Beware of Phishing Attacks by Fake Journalists

Nov 13, 2023



On October 14, Twitter user Masiwei reported malicious code targeting for account theft.

According to the analysis by the SlowMist Security Team, the link sent by the attacker contained a malicious JavaScript script. The attacker would trick users into adding it as a bookmark, laying the groundwork for future malicious activities. Following this discovery, SlowMist issued a security warning on Twitter. The team had previously written an article about browser bookmark attacks, titled “SlowMist: Exposing How Malicious Browser Bookmarks Can Steal Your Discord Token.”

On October 17, a user of named Double Wan tweeted that their assets on were stolen. The SlowMist Security Team immediately assisted the victim in tracking and investigating the theft. Through the efforts of the SlowMist team and the cooperation of OKX, the stolen funds were successfully intercepted. Below, we will detail the process of phishing attacks by fake journalists, hoping to raise awareness and help everyone better guard against such scams.

Attack Process

Disguising Identity

In the digital world, one can easily fabricate their identity. The attacker masqueraded as a journalist from a well-known news agency and even had over ten thousand followers on Twitter.


The malicious JavaScript was designed to attack users. Naturally, the attacker chose Key Opinion Leaders (KOLs) as targets: given their popularity, they would find it reasonable to receive interview invitations.

The attacker would follow people you are following on Twitter. When you visit the attacker’s Twitter page and see some mutual follows, it creates the impression that they are a part of the same community.

Building Trust

After scheduling an interview, the attacker would guide you to join the interview on Telegram and even provide an interview outline.

And so, you diligently prepare based on the interview outline provided by the attacker and engage in a two-hour interview, listening to two “hosts” conversing back and forth. It all seems legitimate, as you anticipate the interview being published on a renowned news website.

The Moment of Attack

After the interview, the attacker asks you to fill out a form and open a phishing link they provide. Under its “Verify” section, the page gives detailed explanations of why and how to verify: “To prevent impersonation, you must verify the ownership of your account. Please follow the instructions below to complete the verification process. To verify your account, drag the ‘Verify’ button to your bookmark bar, then go to the website and click on the bookmark to verify.”

Once a user opens the bookmark containing the malicious JavaScript script on the page, the malicious code is designed to deceive and steal the user’s password (i.e.,’s 2FA), as well as the tokens associated with the embedded wallet Privy used by the account. This means that both the user’s account and the related funds are at risk of being stolen.

Our founder, Cos, also emphasized the severity of such attacks. If your independent password, i.e., the 2FA for, is stolen, and you have set up information related to and its embedded wallet Privy (including other relevant information in localStorage), then your private key plaintext can also be stolen. This means that your account is effectively rendered useless unless is willing to provide you with a new private key and corresponding wallet address.

Preventive Measures

- Heighten awareness of social engineering attacks.

- Avoid clicking on unknown links.

- Learn basic methods to identify phishing links, such as checking for misspellings or extra punctuation in domain names, and ensuring they match official domains.

- Install anti-phishing plugins, as detailed in our previous public articles, like “How to Choose an Anti-Phishing Plugin.”
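To check a browser profile for the kind of bookmark described under “The Moment of Attack”, the following added example (not SlowMist's code and not part of the original article) lists every `javascript:` bookmark in a Chromium-style `Bookmarks` JSON file and flags those that touch storage or network APIs. The indicator list, the function names and the sample data are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import unquote

# Browser APIs a bookmarklet needs in order to read session data or send it out.
SENSITIVE = ("localStorage", "sessionStorage", "document.cookie", "indexedDB",
             "fetch(", "XMLHttpRequest", "sendBeacon", "atob(", "eval(")
SCHEME = re.compile(r"^\s*javascript:", re.IGNORECASE)


def walk(node, path=()):
    """Yield (folder_path, name, url) for every URL entry under a bookmark node."""
    if node.get("type") == "url":
        yield "/".join(path), node.get("name", ""), node.get("url", "")
    for child in node.get("children", []):
        yield from walk(child, path + (node.get("name", ""),))


def audit_bookmarks(bookmarks):
    """Return findings for javascript: bookmarks in a parsed Bookmarks file."""
    findings = []
    for root in bookmarks.get("roots", {}).values():
        if not isinstance(root, dict):  # skip non-folder metadata under "roots"
            continue
        for folder, name, url in walk(root):
            if not SCHEME.match(url):
                continue
            body = unquote(url)  # bookmarklets are often percent-encoded
            hits = [s for s in SENSITIVE if s.lower() in body.lower()]
            findings.append({"folder": folder, "name": name, "indicators": hits,
                             "severity": "high" if hits else "review"})
    return findings


# Constructed sample in the Chromium "Bookmarks" JSON layout; the scripts are inert.
SAMPLE = json.loads('''
{"roots": {
  "bookmark_bar": {"type": "folder", "name": "Bookmarks bar", "children": [
    {"type": "url", "name": "News", "url": "https://example.com/"},
    {"type": "url", "name": "Verify",
     "url": " JavaScript:void(localStorage.getItem(%22token%22))"},
    {"type": "url", "name": "Print", "url": "javascript:window.print()"}]},
  "other": {"type": "folder", "name": "Other bookmarks", "children": []}},
 "version": 1}
''')

if __name__ == "__main__":
    for f in audit_bookmarks(SAMPLE):
        print(f"[{f['severity']}] {f['folder']}/{f['name']}: {f['indicators']}")
```

Any `javascript:` bookmark is reported, because a bookmark that runs script on the page you are viewing deserves a manual look even when none of the listed APIs appear in it.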


Social engineering attacks and phishing scams are constantly evolving. The victim in this incident, who was just practicing English speaking skills, ended up having all their funds on stolen. While we might not be familiar with all these scams, we can avoid most phishing attacks by: not clicking unknown links; learning to identify phishing links; and maintaining skepticism and continuous verification for actions involving authorization or password input. Lastly, we recommend reading SlowMist’s “Blockchain Dark Forest Self-Rescue Manual” available at:




SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.