Twitter Bots Being Used to Trick Victims into Sharing Recovery Phrase

Scammers are using the Twitter API to monitor every tweet containing requests for support for MetaMask, TrustWallet, and other popular crypto wallets, and are responding to those tweets with scam links within seconds. The threat actors use the API to monitor public tweets matching keywords they supply, such as ‘support,’ ‘help,’ or ‘assistance,’ along with keywords like ‘MetaMask,’ ‘Phantom,’ ‘Yoroi,’ and ‘Trust Wallet’. Any time these keywords appear in the same tweet, the sender receives an almost instantaneous reply from a scammer account offering to help with their issue. The reply tweets contain a link to a Google Form that poses as a legitimate wallet support form and asks the victim to enter the recovery phrase for their wallet. Once the recovery phrase is stolen, the threat actor has access to all the crypto in the wallet.
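The pattern described above (a support keyword plus a wallet name, a reply within seconds, and a Google Form link) can be turned into a triage heuristic for a wallet vendor's support or brand-protection team reviewing replies. The following is an added example, not code from the article or from any wallet project; the 60-second threshold, the allowlist of official handles, the record layout, and all sample tweets are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Keywords come from the article; threshold and allowlist are assumptions.
SUPPORT_WORDS = {"support", "help", "assistance"}
WALLET_WORDS = {"metamask", "phantom", "yoroi", "trust wallet", "trustwallet"}
FORM_LINK = re.compile(r"https?://(?:docs\.google\.com/forms|forms\.gle)/\S+", re.I)
OFFICIAL_HANDLES = {"metamask", "trustwallet"}   # assumed allowlist
MAX_BOT_LATENCY_S = 60                            # assumed threshold


def is_bait(text):
    """True when a tweet pairs a support word with a wallet name."""
    low = text.lower()
    words = set(re.findall(r"[a-z]+", low))
    return bool(words & SUPPORT_WORDS) and any(w in low for w in WALLET_WORDS)


def score_reply(parent, reply):
    """Return the list of scam indicators a reply matches."""
    if not is_bait(parent["text"]):
        return []
    hits = []
    latency = (reply["time"] - parent["time"]).total_seconds()
    if 0 <= latency <= MAX_BOT_LATENCY_S:
        hits.append("fast_reply")
    if FORM_LINK.search(reply["text"]):
        hits.append("form_link")
    if reply["author"].lower() not in OFFICIAL_HANDLES:
        hits.append("unofficial_author")
    return hits


def flag_replies(parent, replies):
    """Handles of replies that match all three indicators."""
    return [r["author"] for r in replies if len(score_reply(parent, r)) == 3]


# Constructed sample data (not real tweets or accounts).
PARENT = {"author": "alice_example", "time": datetime(2022, 1, 1, 12, 0, 0),
          "text": "My MetaMask swap is stuck, need help please"}
REPLIES = [
    {"author": "wallet_helpdesk_0x", "time": datetime(2022, 1, 1, 12, 0, 7),
     "text": "Report it to support here https://forms.gle/EXAMPLEONLY"},
    {"author": "bob_example", "time": datetime(2022, 1, 1, 12, 45, 0),
     "text": "Same thing happened to me last week"},
    {"author": "MetaMask", "time": datetime(2022, 1, 1, 12, 0, 30),
     "text": "We will never ask for your recovery phrase"},
]
```

Match the allowlist against the account handle or ID rather than the display name, since display names can be set to anything.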

Analyst Notes

As a general rule, never share a wallet’s recovery phrase with anyone. The recovery phrase is only for the wallet owner, and no legitimate support person from MetaMask, TrustWallet, or elsewhere will ever ask for it. It is also important to never allow screen sharing, especially when displaying the recovery phrase, as scammers can screenshot the phrase and use it for the same purpose. At this time, there is no way to prevent these attacks unless Twitter changes its API to restrict keywords or restricts who has access to its development platform.