Fraudsters use bots to monitor Tweets requesting support to MetaMask, TrustWallet, and other crypto wallets to respond with scams within seconds, BleepingComputer reports.
To launch these targeted attacks, scammers monitor all public Tweets fro specific keywords and phrases, such as “support”, “assistance” and “help”, paired with “MetaMask”, “Phantom”, “Yoro” and “TrustWallet”. Twitter bots are used to respond to these Tweets automatically, posing as a fake customer service representative offering a malicious link that steals the victim’s cryptocurrency wallet.
All scammers’ replies have the same purpose of stealing the recovery phrase of the victim’s wallet, which an attacker can use to import the wallet to their device. In order to steal recovery/seed phrases, threat actors set up support forms on Google Docs and other cloud platforms. These forms mimic a simple support form and ask the user for their email address, problem, and wallet recovery kit, as shown in the fake MetaMask support form below.