IFTTT (If This Then That), a third-party automated posting service, has been held responsible for a new series of scam posts on platform X that encouraged potential victims to send money to a wallet address for a meme token called PACKY within the Solana ecosystem. On March 21st, scammers used the X accounts of a16z advisor Packy McCormick, Coinbase product director Scott Shapiro, Twitch co-founder Justin Kan, and several crypto influencers to promote the fake token.
IFTTT Connection and Identity Attacks
McCormick announced that his account had been compromised and that he was working to fix it. He warned followers not to click on any links from his X profile and not to send money to a random address. Following this, a post about PACKY and a Solana wallet was shared on the X profile. McCormick shared the following statement:
“It seems the hacker gained entry through IFTTT (If This Then That), which I had given Twitter access permission to about a decade ago.”
IFTTT is a web-based service, launched in 2011, that allows users to create automated workflows between different internet-based applications and services. Blockchain detective ZachXBT noted that after Twitch co-founder Justin Kan shared a similar post from his X account, he had apparently been hacked, and warned not to buy the meme coin.
Coinbase product director Scott Shapiro was also hacked, with a malicious message claiming he had collaborated with CEO Brian Armstrong to launch the PACKY token. Shapiro warned about leaving old third-party applications connected:
“Is there anything that better explains this list of connected applications in Web 2.0? It’s creepy to see how many decade-old auth tokens are among these graveyards.”
Noteworthy Details on the Issue
The hacker also infiltrated the X accounts of Rainbow co-founder Mike Demarais, Asymmetric Finance founder and CEO Joe McCann, and digital pop artist Bryan Brinkman. Brinkman apologized for the scam posts, confirmed that the IFTTT account connected as an app to his X profile had been breached, and shared the following statement:
“If you sent money to this scam address, please contact me, I will find a way to fix this. The lesson here is that even with 2FA and Yubikey, there are always security vulnerabilities, stay safe.”
Platform X continues to be a haven for illegal activities, scams, and hacking. Even the SEC's official account was compromised just one day before the regulator approved spot Bitcoin ETFs in January.