This is a breaking news alert from @BitsTODAY, @BitCloutPulse and esteemed members of the BitClout development community. Given the time-sensitive nature of this communication, we’re keeping this short and to the point.
If you ever used the applications @cloutspy or @bitwatcher, your BitClout account may be compromised. More details provided below.
Before continuing, if you are concerned about the security of your account, we recommend you:
- Do NOT run the executable versions of @cloutspy or @bitwatcher on your computer
- Delete the above named applications from your computer and / or delete any corresponding browser extensions
- Create a new, secure BitClout account (making sure to secure the seed phrase as well)
- Transfer any $clout funds and creator coins that are important to you to the new account
- You can subsequently transfer your handle as well
Around June 16th, a bad actor made his first public move with maliciously acquired data. Ultimately more than 30 BitClout accounts were compromised and more than 200 $clout ($30,000) was misappropriated. The manner in which the bad actor was able to compromise BitClout accounts has now been identified. The executable versions of the applications @cloutspy and @bitwatcher both include malware that can extract browser-specific app data, e.g. seed phrases, allowing their developer to access the BitClout accounts of any user who ran the program on their computer. When we say executable versions, we mean versions of the apps that run as programs on your operating system, as opposed to over the web.
Previous account compromises that were documented on June 12th (i.e. of user @uddeshya) were not related to this incident.
@tijn, @dgsus, and @hpaulson began their initial legwork about a week ago, following the breadcrumbs of fund transfers from compromised accounts and looking for common denominators in the programs that clouters who lost funds remembered using. The bad actor transferred funds between many of the compromised accounts to complicate the trail. The funds ultimately landed in anonymous accounts, as well as in @pr12m. As we now know, late last week, @pr12m ended up returning all the stolen funds to their respective owners. We won’t speculate on the motivation here — let’s dig deeper into how the accounts were actually compromised. 👇
The all-star squad’s investigation revealed that the trojan in the code scraped the majority of typically used browsers; the malware wasn’t limited to, say, Chrome users. The team also concluded that the online plug-in versions of these apps did not include the malware; unless you ran the executable versions of these apps, your seed phrase is likely still secure. The malware only searched for BitClout seed phrases; while it could have tried to sweep other browser data, such as bank passwords, the bad actor here was only interested in hacking BitClout accounts (at least up until this point). For a full technical rundown and subsequent findings, please visit THIS LINK from @smartalec.
So … who dunnit? Both @cloutspy and @bitwatcher were developed by the same individual or team. While we will not reveal the identity of the developer of these apps, their Discord username is known. References to how their malware worked were actually also present on the developers’ GitHub. We will not link to that work here so as to discourage other bad actors from using it. Today, both accounts have been blacklisted from Bitclout.com. If you search for their account on that node, you’ll get a 404 error.
Beyond the danger this incident posed to the individuals who used these apps, and the damage done to broader trust in the BitClout community, this incident reveals a few important lessons for us all. For one, just because an app has open-sourced its code on GitHub doesn’t mean users should trust it. @cloutspy had published the purported code for their app on GitHub. But if users installed the executable versions and didn’t inspect the code, they wouldn’t have realized the program was actually running malware before doing any of the things the open-source code said the app would do. In short, just because you see open-source code on GitHub, that doesn’t mean that’s exactly what’s going to run on your computer. Further, take special caution when running programs that are executable on your computer, as opposed to just over the web.
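The lesson above is that a downloaded executable and the source published beside it are two different things. One practical check a user can make before running a program is to confirm that the file they downloaded is byte-for-byte the one the publisher actually released. The script below is an added example written for this alert; it is not code from @cloutspy, @bitwatcher, or any of the investigators, and the alert itself does not describe any such verification step. It assumes the publisher ships a SHA256SUMS-style manifest (one line per file, hex digest then filename), and the file names and contents in `demo()` are constructed placeholders.

```python
"""Verify downloaded release artifacts against a published checksum manifest.

Added example for this alert (not code from the apps or investigators named
in it). Assumption: the publisher distributes a SHA256SUMS-style manifest,
"<64 hex chars>  <filename>" per line, alongside the binaries. A matching
digest shows the file is the one the publisher released; it does not by
itself prove the binary was built from the published source, so it is a
first check, not a substitute for a reproducible build or a code audit.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact held in memory as bytes."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse 'digest  filename' lines into {filename: digest}.

    Blank lines and '#' comments are skipped. A leading '*' on the filename
    (sha256sum's binary-mode marker) is dropped. Malformed lines raise.
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts
        expected[name.strip().lstrip("*")] = digest.lower()
    return expected


def verify(files: dict, manifest: dict) -> dict:
    """Compare {filename: bytes} against {filename: digest}.

    Returns one status per name: 'ok', 'MISMATCH' (content differs from the
    published digest), 'missing' (listed but not downloaded) or 'unlisted'
    (downloaded but absent from the manifest, so it cannot be vouched for).
    """
    status = {}
    for name, digest in manifest.items():
        if name not in files:
            status[name] = "missing"
        elif sha256_hex(files[name]) == digest:
            status[name] = "ok"
        else:
            status[name] = "MISMATCH"
    for name in files:
        if name not in manifest:
            status[name] = "unlisted"
    return status


def demo() -> dict:
    """Constructed scenario: one intact download, one altered download."""
    # Constructed sample contents standing in for two real release builds.
    released_linux = b"constructed sample: linux build from the published source\n"
    released_win = b"constructed sample: windows build from the published source\n"
    # The publisher's manifest lists the digests of what they released.
    manifest = parse_manifest(
        f"{sha256_hex(released_linux)}  app-linux-x64\n"
        f"{sha256_hex(released_win)}  *app-win-x64.exe\n"
    )
    # What the user actually downloaded: the linux file is intact, the
    # windows file has been altered (extra bytes stand in for a swapped build).
    downloaded = {
        "app-linux-x64": released_linux,
        "app-win-x64.exe": released_win + b"constructed sample: altered bytes\n",
    }
    return verify(downloaded, manifest)


if __name__ == "__main__":
    for name, result in sorted(demo().items()):
        print(f"{result:9} {name}")
```

Run it directly and it reports `ok` for the intact file and `MISMATCH` for the altered one. Any result other than `ok` means the file should not be run until the discrepancy is explained by the publisher.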
What should BitClout community members do moving forward? We certainly don’t want to create unnecessary FUD (“Fear, uncertainty, doubt”) that would harm the broader, well-intentioned development community. There are many great apps built on BitClout that are safe to use.
What’s important is that users only run programs and use plug-ins built by trusted community members and teams. How do we establish this trust? There is no exact science here, but builders who show their work in public, have a strong track record, are respected and active in the broader community, and whose work has been audited by other community members tend to be safer. The project @DevAudit, under which @smartalec is publishing the technical bulletin, is working to find solutions for this with members of @cloutectives (more details below) and other trusted creators and users in the community.
Looking for more information? These events and additional information will be covered in greater depth on the @BitCloutPulse stage shortly (beginning 9:30 PM EST this evening). Please join (link HERE) to learn more from the team that conducted this investigation and to pose your questions. Additional questions can also be posed to @cloutectives, an account managed by @dgsus that also serves as a collective for members of the team that investigated this incident. As mentioned previously, a full technical bulletin from @smartalec is also available HERE.
The @BitsTODAY team would like to thank all above-mentioned investigators and @BitCloutPulse for arming us with the information to make this announcement, as well as of course for their diligent work. We’re continuously encouraged by all that clouters do to make this community stronger.
Stay safe and happy clouting,
The @BitsTODAY team