Thu. Aug 28th, 2025

Phishing on X: High-profile accounts targeted on X, pushing crypto scams

An active phishing campaign is targeting high-profile X accounts in an attempt to hijack and exploit them for fraudulent activity. This campaign has been observed targeting a variety of individual and organisational accounts such as U.S. political figures, leading international journalists, an X employee, large technology organisations, cryptocurrency organisations, and owners of valuable, short usernames.

SentinelLabs’ analysis links this activity to a similar operation from last year that successfully compromised multiple accounts to spread scam content with financial objectives. While the activity detailed here is centred around X/Twitter accounts, this actor is not limited to a single social platform, and can be observed directing attention to other popular services as well, while seemingly pursuing the same financial objectives.

Account compromise process

Thanks to tips from targets and collaboration with industry partners, SentinelLabs has observed a variety of phishing lures tied to this campaign over the past few weeks. One example is the classic account login notice. The links in this email are not legitimate and they lead to credential phishing sites. Other observed lures have used copyright violation themes. However, SentinelLabs notes that phishing users directly may not be the only access method employed by this attacker.

In recent cases, the actor has been observed abusing Google’s “AMP Cache” domain cdn.ampproject[.]org to evade email detections and redirect the user to a phishing domain. This ultimately leads the targets to an actor-made phishing website seeking X account credentials.

In the ‘copyright infringement’ lure scenario, the user will first visit an Action Needed page before being prompted to enter credentials on a fake copyright infringement page.

Once an account is taken over, the attacker swiftly locks out the legitimate owner and begins posting fraudulent cryptocurrency opportunities or links to external sites designed to lure additional targets, often with a crypto theft-related theme. Ultimately, compromising high-profile accounts enables the attacker to reach a broader audience of potential secondary victims, maximising their financial gains.

SentinelLabs’ observations suggest that the attacker is highly adaptable, continuously exploring new techniques while maintaining a clear financial motive. The targeting appears constrained, yet opportunistic. Notably, past public reports have attributed related activity to Turkish-speaking actors based on the language of comments in the phishing pages’ source code. At this time, this campaign is not attributed to a specific country or any widely-tracked threat actor.

Conclusion

The cryptocurrency scam landscape continues to evolve, becoming increasingly difficult to navigate as crypto’s popularity grows. While marketing for coins and tokens has long been irreverent and meme-driven, recent developments have further blurred the line between legitimate projects and scams. A striking example occurred in January 2025 when the X account of the late crypto-enthusiast and antivirus founder John McAfee was reactivated to promote a new coin, $AIntivirus. The marketing style and brand voice of this purportedly legitimate token closely resemble tactics used in known scam campaigns, highlighting how easily crypto enthusiasts can be misled in an already murky ecosystem.

To safeguard X accounts, SentinelLabs strongly recommends using a unique password, enabling two-factor authentication (2FA), and avoiding credential sharing with third-party services. Be especially cautious of messages containing links to account alerts or security notices. Always verify URLs before clicking, and if a password reset is needed, initiate it directly through the official website or app rather than relying on unsolicited links.
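The AMP Cache abuse described under "Account compromise process" and the "verify URLs before clicking" advice above both come down to the same check: what host does a link actually land on once any wrapper is peeled off? The following is an added example, not code from the SentinelLabs report, that triages links from an email the way a mail-security filter or a cautious user might. It assumes the documented AMP cache URL layout (`https://<cache>.cdn.ampproject.org/c/s/<origin-host>/<path>`, where the `s` segment means the origin is served over https), a small allowlist of legitimate X domains, and a constructed set of sample links; none of these are taken from the report.

```python
from urllib.parse import urlparse, unquote

# Constructed sample links as they might appear in a suspicious email (not from the report).
SAMPLE_LINKS = [
    "https://x.com/settings/account",                                 # genuine X host
    "https://example-com.cdn.ampproject.org/c/s/example.com/login",   # AMP cache wrapping an outside host
    "https://cdn.ampproject.org/c/example.net/verify",                # AMP cache, http origin (no 's')
    "https://x.com.example.org/login",                                # lookalike: x.com as a subdomain
]

# Assumed allowlist of hosts where X account actions legitimately happen.
LEGIT_HOSTS = {"x.com", "twitter.com"}


def unwrap_amp_cache(url):
    """Return the origin host an AMP cache link would fetch, or None if the link
    is not an AMP cache URL.  Cache document URLs look like
    https://<cache>.cdn.ampproject.org/c/s/<host>/<path>; the 's' segment is
    absent when the origin is plain http."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host != "cdn.ampproject.org" and not host.endswith(".cdn.ampproject.org"):
        return None
    segments = [seg for seg in parsed.path.split("/") if seg]
    # First segment is the content type: c (document), i (image), r (resource).
    if len(segments) < 2 or segments[0] not in ("c", "i", "r"):
        return None
    origin_index = 2 if segments[1] == "s" else 1
    if len(segments) <= origin_index:
        return None
    return unquote(segments[origin_index]).lower()


def is_legit_host(host):
    """Exact or subdomain match against the allowlist; a lookalike such as
    x.com.example.org does not match because the allowlisted name is not its suffix."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)


def assess_link(url):
    """Classify one link as (verdict, effective_host).  AMP cache links are always
    surfaced with the real origin so a reviewer sees where the redirect ends up."""
    origin = unwrap_amp_cache(url)
    if origin is not None:
        return ("amp-cache-redirect", origin)
    host = (urlparse(url).hostname or "").lower()
    if is_legit_host(host):
        return ("trusted", host)
    return ("untrusted", host)


def triage(links):
    """Run assess_link over a list of links; returns (url, verdict, host) tuples."""
    return [(u,) + assess_link(u) for u in links]


if __name__ == "__main__":
    for url, verdict, host in triage(SAMPLE_LINKS):
        print(f"{verdict:20} {host:25} {url}")
```

The point of the `amp-cache-redirect` verdict is that the visible host (`cdn.ampproject.org`) is a trusted Google domain that will pass a naive domain allowlist, while the origin embedded in the path is the site the browser ends up on; a filter that only checks the outer hostname sees nothing wrong. Treating every cache-wrapped link as "show me the real destination" rather than "trusted" is the conservative choice.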

Follow this link to read the full report.