A recent phishing campaign has been exploiting high-profile X accounts, hijacking them for fraudulent activities. This malicious operation, identified by SentinelLabs, has affected a range of individuals and organizations, including political figures in the US, international journalists, a platform employee, major tech companies, cryptocurrency entities, and owners of valuable short usernames.

Phishing Tactics and Account Takeover

SentinelLabs has linked this campaign to a similar operation from 2024, which compromised numerous accounts to disseminate scam content for financial gain. While the primary focus is on X accounts, attackers have also targeted other popular online services.

Over recent weeks, various phishing lures have been identified. A common tactic involves sending fake login notifications via email, directing targets to credential phishing sites. Another method uses copyright violation warnings to deceive users.

In some instances, attackers have utilized Google’s AMP Cache domain to bypass email security filters, redirecting users to phishing websites. These sites prompt users to enter their X account credentials, allowing attackers to seize control. Once compromised, accounts are swiftly locked from their rightful owners and used to promote fraudulent cryptocurrency schemes or external sites designed to deceive additional victims.

For more on cryptocurrency-related scams, read Web3 Attacks Result in $2.3Bn in Cryptocurrency Losses.

Widespread Infrastructure and Attack Patterns

The campaign employs multiple phishing domains, such as securelogins-x[.]com for email delivery and x-recoverysupport[.]com for hosting phishing pages. These domains are linked to an IP address associated with a Belize-based VPS provider, with most registered through a Turkish hosting service.
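The AMP Cache trick and the indicator domains above suggest an obvious triage check for a mail or SOC team: unwrap any Google AMP Cache link in a suspicious message to find the real destination, then compare that destination against the campaign's domains. The Python below is an added example written for this article, not tooling from SentinelLabs or from the article itself. It assumes the documented AMP Cache content-path layout (`/c/s/<origin-host>/<path>` for HTTPS origins, `/c/<origin-host>/<path>` for HTTP origins) and uses a constructed sample email containing the domains named above; the `x.com` link is included as a benign control.

```python
import re
from urllib.parse import urlparse, urlunparse

# Phishing domains named in the article, re-fanged so they parse.
# They are the campaign's indicators, used here only for matching.
KNOWN_PHISHING_DOMAINS = {
    "securelogins-x.com",
    "x-recoverysupport.com",
    "buy-tanai.com",
}

AMP_CACHE_DOMAIN = "cdn.ampproject.org"
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Google AMP Cache content paths: /c/s/<origin-host>/<path> (https origin)
# and /c/<origin-host>/<path> (http origin). Viewer/image paths are ignored.
AMP_PATH_RE = re.compile(r"^/c/(s/)?([^/]+)(/.*)?$")

# Constructed sample message modelled on the "new login" lure the article describes.
SAMPLE_EMAIL = """\
Subject: New login to your X account

We noticed a new login from an unrecognised device.
If this wasn't you, secure your account now:
https://x-recoverysupport-com.cdn.ampproject.org/c/s/x-recoverysupport.com/account/verify?id=123

Or reset your password here: https://securelogins-x.com/reset
Manage notifications: https://x.com/settings/notifications
"""


def is_amp_cache_host(host: str) -> bool:
    host = host.lower()
    return host == AMP_CACHE_DOMAIN or host.endswith("." + AMP_CACHE_DOMAIN)


def unwrap_amp_cache(url: str) -> str:
    """Return the origin URL an AMP Cache link resolves to; other URLs come back unchanged."""
    parsed = urlparse(url)
    if not is_amp_cache_host(parsed.hostname or ""):
        return url
    m = AMP_PATH_RE.match(parsed.path)
    if not m:
        return url
    scheme = "https" if m.group(1) else "http"
    origin_host, path = m.group(2), m.group(3) or "/"
    return urlunparse((scheme, origin_host, path, "", parsed.query, ""))


def matches_indicator(host: str) -> bool:
    """True if host is, or is a subdomain of, a known phishing domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in KNOWN_PHISHING_DOMAINS)


def defang(url: str) -> str:
    """Make a URL safe to paste into a ticket or report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def scan_email_body(body: str) -> list:
    """One finding per link that is AMP-Cache-wrapped and/or lands on a known phishing domain."""
    findings = []
    for raw in URL_RE.findall(body):
        final = unwrap_amp_cache(raw)
        reasons = []
        if final != raw:
            reasons.append("amp-cache-wrapped")
        if matches_indicator(urlparse(final).hostname or ""):
            reasons.append("known-phishing-domain")
        if reasons:
            findings.append({"raw_url": raw, "final_url": final, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_email_body(SAMPLE_EMAIL):
        print(f"{', '.join(f['reasons'])}: {defang(f['raw_url'])} -> {defang(f['final_url'])}")
```

A link that unwraps to a domain outside the indicator list is still reported as `amp-cache-wrapped`, because a login notification that routes through a content cache is itself worth a second look. The URL extraction is deliberately simple: it does not decode HTML entities or follow tracking redirectors, so on real mail it should sit behind a proper MIME parser.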

Further investigation reveals that these domains often use FASTPANEL, a legitimate website management service frequently abused by cybercriminals due to its ease of use and low cost. Many malicious sites hosted on the campaign’s servers remain operational, indicating the attackers’ ability to sustain long-term phishing efforts while evading detection.

Emerging Account Intrusions and Crypto Fraud

Recent incidents suggest the campaign may be expanding its targets. On January 30, 2025, the official X account of the Tor Project was compromised using these phishing tactics. Similarly, social media accounts linked to the Decentralized Autonomous Wireless Network (DAWN) were hijacked to lure victims into phishing traps targeting X and Telegram credentials.

Some compromised domains have been associated with crypto-themed scams. For instance, buy-tanai[.]com was initially marketed as an AI-powered trading tool but later found to be a placeholder for potentially fraudulent activities. The attackers appear to stage such domains for future use, adapting their content to fit evolving scams.

Historical Connections and Prevention Measures

This campaign follows a pattern of high-profile account takeovers seen in mid-2024, including the hijacking of the Linus Tech Tips X account. More recently, in January 2025, the X account of the late crypto-enthusiast and antivirus software founder John McAfee was reactivated to promote a dubious cryptocurrency called $AIntivirus.

To protect against such threats, users should:

  • Use a strong, unique password for X accounts.
  • Enable two-factor authentication (2FA).
  • Avoid clicking on links in unsolicited messages.
  • Verify URLs before entering credentials.
  • Initiate password resets directly through official websites.