Stolen Pump.fun Account Used for Pushing Fraudulent Cryptocurrency Tokens

The X account of meme token platform Pump.fun was hijacked on February 26th to promote fraudulent tokens. The team has since regained control of the account.

Hack on Pump.fun's X account: Imposter Tokens Promoted on February 26, Cause Threat to Legitimacy

February 26, 2025: The team behind the Pump.fun meme token factory got a taste of their own medicine when a hacker targeted its X account, peddling fraudulent tokens under the guise of governance tokens and meme coins like HACKED and hackeddotfun. Thankfully, the Pump.fun gang regained control the very same day, blunting the full impact of the attack.

ZachXBT, a renowned on-chain sleuth, uncovered links between the Pump.fun hack and recent attacks on other X accounts, including Jupiter DAO and DogWifCoin. These accounts were unwitting pawns in the hacker's plan to promote fake meme tokens. The culprit? Well, they're crafty, using social engineering tricks like forged docs or phishing emails to dupe X employees, or maybe exploiting a sneaky loophole in the platform itself.

DFarmer, an X user, wasn't the least bit amused by the proceedings. He spilled the beans, claiming Pump.fun swindled a whopping $600 million over the past year, cashed out the fiat, and ran. That's right, they've got the chops for a Mick Jagger impersonation.

Since its blink-and-you'll-miss-it launch in January 2024, Pump.fun has wrung $431 million out of fees. There've been murmurs about AMM features, too. Trenchdive, a savvy trader, reported that on February 20, the Pump.fun team dropped the first test token, CRACK, into an AMM pool. But doesn't that remind you of a certain nasty bug?

Now, if you're wondering about the security measures in place to shield Pump.fun from such breaches, here's a lowdown on the usual suspects: robust password policies with strong, unique passwords and password changes; activation of 2FA; keeping software updated to patch vulnerabilities; implementing a swift monitoring system for suspicious activity along with a clear incident response plan; educating employees on the perils of phishing and social engineering attacks; and securing cryptocurrency management with multi-signature wallets, where approval from multiple parties is required for transactions. If Pump.fun has put these measures into practice, they'd undoubtedly announce it through official channels or highlight it in industry news. Until then, it's all guesswork, given the current dearth of info.

ZachXBT's investigation has revealed connections between the Pump.fun hack and attacks on other accounts, such as Jupiter DAO and DogWifCoin. These instances appear to be part of a scheme to promote fake meme tokens, exploiting technology vulnerabilities or employing social engineering tricks.

The lack of transparency regarding Pump.fun's cybersecurity measures, including the use of multi-signature wallets, encryption, and real-time monitoring systems, raises concerns about the platform's vulnerability to future attacks, especially when handling large sums of funds in finance and technology-driven sectors.
