ZkPass ZKP Airdrop Phishing Via Hacked Twitter/X Account

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository



ZKPass Logo/Homepage

ZKPASS is a privacy-focused protocol that connects Web2 and Web3 ecosystems, allowing users to verify private data securely using Multi-Party Computation (MPC), Zero-Knowledge Proofs (ZKP), and an enhanced 3P-TLS protocol. It ensures privacy by letting users generate ZKPs locally without revealing sensitive details, preventing fraud and tampering. ZKPASS is compatible with HTTPS-based systems and supports use cases like decentralized identity verification and DeFi lending. Recently, the project's X account was compromised, leading to phishing tweets, and some users reported losses. The team does not appear to have acknowledged the hack officially on their Twitter.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27][28][29][30][31][32][33][34][35][36][37][38][39][40][41][42][43][44][45][46][47][48][49][50]

About ZKPass

ZKPASS is a privacy-focused protocol designed to bridge Web2 and Web3 ecosystems by allowing users to verify private data without revealing sensitive details. It integrates key technologies like Multi-Party Computation (MPC), Zero-Knowledge Proofs (ZKP), and an enhanced 3P-TLS protocol to enable secure logins, data verification, and privacy preservation. Users can generate ZKPs locally, ensuring their data remains private, while the platform prevents fraud and tampering. ZKPASS offers compatibility with HTTPS-based sessions, making it efficient and easy to integrate into existing systems. It supports use cases like decentralized identity verification, DeFi lending, healthcare data marketplaces, and more. Additionally, ZKPASS is designed for memory efficiency, allowing for quick proof generation even in browser environments.

"$ZKP airdrop is live! Any wallet that has traded any token in the past 40 days may be eligible. Check your allocation"

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

Someone managed to gain access to the ZKPass Twitter account and posted a series of tweets about a new $ZKP token which they had launched. They falsely represented their token as being officially affiliated with ZKPass.

Key Event Timeline - zkPass ZKP Airdrop Phishing Via Hacked Twitter/X Account

Date | Event | Description
December 19th, 2024 11:39:00 AM MST | Initial Dither Bonded Pump | A tweet by "Dither Bonded Pump" promotes the new token via Twitter/X.
December 19th, 2024 11:57:00 AM MST | Bull Pump Tweet Promotion | A tweet by "Bull Pump" promotes the new token.
December 19th, 2024 12:03:00 PM MST | Low Marketcap Great Opportunity | Twitter user @Rcjz69 notes "Low Mcap. Bought at 67k" and that the "address is in official site".
December 19th, 2024 12:09:00 PM MST | Skeptical CoinHuntersTR | CoinHuntersTR appears to be the first user to be skeptical of the new token, but asks the question "Hacked??" rather than making a statement.
December 19th, 2024 12:12:00 PM MST | Francis_Berwa First Warning | Francis_Berwa is the first to declare that the account is hacked.
December 19th, 2024 12:19:00 PM MST | Warning From Team Developer | @Ryan_zkHolipop, a developer of zkPass, tweets to warn users of the compromised account.
December 19th, 2024 6:22:00 PM MST | Scam Sniffer Warning | Scam Sniffer posts a warning about the compromised account tweet.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

"According to Scam Sniffer's monitoring, the privacy-preserving data verification protocol zkPass's X account was compromised and used to post phishing tweets."

Ultimate Outcome

It does not appear that ZKPass posted anything until January 6th, or has acknowledged the hack in any way. Multiple users have reported losses.

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. @realScamSniffer Twitter (Accessed Jan 29, 2025)
  2. zkPass - Private Data Protocol (Accessed Jan 29, 2025)
  3. @BondedPump Twitter (Accessed Jan 29, 2025)
  4. @Ryan_zkHolipop Twitter (Accessed Jan 29, 2025)
  5. @Rcjz69 Twitter (Accessed Jan 29, 2025)
  6. @Bull_Pump Twitter (Accessed Jan 29, 2025)
  7. @CoinHuntersTR Twitter (Accessed Jan 29, 2025)
  8. @Francis_Berwa Twitter (Accessed Jan 29, 2025)
  9. @Kryptospherus Twitter (Accessed Jan 29, 2025)
  10. @Trknerknci Twitter (Accessed Jan 29, 2025)
  11. @michael314 Twitter (Accessed Jan 29, 2025)
  12. @DhimasBagusSep5 Twitter (Accessed Jan 29, 2025)
  13. @n0yuh Twitter (Accessed Jan 29, 2025)
  14. @Zek_eth Twitter (Accessed Jan 29, 2025)
  15. @SuplabsYi Twitter (Accessed Jan 29, 2025)
  16. @NeOnRainX Twitter (Accessed Jan 29, 2025)
  17. @0xaudney Twitter (Accessed Jan 29, 2025)
  18. @gu5371804581905 Twitter (Accessed Jan 29, 2025)
  19. @shissuu_ Twitter (Accessed Jan 29, 2025)
  20. @brlstync Twitter (Accessed Jan 29, 2025)
  21. @splashy_effort Twitter (Accessed Jan 29, 2025)
  22. @1c4m3by Twitter (Accessed Jan 29, 2025)
  23. @millat_misu Twitter (Accessed Jan 29, 2025)
  24. @bv99z Twitter (Accessed Jan 29, 2025)
  25. @chingoarts Twitter (Accessed Jan 29, 2025)
  26. @codeglitch Twitter (Accessed Jan 29, 2025)
  27. @cryptoegeo Twitter (Accessed Jan 29, 2025)
  28. @Bliiighty Twitter (Accessed Jan 29, 2025)
  29. @sumit8676 Twitter (Accessed Jan 29, 2025)
  30. @iskenderETH Twitter (Accessed Jan 29, 2025)
  31. @cucus0 Twitter (Accessed Jan 29, 2025)
  32. @tiktok_onfire77 Twitter (Accessed Jan 29, 2025)
  33. @mrgreengold_ofc Twitter (Accessed Jan 29, 2025)
  34. @apy1000 Twitter (Accessed Jan 29, 2025)
  35. @quiconch Twitter (Accessed Jan 29, 2025)
  36. @JohnTears Twitter (Accessed Jan 29, 2025)
  37. @AmanOnchain Twitter (Accessed Jan 29, 2025)
  38. @solminingpunk Twitter (Accessed Jan 29, 2025)
  39. @Moorlach Twitter (Accessed Jan 29, 2025)
  40. @webtechtr Twitter (Accessed Jan 29, 2025)
  41. @gabcoin_ Twitter (Accessed Jan 29, 2025)
  42. @yavuzsyildiz Twitter (Accessed Jan 29, 2025)
  43. @AlexNest2020 Twitter (Accessed Jan 29, 2025)
  44. @yamancan_ Twitter (Accessed Jan 29, 2025)
  45. @crypto_Jahan Twitter (Accessed Jan 29, 2025)
  46. @ZheSolworks Twitter (Accessed Jan 29, 2025)
  47. @saifamerr Twitter (Accessed Jan 29, 2025)
  48. @AirdropAlarmCom Twitter (Accessed Jan 29, 2025)
  49. @BasedNormye Twitter (Accessed Jan 30, 2025)
  50. What are Zero-Knowledge Proofs in Crypto? (Accessed Jan 30, 2025)