Security Incident Report: CloutSpy & BitWatcher

This report describes the CloutSpy/BitWatcher security incident and some of the methods employed by the bad actor facilitating the theft of funds.


On June 16, 2021, several BitClout users reported that their accounts had been compromised and that $Clout from their accounts had been transferred to other profiles without their consent. A collective of engineers and developers on BitClout informally known as the Cloutectives launched an investigation into this incident. They concluded that the browser extensions CloutSpy and BitWatcher contained malicious code in their executable files that compromised users' seed phrases and facilitated the theft of funds.

Over 30 BitClout accounts were found to have been compromised, while around $30,000 worth of $Clout was funneled into a single account. Most, if not all, of these funds were returned to users within three days of the initial incident.

This report describes the CloutSpy/BitWatcher security incident and some of the methods employed by the bad actor. The article also provides guidance to users whose accounts have been compromised.

WARNING

If you have ever used CloutSpy or BitWatcher executable files in the past, please follow these instructions before reading to ensure your BitClout funds are secure:

  1. Delete CloutSpy.exe or BitWatcher.exe
  2. Create a new BitClout account
  3. Transfer all your holdings to this new account
  4. Rename the previous account and reclaim your username on the new account

This process may be tedious, but this is the only way to ensure that your funds are safe after using either of these extensions.

Contributors

The following community members contributed to the investigation.

How It Happened

On June 16, several community members were gathered in a Zoom call when one participant noticed that his holdings were being transferred from his profile without his consent. @dgsus was in the video call and began looking into it.

He soon connected with other Cloutectives contributors, including @Taonaya and @smartalec, who had also been alerted to reports of users losing their BitClout holdings.

The investigators gathered in a group chat and pooled information about affected accounts. They followed two important leads.

First, they tracked the transfer of funds from the initial withdrawal from compromised accounts to their final destination, a single BitClout wallet. As @tijn and @HPaulson discovered, the bad actor made multiple transfers, including from some compromised accounts to others, to conceal their actions.

Meanwhile, the team contacted users whose accounts had been compromised and determined which apps or web extensions had been used in common. It turned out that the common denominators were the browser extensions CloutSpy and BitWatcher. Both apps were developed by the same person or team of devs.
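The two leads described above (tracing withdrawals from compromised accounts through intermediate hops to a single destination wallet, and finding which extensions every affected user had in common) are the kind of work an incident responder can script. The following is an added illustration, not code from the Cloutectives investigation: it runs over a small constructed ledger and constructed victim reports, with hypothetical account names (`victim_a`, `mule_1`, `collector`, etc.) and a made-up incident timestamp, and shows both the fund-flow trace and the common-denominator check.

```python
from collections import defaultdict, deque
from typing import Dict, List, NamedTuple, Set


class Transfer(NamedTuple):
    ts: int        # timestamp (seconds); constructed, not real chain data
    src: str       # sending account
    dst: str       # receiving account
    amount: float  # amount of $Clout moved


# Constructed sample ledger. Account names are hypothetical.
# Note the victim-to-victim hop (victim_a -> victim_b) used to muddy the trail.
TRANSFERS: List[Transfer] = [
    Transfer(900,  "victim_a", "friend",    5.0),   # legitimate, before the incident
    Transfer(1001, "victim_a", "victim_b", 40.0),   # compromised -> compromised hop
    Transfer(1002, "victim_b", "mule_1",   70.0),
    Transfer(1003, "victim_c", "mule_1",   20.0),
    Transfer(1004, "victim_a", "mule_2",   10.0),
    Transfer(1005, "mule_1",   "collector", 90.0),
    Transfer(1006, "mule_2",   "collector", 10.0),
]

COMPROMISED: Set[str] = {"victim_a", "victim_b", "victim_c"}
INCIDENT_START = 1000  # constructed cut-off; earlier transfers are ignored

# Constructed victim reports: which extensions each affected user had installed.
VICTIM_EXTENSIONS: Dict[str, Set[str]] = {
    "victim_a": {"CloutSpy", "BitWatcher", "SomeWallet"},
    "victim_b": {"CloutSpy", "BitWatcher", "PriceTicker"},
    "victim_c": {"CloutSpy", "BitWatcher"},
}


def outgoing_since(transfers: List[Transfer], since: int) -> Dict[str, List[Transfer]]:
    """Index post-incident transfers by sending account."""
    out: Dict[str, List[Transfer]] = defaultdict(list)
    for t in transfers:
        if t.ts >= since:
            out[t.src].append(t)
    return out


def trace_sinks(transfers: List[Transfer], compromised: Set[str], since: int) -> Dict[str, float]:
    """Follow post-incident outgoing transfers from every compromised account.

    Accounts that are reached but make no further outgoing transfer are
    terminal sinks; the amount landing in each one is summed.
    """
    out = outgoing_since(transfers, since)
    sinks: Dict[str, float] = defaultdict(float)
    seen: Set[str] = set()
    queue = deque(compromised)
    while queue:
        acct = queue.popleft()
        if acct in seen:
            continue
        seen.add(acct)
        for t in out.get(acct, []):
            if not out.get(t.dst):          # no onward transfer: terminal destination
                sinks[t.dst] += t.amount
            queue.append(t.dst)             # keep walking through intermediate hops
    return dict(sinks)


def pass_through_accounts(transfers: List[Transfer], compromised: Set[str], since: int) -> Set[str]:
    """Accounts that received stolen funds and forwarded them on (neither victim nor sink)."""
    out = outgoing_since(transfers, since)
    reached: Set[str] = set()
    queue = deque(compromised)
    while queue:
        acct = queue.popleft()
        if acct in reached:
            continue
        reached.add(acct)
        queue.extend(t.dst for t in out.get(acct, []))
    return {a for a in reached if a not in compromised and out.get(a)}


def common_extensions(reports: Dict[str, Set[str]]) -> Set[str]:
    """Extensions present in every victim's report: the common denominator."""
    if not reports:
        return set()
    return set.intersection(*reports.values())


if __name__ == "__main__":
    print("funds landed in:", trace_sinks(TRANSFERS, COMPROMISED, INCIDENT_START))
    print("intermediate hops:", pass_through_accounts(TRANSFERS, COMPROMISED, INCIDENT_START))
    print("common extensions:", common_extensions(VICTIM_EXTENSIONS))
```

On the constructed ledger the trace ends at a single `collector` account holding 100.0 $Clout, with `mule_1` and `mule_2` flagged as the hops used to obscure the route, and the extension intersection narrows to `CloutSpy` and `BitWatcher`. The intermediate-hop set is what you would hand to platform developers when asking for accounts to be blacklisted, alongside the final destination.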


@smartalec and other contributors then worked on determining whether the two apps contained malware of any kind. Their analysis revealed that the executable files of the two apps contained a trojan in their code.

The malware scraped the data of commonly used browsers, identified BitClout seed phrases, and sent them to the bad actor.

It's worth emphasizing a few points about the extensions and how they worked:

  • Both CloutSpy and BitWatcher were available as open source extensions on the developer's GitHub. These versions didn't contain malware. Only the executable files looked up seed phrases.

  • The malware only looked for BitClout public keys and their associated seed phrases. As far as the investigation could determine, the bad actor was not interested in other data such as bank information.

  • BitClout.com was not responsible in any way for this security incident. Only accounts whose owners installed either extension were at risk.

  • You can read the full technical incident report by @smartalec here.

The Aftermath

As mentioned above, the bad actor returned the funds to accounts they compromised within three days of the start of the investigation. Notably, the Cloutectives did not contact any users associated with CloutSpy or BitWatcher. One can only speculate why they decided to return the $Clout they took.

With help from BitClout.com developers, the accounts associated with CloutSpy and BitWatcher have been blacklisted.

Once again, if you have ever downloaded and installed either of these executable files, please follow the instructions above to ensure your holdings are safe. More generally, it is absolutely crucial that users, especially ones less experienced with software engineering and development, only use extensions that are trusted or verified by the larger BitClout community.

How do we determine who is trusted? Here are some points to consider before you install an extension, and especially before you run an executable file:

  • Check the app's BitClout profile. If it credits developers, are these developers active in the community and possibly verified by BitClout.com?
  • Is the app or project listed on sites like BitHunt, which require an application process before being featured?
  • Join communities outside BitClout.com like the Discord server and ask about the app if you are unsure. What do other users have to say?

Understanding how to keep your seed phrase secure and helping other users do the same is essential with any cryptocurrency. With BitClout, it is perhaps even more important to communicate information about security, because this platform is intended to be accessible to the average social media user, who may be unfamiliar with concepts like seed phrases and executable files.

If you have any questions about the CloutSpy/BitWatcher security incident and this report, feel free to get in touch with any of the contributors listed above.
