFT mints, or other Web3 activities are all viable options for creating wallet drainers, fake tokens, or Pump.fun rug pulls.
In cases where hackers cannot take control of a social media account, fake advertisements on Google searches are still a common tool for spreading spoofed links. One recent attack involved the DeFi Llama trading service.
The best approach to avoid these traps is to bookmark the legitimate links for most DEX and DeFi services instead of relying on a Google search every time. Some links may need to be double-checked or, as a last resort, tested with a wallet that does not contain significant reserves.
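One way to automate the "compare against your bookmarks" check described above, as an added example that is not from the article or any project it names. The hostnames are constructed placeholders and `classifyLink` and `editDistance` are hypothetical helper names.

```javascript
// Constructed allowlist standing in for the user's bookmarks (placeholder hosts).
const BOOKMARKED = ["checker.project.example", "app.dex.example"];

// Levenshtein distance between two hostnames, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + cost);
      diag = up;
    }
  }
  return row[b.length];
}

// "trusted" only for an exact bookmarked host over HTTPS; "suspicious" when the
// link imitates a bookmarked host; "unknown" for everything else.
function classifyLink(link, bookmarked = BOOKMARKED) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return { verdict: "invalid", reason: "not a URL" };
  }
  if (url.username || url.password) {
    return { verdict: "suspicious", reason: "userinfo placed before the real host" };
  }
  if (url.protocol !== "https:") {
    return { verdict: "suspicious", reason: "not HTTPS" };
  }
  // URL parsing lowercases the host and converts IDN labels to punycode (xn--).
  const host = url.hostname.replace(/\.$/, "");
  if (bookmarked.includes(host)) return { verdict: "trusted", reason: "exact bookmarked host" };
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { verdict: "suspicious", reason: "punycode label, possible homoglyph" };
  }
  for (const good of bookmarked) {
    if (host.startsWith(good + ".")) {
      return { verdict: "suspicious", reason: `bookmarked host used as a prefix of ${host}` };
    }
    const d = editDistance(host, good);
    if (d <= 2) return { verdict: "suspicious", reason: `${d} edit(s) away from ${good}` };
  }
  return { verdict: "unknown", reason: "host is not bookmarked" };
}
```

An "unknown" verdict is not a pass: it only means the host resembles nothing in the bookmark list, so the link still needs the manual double-check the article recommends.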
🚨 Security Alert: We've detected phishing ads impersonating Aerodrome on Google! These scam ads could steal your assets if you connect wallet & sign transactions.
🛡️ Safety Tips:
• Skip Google Ads results
• Bookmark trusted sites
• Never rush into signing transactions
pic.twitter.com/OkCg3uK4Zy
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) November 27, 2024
The popularity of the Base blockchain and its ability to reach valuable assets made hackers post a fake ad for Aerodrome, one of its most active DEXs.
This time, the sponsored content was removed almost immediately. The attack against Base shows the chain has established itself as one of the main stores of value. Until recently, scam tracking services noted more than 95% of exploits targeted Ethereum. Base, as a Layer 2, still carries valuable assets, including USDC tokens.
Solana wallet exploits are even riskier since the signed permission cannot be revoked. Once a drainer controls the wallet with a signed permission, that address is forever tainted and not safe to store any assets, even if the user controls their private keys.
Scam links often drain small-scale wallets. However, some of the biggest exploits have reached more than $32M. Pink Drainer, the most common wallet draining tool, has so far accrued more than $8B in multi-chain assets, with 22,161 victims. Targeted wallet draining for large sums is usually the more efficient option, but general spoof links still attempt to drain the wallets of retail users.