Social media platform X is preparing a new security measure aimed at stopping a widespread form of crypto-phishing that exploits hacked accounts to promote fraudulent tokens.
The company will soon automatically lock any account mentioning cryptocurrency for the first time in its history, according to Nikita Bier, the company’s product manager. Users will need to complete additional verification before being allowed to post again.
Bier said this feature targets the main incentive behind these attacks. “This should remove 99% of the incentive,” he wrote, referring to the current wave of phishing that tricks users into giving up their credentials and then uses their accounts to promote crypto scams.
The change was revealed in response to a detailed account from an X user who lost control of their account after falling for a phishing email disguised as a copyright infringement notice.
The attacker, the user said, used a pixel-perfect fake login page to harvest two-factor codes, then locked the user out and began promoting fraudulent crypto projects from their account.
Crypto Scams on X
These types of attacks have been extremely common on X, a legacy from the period before Elon Musk acquired the platform, when it was still called Twitter.
One of the most common tactics is the “double your money” scam, in which users are asked to send cryptocurrency in exchange for a promise of more. Others offer fake memecoins or fraudulent airdrops, often using hacked accounts to lend credibility.
Impersonation is one of the attackers' most powerful tools. Spoofed accounts posing as major figures have repeatedly tricked their followers into clicking on malicious links that mimic legitimate crypto platforms.
Cryptocurrency transactions are irreversible, so once a user falls for such an attack, their funds are gone.
The most infamous example came in 2020, when hackers accessed Twitter’s internal systems and took control of major accounts, including those of Apple, Barack Obama and Elon Musk.
They used these accounts to promote a fake Bitcoin giveaway, earning over $100,000 before the posts were deleted. This breach, carried out by social engineering against Twitter employees, earned the hacker a 5-year prison sentence.
X has made several attempts to strengthen security, including bot purges, API restrictions, and behavioral detection. The latest move, automatically locking accounts the first time they post about crypto, builds on these efforts and aims to remove the tactic at the root by making hacked accounts useless for scams.
Bier also criticized Google for failing to stop phishing emails at the email level, arguing that the tech giant shares responsibility for failing to protect its users from phishing attacks.
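As an added illustration (this is not X's own code; the platform's rules, keyword list and verification flow are not public), the following Python sketches the gating logic the article describes: an account's first-ever post that mentions cryptocurrency is held and the account is locked until its owner passes extra verification, after which the account carries a "has posted about crypto" flag and is not locked again. The keyword pattern, the verification outcome and the scenario posts are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed keyword pattern; X's real classifier is not public.
CRYPTO_PATTERN = re.compile(
    r"\b(bitcoin|btc|ethereum|memecoin|airdrop|crypto(?:currency)?|token|wallet|giveaway)\b",
    re.IGNORECASE,
)

POSTED = "posted"
LOCKED = "locked_pending_verification"


@dataclass
class Account:
    handle: str
    has_posted_crypto: bool = False      # set once the owner verifies a crypto post
    locked: bool = False                 # True while extra verification is pending
    posts: List[str] = field(default_factory=list)
    held_post: Optional[str] = None      # the first crypto post, held until verified


def mentions_crypto(text: str) -> bool:
    return CRYPTO_PATTERN.search(text) is not None


def submit_post(account: Account, text: str) -> str:
    """Publish a post, or lock the account on its first-ever crypto mention."""
    if account.locked:
        return LOCKED                    # nothing gets out while verification is pending
    if mentions_crypto(text) and not account.has_posted_crypto:
        account.locked = True
        account.held_post = text
        return LOCKED
    account.posts.append(text)
    return POSTED


def complete_verification(account: Account, passed: bool) -> str:
    """Resolve a pending lock; a failed check keeps the account locked and drops the post."""
    if not account.locked:
        return "not_locked"
    if not passed:
        account.held_post = None
        return "still_locked"
    account.locked = False
    account.has_posted_crypto = True     # future crypto posts no longer trigger the lock
    if account.held_post is not None:
        account.posts.append(account.held_post)
        account.held_post = None
    return "verified"


def hijack_scenario() -> List[str]:
    """Constructed scenario: a hijacked account tries the 'double your money' pitch."""
    victim = Account("victim")
    events = [submit_post(victim, "Great weather today")]
    events.append(submit_post(victim, "Send 1 BTC, get 2 back!"))     # first crypto mention
    events.append(submit_post(victim, "Free airdrop, link below"))    # blocked while locked
    events.append(complete_verification(victim, passed=False))        # attacker cannot verify
    return events


def legit_first_time_scenario() -> List[str]:
    """Constructed scenario: a real owner posts about crypto for the first time."""
    owner = Account("owner")
    events = [submit_post(owner, "Thoughts on the new Ethereum upgrade")]
    events.append(complete_verification(owner, passed=True))
    events.append(submit_post(owner, "More on Ethereum fees tomorrow"))  # no second lock
    return events


def returning_crypto_poster_scenario() -> List[str]:
    """Constructed scenario: an account that already posted about crypto is untouched."""
    veteran = Account("veteran", has_posted_crypto=True)
    return [submit_post(veteran, "Bitcoin price is volatile again")]


if __name__ == "__main__":
    print(hijack_scenario())
    print(legit_first_time_scenario())
    print(returning_crypto_poster_scenario())
```

The point of the flag is that a compromised account which has never talked about crypto cannot be used to promote a token without someone passing the extra verification step, which is exactly the incentive Bier says the measure removes.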