The X account of Ethereum co-founder Vitalik Buterin was reportedly compromised and used by scammers to spread a phishing link disguised as a promotional giveaway. According to onchain investigator ZachXBT, the attack resulted in more than $691,000 in stolen digital assets, highlighting once again how hacked social media profiles can be weaponized in crypto-related fraud.
A fake “free collectible” post triggered the attack
The malicious post appeared to celebrate the arrival of Proto-Danksharding on Ethereum, presenting users with an opportunity to claim a commemorative NFT collection for free. The tactic followed a familiar pattern used in many crypto phishing scams: victims were encouraged to click a link, connect their wallets, and authorize a transaction under the impression that they were receiving a legitimate digital collectible.
Instead, the interaction exposed wallets to theft. The post was later deleted, but not before users had already been affected. The incident shows how quickly a compromised high-profile account can become an effective distribution channel for fraudulent links, especially when the message is tied to a real Ethereum development narrative and appears to come from one of the ecosystem’s most trusted figures.
Warnings emerged quickly from family and community members
Shortly after the suspicious post appeared, Dmitry Buterin, Vitalik’s father, warned users on X not to trust it. He stated that Vitalik had apparently been hacked and was working to restore access to the account. That warning became an important signal to the community, which moved quickly to amplify the message and reduce further damage.
Prominent voices in crypto also issued alerts. Among them was Ethereum developer Bok Khoo, known on X as @Bokkypoobah, who said he had “lost a few Punks” in the incident and urged followers not to interact with the link. His statement offered an early indication that the scam had already gone beyond an attempted phishing campaign and had begun producing substantial real-world losses.
Stolen assets included high-value CryptoPunks
Blockchain sleuth ZachXBT later reported that the total drained by the attackers had reached $691,000. He also shared details on some of the stolen assets, which included several valuable NFTs. Among the most notable were Cryptopunk #3983 and Cryptopunk #1751.
At the time referenced in the report, Cryptopunk #3983 was estimated at 153.62 ETH, or roughly $250,000, while Cryptopunk #1751 was valued at 58.18 ETH. The theft of these blue-chip NFTs underscored the seriousness of the breach and showed that sophisticated scammers are not merely targeting small balances but actively exploiting trusted accounts to seize premium digital assets.
The scale of the losses also demonstrates a recurring vulnerability in crypto markets: a single compromised social profile can trigger significant wallet drain events within minutes, especially when the account belongs to a founder, developer, or major public figure whose followers are accustomed to interacting with announcements and ecosystem updates.
Possible link to Pink Drainer raised by observers
Crypto journalist Colin Wu, known online as Wu Blockchain, also warned followers about the suspected compromise. In his comments, he pointed out that this was not an isolated case and recalled that Hayden Adams, the Uniswap founder and Ethereum Foundation member, had experienced a similar X account incident earlier in the year.
Wu later suggested that the compromise of Vitalik Buterin’s account may be connected to a hacker or hacking group referred to as Pink Drainer. While the report did not present a definitive attribution, the mention reflects a broader concern in the industry that certain wallet-draining operations have become organized, repeatable, and highly effective at exploiting social trust.
If accurate, such a connection would fit a pattern increasingly seen in crypto-focused cybercrime: attackers compromise influential accounts, post links tied to a believable narrative, and use wallet-draining infrastructure to steal tokens and NFTs from users who react quickly without verifying the source.
A reminder of crypto’s social engineering risk
The incident involving Buterin’s X account is part of a broader trend in which scammers target the social media presence of well-known figures in order to bypass skepticism. The original report notes that prominent members of the crypto industry are not the only ones affected. In June, for example, the Twitter account of longtime bitcoin critic and gold advocate Peter Schiff was reportedly used by hackers to promote a token called $GOLD, falsely presenting it as a major innovation for gold-backed DeFi.
These cases show that the attack surface in crypto extends far beyond smart contracts and exchanges. Account security, social verification, and wallet interaction habits remain critical points of failure. Even experienced users can be deceived when a message appears to come from a trusted source and is framed around current ecosystem developments or exclusive opportunities.
For users, the lesson is straightforward: unsolicited airdrops, “free NFT” promotions, and urgent claim links should always be treated with caution, even when posted by verified or widely respected accounts. Verifying the legitimacy of announcements through multiple official channels, avoiding rushed wallet approvals, and inspecting transaction requests carefully remain essential defenses against phishing and drain attacks.
For the crypto industry, the event is another reminder that reputation can be turned into a weapon when account security fails. In ecosystems built on open participation and instant communication, a hacked social media account can become a powerful attack vector, capable of causing six-figure losses before warnings spread widely enough to contain the damage.

