Symbiotic X hacked, malware is infecting SVG files: Crypto-Sec
The Symbiotic X account has been promoting a phishing site for two days, and researchers found malware in image files.
Phish of the week: Symbiotic X account is compromised
A report from PeckShield revealed that on October 5, the X (formerly Twitter) account of the staking protocol Symbiotic was hacked. As of October 7, Symbiotic’s official website confirmed that the account was still compromised.
The hacker used the compromised account to promote a fake “points” checklist, urging users to click on a malicious link to check their points. Instead of directing users to the legitimate website, symbiotic.fi, the link pointed to a fraudulent site, network-symbiotic[.]fi, potentially exposing users to scams or further security risks.
When users connect to the fake phishing site with a wallet, they are presented with a page that claims they have earned thousands of points, even if they have never interacted with the Symbiotic protocol.
The page urges users to redeem their points immediately and claims they will be lost unless the user clicks a large green “Redeem” button in the middle of the screen.
When users click the “Redeem Points” button through the fraudulent link with an empty wallet, an error message appears suggesting they try a different wallet. This is typical drainer behaviour: the site reads the connected wallet’s balances first and only asks for a signature when there is something to take. Phishing sites of this kind commonly request message signatures because, for tokens that support signature-based approvals (ERC-20 Permit), a single offchain signature is enough to grant the attacker an allowance without the victim ever submitting a transaction. If a user’s wallet contains Symbiotic tokens, the fake site likely prompts the user to sign such a message, potentially allowing the hacker to drain the wallet’s tokens. Cointelegraph noted that they did not test the site with a wallet containing funds to confirm this.
The Symbiotic team has issued a warning on its official website, urging users to avoid interacting with any sites linked to the compromised X account.
This incident highlights the growing issue of X account hacks in the crypto space. As a precaution, users are encouraged to bookmark the URLs of apps they use frequently and to navigate from the bookmark rather than from links posted on social media, which reduces the risk of landing on a lookalike domain such as network-symbiotic[.]fi. This is not foolproof: a bookmark does not help if the legitimate site itself is compromised, and a lookalike bookmarked by mistake is just as dangerous. Users should also refuse to sign messages they cannot read, whether an opaque hex string or typed data naming a spender contract, an allowance amount and a deadline they never intended to grant, as such requests are a common indicator of a phishing attempt designed to steal tokens or other assets.
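As an added illustration (not code from Symbiotic, Cointelegraph or any wallet vendor), the following Python script shows the checks a user or a wallet could apply to a signature request before approving it: an unreadable personal_sign payload is refused outright, and an EIP-712 Permit is refused when the spender is unknown, the allowance is unlimited or the deadline is far in the future. The Permit2 type names, the one-week deadline policy and every address and payload below are assumptions made for the example.

```python
"""Triage of wallet signature requests before signing.

Added example, not code from Symbiotic, Cointelegraph or any wallet vendor.
Assumptions: the request arrives as a JSON-RPC method name plus its payload
(personal_sign with a hex string, or eth_signTypedData_v4 with EIP-712 typed
data); the EIP-2612 Permit field names (spender, value, deadline); the Permit2
type names; a one-week deadline policy. All addresses and payloads are made up.
"""
import time

MAX_UINT256 = 2**256 - 1
# Primary types under which a signature grants a token allowance. "Permit" is
# EIP-2612; the others are the Permit2 names (assumed from common usage).
APPROVAL_TYPES = {"Permit", "PermitSingle", "PermitBatch", "PermitTransferFrom"}
MAX_DEADLINE_SECONDS = 7 * 24 * 3600  # assumed policy: a real app asks for minutes


def decode_personal_sign(hex_payload):
    """personal_sign payloads are hex-encoded bytes. A benign login challenge
    decodes to readable text; a drainer's payload often does not."""
    payload = hex_payload[2:] if hex_payload.startswith("0x") else hex_payload
    try:
        text = bytes.fromhex(payload).decode("utf-8")
    except ValueError:  # bad hex or invalid UTF-8
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def audit_request(method, params, trusted_spenders=(), now=None):
    """Return {"verdict": "REFUSE"|"REVIEW", "warnings": [...], "notes": [...]}
    for one signature request as a wallet would present it."""
    now = int(time.time()) if now is None else now
    trusted = {addr.lower() for addr in trusted_spenders}
    warnings, notes = [], []
    if method == "personal_sign":
        text = decode_personal_sign(params)
        if text is None:
            warnings.append("message is not readable text: never sign what you cannot read")
        else:
            notes.append("plain-text message, first line: " + text.splitlines()[0])
    elif method in ("eth_signTypedData", "eth_signTypedData_v4"):
        ptype = params.get("primaryType", "")
        msg = params.get("message", {})
        domain = params.get("domain", {})
        notes.append(f"typed data {ptype!r} for contract {domain.get('verifyingContract')} "
                     f"on chain {domain.get('chainId')}")
        if ptype in APPROVAL_TYPES:
            notes.append(f"{ptype} lets the spender move tokens later with no further transaction")
            spender = str(msg.get("spender", "")).lower()
            if spender not in trusted:
                warnings.append(f"spender {spender} is not a contract you recognise")
            value = int(str(msg.get("value", "0")), 0)
            if value == MAX_UINT256:
                warnings.append("value is 2**256-1: unlimited allowance")
            deadline = int(str(msg.get("deadline", "0")), 0)
            if deadline - now > MAX_DEADLINE_SECONDS:
                warnings.append(f"deadline is {(deadline - now) // 86400} days away")
    else:
        warnings.append(f"unrecognised signing method {method}")
    return {"verdict": "REFUSE" if warnings else "REVIEW", "warnings": warnings, "notes": notes}


# Constructed payloads (not captured from the real site).
ROUTER = "0x" + "cc" * 20    # pretend this is the app's known contract
DRAINER = "0x" + "bb" * 20   # unknown spender controlled by the attacker
DRAINER_PERMIT = {
    "primaryType": "Permit",
    "domain": {"name": "Token", "version": "1", "chainId": 1, "verifyingContract": "0x" + "11" * 20},
    "message": {"owner": "0x" + "aa" * 20, "spender": DRAINER, "value": str(MAX_UINT256),
                "nonce": 0, "deadline": 1893456000},
}
HONEST_PERMIT = {
    "primaryType": "Permit",
    "domain": {"name": "Token", "version": "1", "chainId": 1, "verifyingContract": "0x" + "11" * 20},
    "message": {"owner": "0x" + "aa" * 20, "spender": ROUTER, "value": str(10**18),
                "nonce": 0, "deadline": 1700000600},
}
LOGIN_CHALLENGE = "0x" + "Sign in to app.example.org\nNonce: 8f3a91".encode().hex()
OPAQUE_BLOB = "0x" + bytes(range(32)).hex()

if __name__ == "__main__":
    for name, method, payload in [("drainer permit", "eth_signTypedData_v4", DRAINER_PERMIT),
                                  ("honest permit", "eth_signTypedData_v4", HONEST_PERMIT),
                                  ("login", "personal_sign", LOGIN_CHALLENGE),
                                  ("opaque", "personal_sign", OPAQUE_BLOB)]:
        print(name, audit_request(method, payload, trusted_spenders=[ROUTER], now=1700000000))
```

The honest Permit passes to REVIEW rather than an automatic approval on purpose: a limited allowance to a known contract with a short deadline is still something to read, while the drainer's unknown spender, unlimited value and multi-year deadline each trigger a hard refusal on their own.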
The prevalence of these scams in the crypto community underscores the importance of remaining vigilant when interacting with links shared on social platforms.
Malware corner: Attackers now using SVG files to lure victims
A September report from HP’s Wolf Security team described a campaign in which attackers use SVG image files to infect victims’ computers. The SVG is the delivery stage for remote access trojan (RAT) software, which gives the attacker control of the system and lets them steal sensitive information such as website passwords, seed phrases and other personal details. If the victim owns cryptocurrency, the attackers can then use the stolen credentials to access and drain the user’s wallet.
Researchers found that the malware was hidden in a ZIP archive that the SVG produces when the image is opened in a browser. Alongside the malicious program, a decoy .pdf file is displayed to distract the victim while the malware is quietly downloaded and installed in the background.
SVG (Scalable Vector Graphics) files, as explained by Adobe, describe images as geometry (paths, curves and text placed by coordinates) rather than as a grid of pixels, which is why they can be resized without losing quality. They are written in XML, so they can carry text and other elements alongside the drawing. According to Mozilla, the SVG format also includes a “script” element, so a file can embed JavaScript that the browser executes when the SVG is opened as a document. Browsers do not run scripts in an SVG that is merely embedded in a page through an img tag; the risk arises when the file itself is opened, for example by double-clicking an attachment. This is the feature that malware creators have learned to exploit.
HP researchers discovered an SVG image that generates a ZIP archive when opened in a browser. Once the user opens the archive, a File Explorer window appears and a malicious Windows shortcut file is downloaded. Clicking the shortcut displays the decoy .pdf file while, in the background, scripts are copied into the victim’s music, photos and startup directories. Anything placed in the Startup folder runs at every logon, which is how the malware persists across reboots.
This tactic is a significant threat because a file that looks like a harmless image gives the victim little reason to suspect an attack before it is too late. In practice, an SVG should be handled like an HTML file rather than a picture: it can contain scripts, and an “image” attachment that opens in a browser tab and immediately offers a download is the tell. The report underscores the importance of caution when interacting with unknown or suspicious files, even those that appear to be simple images or documents.
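The following Python scanner is an added example, not HP Wolf Security’s tooling, that triages an SVG the way a mail gateway or an analyst might before anyone opens it: it parses the XML and reports script elements, event-handler attributes, javascript: and data: links, the Blob/createObjectURL/download calls a script needs in order to hand the browser a file, and base64 runs that decode to a ZIP header. The sample file is constructed here and its “archive” is a PK header followed by zero bytes, so it is inert.

```python
"""Static triage of SVG files for the script-based dropper pattern.

Added example; this is not HP Wolf Security's tooling and the sample file is
constructed here (its "archive" is a PK header followed by zero bytes, so it is
inert). It parses the XML and flags the things a browser would act on.
"""
import base64
import re
import xml.etree.ElementTree as ET  # untrusted XML: use defusedxml in production

EVENT_HANDLER = re.compile(r"^on[a-z]+$", re.IGNORECASE)
# Calls a script needs in order to materialise a file and push it to the user.
DROPPER_CALLS = re.compile(r"new Blob\(|createObjectURL|\.download\s*=|\.click\(\)|atob\(")
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_bytes):
    """Return human-readable findings; an empty list means nothing scriptable was seen."""
    findings = []
    root = ET.fromstring(svg_bytes)
    for elem in root.iter():
        tag = _local(elem.tag).lower()
        if tag == "script":
            body = elem.text or ""
            findings.append(f"<script> element with {len(body)} characters of code")
            if DROPPER_CALLS.search(body):
                findings.append("script builds a Blob and triggers a download: browser-side dropper pattern")
            for run in BASE64_RUN.findall(body):
                try:
                    head = base64.b64decode(run + "=" * (-len(run) % 4))[:4]
                except ValueError:
                    continue
                if head.startswith(b"PK\x03\x04"):
                    findings.append(f"base64 blob of {len(run)} chars decodes to a ZIP archive (PK header)")
        elif tag in ("foreignobject", "iframe", "embed"):
            findings.append(f"<{tag}> can host arbitrary HTML content")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            if EVENT_HANDLER.match(name):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href":
                target = value.strip().lower()
                if target.startswith("javascript:"):
                    findings.append(f"javascript: URL in href on <{tag}>")
                elif target.startswith("data:"):
                    mime = target[5:].split(";", 1)[0].split(",", 1)[0]
                    findings.append(f"data: URI ({mime or 'no type'}) in href on <{tag}>")
    return findings


def is_suspicious(svg_bytes):
    return bool(scan_svg(svg_bytes))


# Constructed sample: an "invoice" SVG whose script decodes an archive and
# forces the browser to download it. The archive body is zeros, not malware.
ZIP_B64 = base64.b64encode(b"PK\x03\x04" + b"\x00" * 200).decode()
DROPPER_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="300" height="120" onload="run()">
  <rect width="300" height="120" fill="#eee"/>
  <text x="20" y="60">Invoice_1234.pdf</text>
  <script><![CDATA[
    function run() {
      var raw = atob("__B64__");
      var bytes = Uint8Array.from(raw, function (c) { return c.charCodeAt(0); });
      var blob = new Blob([bytes], { type: "application/zip" });
      var a = document.createElement("a");
      a.href = URL.createObjectURL(blob);
      a.download = "Invoice_1234.zip";
      a.click();
    }
  ]]></script>
</svg>""".replace("__B64__", ZIP_B64).encode()

BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle cx="5" cy="5" r="4" fill="red"/></svg>'

if __name__ == "__main__":
    for line in scan_svg(DROPPER_SVG):
        print("-", line)
    print("benign:", scan_svg(BENIGN_SVG))
```

A benign drawing produces no findings at all, so a simple policy of quarantining any SVG with a non-empty report is workable at a gateway; the ZIP-header check is what separates a generic scripted SVG from one that is carrying its own payload.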
Fire token exploit illustrates risks of novel tokens
Investing in new tokens with novel features and unaudited contracts can be highly risky, as demonstrated by the events surrounding the FIRE token on October 1. The Uniswap liquidity pool for FIRE was drained almost entirely after an attacker exploited the token’s contract, allowing them to repeatedly sell the token at an artificially increasing price.
Following the exploit, the token’s team quickly deleted their social media accounts and disappeared, raising suspicion that the project may have been a rug pull or exit scam from the beginning. The token has not been traded since October 2, suggesting that its liquidity has been drained to the point where selling is likely impossible.
FIRE was marketed as an “ultra-hyper-deflationary token.” According to its website, the token’s design meant that whenever holders sold their FIRE tokens in the Uniswap liquidity pool, those tokens would be automatically sent to a burn address, effectively reducing the supply. The idea was that this deflationary mechanism would increase the value of the remaining FIRE tokens for those who didn’t sell. However, the token’s failure and the subsequent vanishing act of the development team have left investors with no liquidity and a worthless token, highlighting the risks of investing in projects with unaudited contracts and unproven features.
After the exploit, the FIRE team deleted its X and Telegram accounts, which suggests that the attacker may have been affiliated with the team. The token’s Apespace page also features a warning that the FIRE contract contains a “blacklisting” feature allowing developers to blacklist any user’s account and prevent them from selling the token. The developers may have used this blacklisting feature to only allow themselves to sell.
Users should exercise caution when interacting with tokens that have novel features that may not be fully understood.
In this case, the developers explicitly stated that anyone who sells into the pool destroys tokens, reducing their supply. What some users may not have realized is what that does to the pool itself: a constant-product market such as Uniswap quotes its price from the ratio of its two reserves, so burning tokens out of the pool’s reserve while the pool still pays out for them makes every sale push the quoted price higher. A single trader can therefore swap into and out of the token repeatedly, shrinking the token reserve each time, until a holding bought at the start can be sold for nearly all of the pool’s remaining liquidity.
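To make the mechanism concrete, here is an added simulation (constructed numbers, not FIRE’s contract) of a constant-product pool with a 0.3% fee. It compares a normal token with one whose sold tokens are burned out of the pool’s reserve after each swap, which is an assumed reading of the “burn on sell” rule, and runs the same trader strategy against both: buy a bag, churn fifty buy/sell cycles, then sell the bag.

```python
"""Constant-product pool under a "sell-to-burn" token: one trader drains it.

Added example with constructed numbers; it is not FIRE's contract and the
Uniswap pair is reduced to the x*y=k formula with a 0.3% input fee. Assumption
(labelled): tokens sold into the pool are burned out of the pool's balance after
the swap settles, so the pool pays ETH for tokens it no longer holds.
"""
from dataclasses import dataclass

FEE_BPS = 30  # Uniswap v2 style: 0.30% taken from the input amount


@dataclass
class Pool:
    fire: float          # token reserve
    eth: float           # ETH reserve
    burn_on_sell: bool   # True models the "ultra-hyper-deflationary" rule

    @staticmethod
    def amount_out(amount_in, reserve_in, reserve_out):
        """Uniswap v2 getAmountOut: fee is charged on the input side."""
        in_with_fee = amount_in * (10_000 - FEE_BPS)
        return reserve_out * in_with_fee / (reserve_in * 10_000 + in_with_fee)

    def buy_fire(self, eth_in):
        fire_out = self.amount_out(eth_in, self.eth, self.fire)
        self.eth += eth_in
        self.fire -= fire_out
        return fire_out

    def sell_fire(self, fire_in):
        eth_out = self.amount_out(fire_in, self.fire, self.eth)
        self.eth -= eth_out
        if not self.burn_on_sell:
            self.fire += fire_in  # normal token: the pool keeps what it bought
        # burn_on_sell: the sold tokens go to the burn address, the pool's
        # reserve is not credited and x*y shrinks (assumed burn-after-swap order)
        return eth_out

    def price(self):
        return self.eth / self.fire  # ETH per FIRE as quoted by the reserves


def run_trader(burn_on_sell, bag_eth=10.0, cycle_eth=10.0, cycles=50):
    """Buy a bag, churn buy/sell cycles, then sell the bag. Returns the outcome."""
    pool = Pool(fire=1_000_000.0, eth=100.0, burn_on_sell=burn_on_sell)
    start_fire = pool.fire
    spent = bag_eth
    bag = pool.buy_fire(bag_eth)         # position taken at the opening price
    price_before = pool.price()
    for _ in range(cycles):
        bought = pool.buy_fire(cycle_eth)
        spent += cycle_eth
        spent -= pool.sell_fire(bought)  # the same round trip every cycle
    price_after = pool.price()
    received = pool.sell_fire(bag)       # exit into whatever ETH is left
    return {
        "profit_eth": received - spent,
        "price_multiple": price_after / price_before,
        "fire_reserve_left": pool.fire / start_fire,
        "eth_reserve_left": pool.eth,
    }


if __name__ == "__main__":
    for mode in (False, True):
        result = run_trader(burn_on_sell=mode)
        label = "burn on sell" if mode else "normal token"
        print(label, {k: round(v, 4) for k, v in result.items()})
```

Against the normal token the churn only pays fees: the trader ends slightly down and the pool ends with the same token reserve and a little more ETH. Against the burn-on-sell token the same fifty cycles remove over 98% of the pool’s token reserve while the trader breaks even on each one, the quoted price rises by a factor in the tens, and selling the bag bought for 10 ETH at the start returns most of the pool’s 100 ETH.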