A security breach in X led to the theft of $2.2 million worth of meme money on Solana.
Blockchain researcher ZachXBT revealed that the attack exploited a vulnerability in X’s mobile platform, resulting in multiple token losses in what appeared to be a sophisticated phishing operation against Wallstreetbets.
The attack resulted in the theft of multiple tokens; Major losses included $1.43 million in PNUT, $400,000 in ZEREBRO, and $130,000 in ALCH tokens.
Source: ZachXBT Telergam channel
According to ZachXBT’s Telegram announcement, attackers took advantage of a previously detected bug in X’s mobile platform. This allowed them to add passkeys to compromised accounts; this was a vulnerability that was not visible to the original account holders and was not properly addressed by platform support.
The vulnerability affects the platform’s mobile interface, allowing attackers to maintain persistent access even after account recovery attempts.
Wallstreetbets regains access to the account
Wallstreetbets has since regained control of its accounts. It also confirmed that unauthorized tweets containing malicious links were posted during the security breach.
The account owner explained that they have been struggling with unauthorized access attempts for about a month. The user also works with X’s security team to resolve ongoing security issues.
URGENT: I just deleted the following tweet, which was not written by me. As you may or may not know, I dealt with scammers hacking my account for a month. I will NEVER ask you to click on a sketchy link and I will definitely not tell you to buy something (maybe $XRP). pic.twitter.com/4hB8gaC1Pn
— wallstreetbets (@wallstreetbets) December 8, 2024
Sending a direct message to the attackers, Wallstreetbets issued a stern warning, claiming their identities were known despite them using VPN services to mask their activities.
“Hiding your account login information with a VPN is a ridiculously poor way to cover your tracks,” the account said. Wallstreetbets suggested possible legal consequences of criminal activity.
The account owner also reached out to potentially affected users, asking them to share details of any losses via direct message. This information is intended to be passed on to authorities as part of ongoing investigations into the security breach.
Wallstreetbets wasn’t the only major breach on Sunday. Cardano’s X account was also hacked, and details of the fake US Securities and Exchange Commission lawsuit were published before being shut down.
Bitcoin 
Ethereum 
XRP 
Tether 
BNB 
Solana 
Dogecoin 
USDC 
Lido Staked Ether 
Cardano 
TRON 
Avalanche 
Chainlink 
Wrapped stETH 
Shiba Inu 
Toncoin 
Wrapped Bitcoin 
Sui 
Stellar 
Polkadot 
Hedera 
WETH 
Bitcoin Cash 
Uniswap 
Pepe 
Litecoin 
LEO Token 
Hyperliquid 
NEAR Protocol 
Wrapped eETH 
Aptos 
Bitget Token 
Ethena USDe 
Internet Computer 
Aave 
USDS 
Cronos 
Ethereum Classic 
POL (ex-MATIC) 
VeChain 
Render 
Artificial Superintelligence Alliance 
Monero 
Mantle 
Arbitrum 
Bittensor 
MANTRA 
Filecoin 
Fantom 
WhiteBIT Coin