Unpacking the recent breach: From Alert to Action

Summary

On February 6, 2025 at 08:40 UTC+8, our main Twitter account was compromised, and the attacker published malicious tweets from it. The incident was first identified through our alerting system together with internal reports from team members. Account recovery procedures were started as soon as the breach was confirmed. We have concluded our investigation, but we were not able to determine the exact method of account takeover. Our security analysis and the vault audit logs strongly indicate that the compromise was not caused by a leak of our credentials.


Key Timestamps

  • Reported: February 6, 2025 12:40 AM (UTC)
  • Impact start: February 6, 2025 12:40 AM (UTC)
  • Fixed: February 6, 2025 4:30 AM (UTC)

Durations

  • Incident duration: 3 hours and 50 minutes
  • Time to react to the incident: 25 minutes

Incident Timeline (All timestamps in UTC +8)

2025-02-06

08:40:00

  • Impact start: the attacker began publishing malicious tweets from the account

09:05:00

  • Team members started to receive BetterStack alerts triggered by reports from Discord moderators and other team members

09:10:00

  • The team verified the authenticity of the alerts and started working out how to regain access to the account

09:18:00

  • A security team member used “super admin” access to assign themselves to the vault, which gave them access to the credentials needed to regain control of the account

09:37:00

  • After numerous failed login attempts, we found that the email address attached to the Twitter account had been changed, so the original email used to access the account was no longer valid

10:18:00

  • We started blocking the tokens advertised from the Twitter account in jup.ag’s search function, to reduce the chance of users buying them

10:30:00

  • Joined a call with an external security firm to help resolve the situation

10:59:00

  • Twitter Support emailed to confirm that they had blocked the attacker’s access to the account. However, they required additional verification steps before restoring our access

12:05:00

  • Twitter Support verified the information we provided and we regained control of the account

13:00:00

  • A thorough investigation began to determine the root cause of the breach

13:11:00

  • A team member regained delegated access to the JupiterExchange Twitter account to post a public message about the breach

14:21:00

  • A tweet was published informing the community that the account had been secured.


Findings from the investigation

  • Only two team members had access to the vault. Our initial check of the audit logs showed that no team member had accessed the vault or copied/revealed the Twitter password during the breach’s timeframe

  • During the investigation we identified a limitation in the vault’s logging. Access through a web browser generates comprehensive logs, but actions performed via the desktop application, browser extension, or mobile application may not be fully captured in the audit trail. We confirmed this inconsistency through internal testing
  • Looking closer at the inconsistency: sensitive actions such as “Reveal” and “Copy” are still logged from every client, but lower-level actions such as “Display” (the user clicking into an item) were not recorded from the non-web applications. An empty audit trail for those clients therefore shows that the password was not revealed or copied, not that the item was never opened
  • The access logs showed no new sessions created and no logins from unfamiliar devices. If an attacker had gained access to a team member’s vault account, the logs would have contained the message “An app or browser was used for the first time to securely log in to _____”

  • After checking the session logs of the key members with vault access, there was no indication that any new device had been authorised in the last 12 months
  • The two team members with vault access also confirmed that they still had their physical devices with them, which makes it unlikely that those devices were tampered with by an external actor. They also confirmed that they had not received any phishing emails and were not aware of any social engineering attempts against them

Two Factor Authentication

  • As a preventive measure, SMS-based two-factor authentication has been disabled since November 30, 2023 to mitigate SIM-swapping attacks
  • Time-based One-Time Passwords (TOTP) were implemented instead, with the TOTP secret stored in the vault and access restricted to the authorised devices of team members with vault permissions
  • Review of the vault audit logs for the incident timeframe showed no vault access, which confirms that no TOTP code was retrieved from the vault during that period
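The two findings above (the vault audit trail must be checked for reveal/copy events and first-time device logins inside the incident window, and the audit trail only has partial coverage for non-web clients) are the kind of check that is easy to get wrong by hand, especially with a report that mixes UTC and UTC+8. The script below is an added example, not code from the original report or from any vault product. The JSON-lines log format, the event names (`reveal`, `copy`, `display`, `new_device_login`, `grant_access`), the user names and every log line are constructed for illustration; the client coverage table (`DISPLAY_LOGGED`) encodes the report’s statement that only the web client records “Display”. The incident window is the report’s 00:40 to 04:30 UTC.

```python
"""Triage a password-vault audit log against an incident window.

Added example (not the report's code). The log lines, user names, client and
action names are constructed. Timestamps carry explicit offsets so that UTC+8
entries (the report's local zone) and UTC entries (the report's key timestamps)
can be compared without manual conversion.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Incident window from the report's "Key Timestamps" (UTC).
INCIDENT_START = datetime(2025, 2, 6, 0, 40, tzinfo=timezone.utc)
INCIDENT_END = datetime(2025, 2, 6, 4, 30, tzinfo=timezone.utc)

# Actions that expose the secret itself; "display" only shows the item was opened.
SENSITIVE_ACTIONS = {"reveal", "copy"}

# Assumption, from the report: only the web client logs "display" events.
DISPLAY_LOGGED = {"web": True, "desktop": False, "extension": False, "mobile": False}

# Constructed sample log (JSON lines, UTC+8 offsets). The 09:18/09:20/09:21 entries
# mirror the responder's super-admin self-assignment in the report's timeline.
SAMPLE_LOG = """\
{"ts": "2025-01-02T18:11:00+08:00", "user": "ops-a", "client": "web", "action": "reveal", "item": "twitter-main"}
{"ts": "2025-02-05T23:50:00+08:00", "user": "ops-b", "client": "desktop", "action": "display", "item": "discord-bot"}
{"ts": "2025-02-06T09:18:00+08:00", "user": "sec-a", "client": "web", "action": "grant_access", "item": "vault:social"}
{"ts": "2025-02-06T09:20:00+08:00", "user": "sec-a", "client": "web", "action": "reveal", "item": "twitter-main"}
{"ts": "2025-02-06T09:21:00+08:00", "user": "sec-a", "client": "web", "action": "new_device_login", "item": null}
{"ts": "2025-02-07T10:00:00+08:00", "user": "ops-a", "client": "mobile", "action": "copy", "item": "twitter-main"}
"""


@dataclass(frozen=True)
class Event:
    ts: datetime  # always timezone-aware, normalised to UTC
    user: str
    client: str
    action: str
    item: str | None


def parse_log(text: str) -> list[Event]:
    """Parse JSON lines into Events sorted by time; refuse naive timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"])
        if ts.tzinfo is None:
            raise ValueError(f"naive timestamp in audit log: {rec['ts']!r}")
        events.append(Event(ts.astimezone(timezone.utc), rec["user"],
                            rec["client"], rec["action"], rec.get("item")))
    return sorted(events, key=lambda e: e.ts)


def in_window(e: Event, start: datetime, end: datetime) -> bool:
    return start <= e.ts <= end


def sensitive_access(events, item, start, end, responders):
    """Reveal/copy of `item` inside the window, split into known responders
    (expected during recovery) and everyone else (needs explanation)."""
    hits = [e for e in events
            if in_window(e, start, end) and e.action in SENSITIVE_ACTIONS and e.item == item]
    return {"responder": [e for e in hits if e.user in responders],
            "unexpected": [e for e in hits if e.user not in responders]}


def new_device_logins(events, start, end):
    """First-time device logins inside the window (the report's 'app or browser
    was used for the first time' message)."""
    return [e for e in events if in_window(e, start, end) and e.action == "new_device_login"]


def coverage_gaps(events):
    """Users who have ever used a client that does not log 'display'. For them,
    an empty window proves no reveal/copy, not that the item was never opened."""
    gaps: dict[str, set[str]] = {}
    for e in events:
        if not DISPLAY_LOGGED.get(e.client, False):
            gaps.setdefault(e.user, set()).add(e.client)
    return gaps


def triage(text, item, start, end, responders):
    events = parse_log(text)
    return {"sensitive": sensitive_access(events, item, start, end, responders),
            "new_device_logins": new_device_logins(events, start, end),
            "coverage_gaps": coverage_gaps(events)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, "twitter-main", INCIDENT_START, INCIDENT_END, {"sec-a"})
    for key, value in report.items():
        print(key, value)
```

On the constructed log, the only reveal inside the window belongs to the responder who assigned themselves to the vault, the single first-time login is that same responder, and two users show up in `coverage_gaps` because they have used the desktop and mobile clients; those are the users for whom “no vault access” can only be stated for reveal/copy, not for opening the item.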

Historical movements of the credentials

  • The most recent authorised use of the credentials was during the Catstanbul livestream. During the stream setup, the account password and OTP were retrieved from the vault and entered manually on the streaming device. After the event, it was physically confirmed that the session had been logged off on the streaming device
  • Review of the vault audit logs has also identified two other timestamps of recorded activity prior to the incident
    • 2025-01-02 at 6:11 PM +8
    • 2024-08-18 at 11:44 AM +8

How Twitter deals with changing of key credentials

  • During internal testing we found that when logging in from a “new” device, you are not able to change the account’s credentials

  • For sensitive credential changes such as email and password, once you are logged in you only need the MASTER PASSWORD to make the change. Twitter DOES NOT REQUIRE your 2FA for these actions

  • If you change the account’s email, an email change notification email would be sent to your OLD email that was attached to the account.

  • If you change the account’s password, an email would be sent to the CURRENT email to notify you that the password has been changed

  • There were NO emails in our mailbox indicating that either of these actions had been performed

  • We also checked our Google Workspace audit logs for any sign of tampering with the mailbox (for example, deleted messages or forwarding rules), and found no such records

Twitter’s account access history

  • The account access history shows numerous accesses, but no firm conclusion could be drawn from it. This may be due to the limitations of the history itself, so we cannot draw definitive conclusions about the origin of the attack
    • Feb 6 2025, 8:26:42 AM → Team Member’s Access / Plane WIFI IP
    • Feb 6 2025, 7:00:45 AM → Typefully
    • Feb 6 2025, 4:04:11 AM → Team Member’s Access / IP from a VPN
    • Feb 6 2025, 3:48:33 AM → Team Member’s Access / IP from Singapore
    • Feb 6 2025, 2:46:34 AM → Team Member’s Access / IP from Singapore
    • Feb 6 2025, 1:44:22 AM → Team Member’s Access / IP was from the US

Third Party Application

  • Only Typefully was authorised on the Twitter account

  • Given the permissions it holds, the breach is unlikely to have originated from the third-party application: the attacker was able to host a Twitter Space, a feature that requires full account access

Token Addresses Advertised by the Attacker

While we have included the token addresses and transaction data as part of our investigation to trace the attacker, we explicitly discourage any interaction with these tokens. This information is shared purely for transparency and to document our on-chain analysis.

Gj7C9aztJRsMdpfUwoBM9qUaaXjRpVCNGCwCDakvsosJ

AXUkvPzQhJdS2w5t6XfVjgWy1fXtrsVDFByMVgoyeveP

  • $MEOW Token 2
  • Deployed by BEJoE3dFKTt1Y2am2uB8PxgsUKWejyEu4x5dVvhTZb2s
    • Funded by DVEsgYeHpGEdzBY8nWRw6jcu97fEb6x8CXcFN9Y97A1d
    • Which was in turn funded by 2jG8qikFcB1BXjU4pe6GSVV35Fe2EmzAtjsPzKbpFV4k, which is also linked to the first attacker

FupVnjj4oq36F7YrBfGPW1PaazXTtHdQfPY4R5fapump

ndLX6Zjb3f3V7Yz66YR4BR9qhFXKuK7rspq4zGqXFoE

31Kmp8UsV5DWsV3UD5tNVkyLLnRe81HLtHavEEQtpump

uw4QmLpaxEujbQtzFxyeXo7XXD8FBi4gY2Yqrmvpump
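The $MEOW Token 2 entry above is a funding-chain attribution: walk backwards from the token deployer through whoever funded it until a wallet already tied to the attacker is reached. The script below is an added example of that walk, not code from the original report. The three addresses it names (deployer, funder, attacker-linked wallet) and the two edges between them are quoted from the report; every other address and transfer in `TRANSFERS` is constructed to show the one caveat a practitioner needs, which is that a shared funder such as an exchange hot wallet links everyone and must not count as attribution. In real use `TRANSFERS` would be filled from an RPC or indexer query of transfers into each address; the tokens on the page with no stated funding information are deliberately left unconnected.

```python
"""Funding-chain attribution over SOL transfers (added example, not the report's code).

Edges marked "report" restate the chain the report gives for the $MEOW Token 2
deployer. Edges marked "constructed" are illustration only.
"""
from collections import deque

# Addresses quoted from the report.
MEOW2_DEPLOYER = "BEJoE3dFKTt1Y2am2uB8PxgsUKWejyEu4x5dVvhTZb2s"
MEOW2_FUNDER = "DVEsgYeHpGEdzBY8nWRw6jcu97fEb6x8CXcFN9Y97A1d"
ATTACKER_LINKED = "2jG8qikFcB1BXjU4pe6GSVV35Fe2EmzAtjsPzKbpFV4k"

# Constructed placeholders (not real on-chain addresses).
CEX_HOT_WALLET = "CEXHotWallet-constructed-placeholder"
UNRELATED_DEPLOYER = "UnrelatedDeployer-constructed-placeholder"

# (source, destination, lamports). Direction is "source funded destination".
TRANSFERS = [
    (ATTACKER_LINKED, MEOW2_FUNDER, 5_000_000_000),        # report
    (MEOW2_FUNDER, MEOW2_DEPLOYER, 1_200_000_000),         # report
    (CEX_HOT_WALLET, ATTACKER_LINKED, 20_000_000_000),     # constructed
    (CEX_HOT_WALLET, UNRELATED_DEPLOYER, 900_000_000),     # constructed
]

# Known high-degree wallets (exchanges, bridges): never expand through these,
# because everyone who withdrew from the same exchange would look "linked".
STOP_AT = frozenset({CEX_HOT_WALLET})


def build_funder_index(transfers):
    """Map each address to the set of addresses that sent it funds."""
    funders = {}
    for src, dst, _lamports in transfers:
        funders.setdefault(dst, set()).add(src)
    return funders


def funding_path(start, target, transfers, stop_at=frozenset(), max_hops=5):
    """BFS backwards ("who funded X?") from start to target.

    Returns the address list start -> ... -> target, or None. Addresses in
    stop_at are matched but not expanded, and the search gives up after
    max_hops so a badly filtered graph cannot wander across the whole chain.
    """
    funders = build_funder_index(transfers)
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        addr, path = queue.popleft()
        if addr == target:
            return path
        if addr in stop_at or len(path) > max_hops:
            continue
        for funder in sorted(funders.get(addr, ())):
            if funder not in seen:
                seen.add(funder)
                queue.append((funder, path + [funder]))
    return None


def shared_funders(a, b, transfers, stop_at=frozenset()):
    """Direct funders common to a and b, ignoring stop_at wallets. A non-empty
    result after filtering is a link worth investigating; a result that is
    only an exchange hot wallet is not."""
    funders = build_funder_index(transfers)
    return (funders.get(a, set()) & funders.get(b, set())) - set(stop_at)


def attribute_deployers(deployers, target, transfers, stop_at=frozenset()):
    """Path (or None) from each deployer back to the attacker-linked wallet."""
    return {d: funding_path(d, target, transfers, stop_at) for d in deployers}


if __name__ == "__main__":
    result = attribute_deployers([MEOW2_DEPLOYER, UNRELATED_DEPLOYER],
                                 ATTACKER_LINKED, TRANSFERS, STOP_AT)
    for deployer, path in result.items():
        print(deployer, "->", " <- ".join(path) if path else "no link")
    print("naive shared funder:", shared_funders(UNRELATED_DEPLOYER, ATTACKER_LINKED, TRANSFERS))
    print("filtered shared funder:", shared_funders(UNRELATED_DEPLOYER, ATTACKER_LINKED, TRANSFERS, STOP_AT))
```

The report’s chain comes back as a three-node path (deployer, funder, attacker-linked wallet). The constructed unrelated deployer shares the exchange hot wallet as a funder with the attacker-linked wallet, so a naive common-funder check would “link” it; once the hot wallet is in `STOP_AT` the link disappears, which is the behaviour you want before publishing an attribution.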

Deductions

  • It is possible that the email and password were phished or leaked during the sign-in on the new device at Catstanbul. However, without access to the OTP, the attacker would not have been able to complete a sign-in at the time of the attack, so we do not think this is the root cause.
  • Even if the attacker had an ongoing active session and took over the account by changing the email and password on February 6, 2025 (which does not require 2FA), we should still have received an email notification that these credentials had been changed. Given these facts, it is strange that no such emails were received.
  • Taken together, we lack sufficient evidence to conclude that our email and password were leaked and used for the account takeover
    • We also confirmed with the team members with vault access that they were not aware of any phishing or social engineering attempts against them
    • This is further supported by the vault’s audit log, which remained clean throughout the attack period
  • Based on our investigation, we believe the breach was caused by external factors rather than any failure on the team’s part to manage our credentials securely.

What have been done so far

The key team members with vault privileges have completed the steps described in the next section so that their operations can continue uninterrupted. The ops team has determined that the risk of persistent compromise has been mitigated and that these team members’ access to the credentials no longer poses a security concern.

Hardware Security Reset

  • The team members completed a full hardware refresh, replacing their primary work laptops and their personal mobile devices
  • This was done to eliminate any potential malware persistence or unauthorised access tooling on devices that might have been compromised

Follow-up actions

This incident has given the team valuable insights and take-aways. Below are some of the steps we are taking to further improve our security:

  • Mandatory credential rotation whenever sensitive credentials have to be entered on a new or external device
  • A comprehensive review and enhancement of our OPSEC procedures, so that proper guidelines are in place should a breach happen again

If you’ve made it this far, thank you very much! We know incident reports like this aren’t the most exciting read, but we hope it gives everyone a glimpse of what is being done behind the scenes and how we’re trying to make things better. We are also extremely grateful to the partners and friends who messaged us during the breach. The trust you have put in Jupiter means everything to us, and we are very grateful to have such a supportive community as we continue to build and improve the Jupiverse!! :tada:

13 Likes

By far the most detailed incident report I have seen on a hack.

Thanks for the transparency

6 Likes

Wow, this is a very sophisticated attack. Thank you for breaking it down.

3 Likes

This post helped me learn more. Thanks for your hard work and expertise, we really admire this Jupiverse and team! Thanks for your advice and explanation … very complete and showing each detail. Amazing report … happy to be part of this home, regards!

3 Likes

Thanks for being transparent about this and for doing all you can to get things back under control promptly as usual.

4 Likes

@doodoo1 I wanted to recognize your efforts to share this information in a professional manner. I noted that this was your first post, and it was really excellent! It’s very clear!

I wish you the best. Sincerely,

3 Likes

Has the Twitter handle ever been changed?

2 Likes

Thank you for this super detailed report. Can’t stop thinking that X has to step up a little bit regarding its security issues… not the first time we see big X accounts like Jupiter get hacked… and I’m referring to crypto accounts, of course…

3 Likes

Really appreciate the transparency and great details shown in the recent Twitter hack report. The Jupiverse is safe and sound with the community we have around here, feels good that nothing worse happened and I really hope that not a lot of people fell for the scammy tokens shared through the main twitter. Stay strong cats! :smirk_cat: :heart:

3 Likes

thanks for all the details!

this is really crazy!

1 Like

Thanks for the report. Very thorough, but unfortunate that the root cause still wasn’t determined.

2 Likes

nice report indeed,

we are making a killing with this type of documentation.

1 Like

I use it just to read my favorite news and more; I totally avoid this (X) in my life. My favorite way to stay active in this house is with Jupisearch. Fake accounts and dangerous links cause confusion and loss of funds. Knowledge of technology is required to avoid tricky hackers. Definitely an X failure to expose.

3 Likes