Introduction

A sophisticated phishing campaign has been identified [6], targeting high-profile accounts on the social media platform X (formerly Twitter) [6] [7]. This operation [3], active since mid-2024 [7], aims to hijack accounts of prominent individuals and organizations to promote fraudulent cryptocurrency schemes.

Description

A sophisticated one-click phishing campaign targeting high-profile accounts on the social media platform X (formerly Twitter) has been identified, active since mid-2024 [7]. This operation aims to hijack accounts belonging to US political figures [7], international journalists [3] [4] [6] [7], technology organizations [4] [7], cryptocurrency entities [1] [3] [4] [5] [6] [7], and other prominent users [7], including employees of X. Once compromised [2] [3] [4] [5] [6] [7], these accounts are exploited to promote fraudulent cryptocurrency schemes [1] [3] [7], enhancing the attackers’ reach and maximizing financial gains by targeting a wider audience. Attackers lock victims out of their accounts after they enter their credentials [5], subsequently using the compromised profiles to disseminate scam content and post fraudulent cryptocurrency opportunities that often contain links to external phishing sites designed to lure additional victims.

Researchers at SentinelLabs have linked this activity to a similar operation from the previous year that successfully compromised multiple accounts for financial gain [7]. The attackers employ various phishing tactics [4], including fake account login notifications and copyright violation alerts [4] [6] [7], to deceive users into providing their credentials [4] [6] [7]. Recent tactics include the abuse of Google’s AMP Cache domain to evade email detection systems [4] [7], redirecting victims to phishing sites that prompt them to enter their X account credentials [3]. Tools like Evilginx are also utilized to enhance the effectiveness of these attacks.

Recent breaches include the official X account of the Tor Project and accounts associated with the Decentralized Autonomous Wireless Network (DAWN) [7]. In these instances [7], compromised accounts were used to lure victims into entering credentials on phishing pages targeting both X and Telegram accounts [7]. Many of the phishing domains, such as securelogins-x[.]com for email delivery and x-recoverysupport[.]com for hosting phishing pages [3], are linked to an IP address, 84.38.130[.]20, associated with a Belize-based VPS provider and were predominantly registered through a Turkish hosting service [3]. The domains often utilize FASTPANEL [3], a website management service frequently abused by cybercriminals [3].
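The AMP Cache abuse described above and the defanged domains quoted here can be combined into a simple link-triage check for mail or proxy logs. The following Python is an added example, not code from the report or from SentinelLabs: it assumes the documented Google AMP Cache URL shape (`<host>.cdn.ampproject.org/c/s/<origin>/<path>`), unwraps that wrapper to the origin the victim actually lands on, and matches it against a refanged watchlist; the sample links are constructed.

```python
"""Unwrap AMP Cache links and match the landing host against a watchlist."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Defanged domains as quoted in the write-up (watchlist is a constructed example).
WATCHLIST_DEFANGED = ["securelogins-x[.]com", "x-recoverysupport[.]com"]

# Google AMP Cache: origin host is carried in the path, "/c/s/" marks an https origin.
AMP_CACHE_SUFFIX = ".cdn.ampproject.org"
AMP_PATH = re.compile(r"^/(?:c|v|i|r)(?:/s)?/([^/?#]+)")


def refang(ioc: str) -> str:
    """Turn 'example[.]com' / 'hxxp://' notation back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def unwrap_amp_cache(url: str) -> Optional[str]:
    """Return the origin host an AMP Cache URL proxies, or None if not AMP-wrapped."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not (host == "cdn.ampproject.org" or host.endswith(AMP_CACHE_SUFFIX)):
        return None
    match = AMP_PATH.match(parsed.path)
    return match.group(1).lower() if match else None


def effective_host(url: str) -> str:
    """Host the recipient really lands on: the AMP origin if wrapped, else the URL host."""
    return unwrap_amp_cache(url) or (urlparse(url).hostname or "").lower()


def is_watchlisted(host: str, watchlist: List[str] = WATCHLIST_DEFANGED) -> bool:
    """Exact or subdomain match against the refanged watchlist."""
    bad = {refang(d).lower() for d in watchlist}
    return any(host == d or host.endswith("." + d) for d in bad)


def triage(urls: List[str]) -> List[Tuple[str, str, bool, bool]]:
    """Return (url, effective_host, amp_wrapped, flagged) for each link."""
    rows = []
    for url in urls:
        wrapped = unwrap_amp_cache(url) is not None
        host = effective_host(url)
        rows.append((url, host, wrapped, is_watchlisted(host)))
    return rows


# Constructed sample links (not taken from the report): two wrapped lures, one benign AMP page, one direct link.
SAMPLE_LINKS = [
    "https://securelogins-x-com.cdn.ampproject.org/c/s/securelogins-x.com/login?u=abc",
    "https://cdn.ampproject.org/c/s/x-recoverysupport.com/recover",
    "https://example-org.cdn.ampproject.org/c/example.org/news/amp",
    "https://x.com/settings",
]

if __name__ == "__main__":
    for url, host, wrapped, flagged in triage(SAMPLE_LINKS):
        print(f"{'FLAG' if flagged else 'ok  '} wrapped={str(wrapped):5} host={host:<26} {url}")
```

Because the match runs on the unwrapped origin rather than the visible `ampproject.org` host, a wrapper that passes a naive domain filter is still caught.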

This campaign follows a pattern of high-profile account takeovers [3], including the hijacking of the Linus Tech Tips X account in mid-2024 [3]. In January 2025 [3], the X account of John McAfee was reactivated to promote a dubious cryptocurrency called $AIntivirus [3]. The attackers demonstrate adaptability and technical sophistication [7], continuously refining their methods while maintaining a focus on financial objectives [7]. Although past reports have suggested the involvement of Turkish-speaking actors [4], this campaign has not been attributed to any specific country or known threat actor [4].

Conclusion

The impact of this phishing campaign is significant, as it compromises the integrity of high-profile accounts and misleads a broad audience into fraudulent schemes. To mitigate such threats [3], users are advised to maintain strong password hygiene, use unique passwords [3] [4], enable two-factor authentication [1] [3] [4], avoid clicking on links in unsolicited messages [3], verify URLs before entering credentials [3], and initiate password resets through official websites [1] [3] [4]. Cybersecurity experts recommend continuous monitoring and the adoption of advanced authentication methods to further reduce risks [5]. SentinelLabs continues to monitor the situation and encourages reporting of suspicious activity [3]. The ongoing adaptability and sophistication of these attackers highlight the need for vigilance and proactive security measures in the digital landscape.

References

[1] https://www.darkreading.com/endpoint-security/one-click-phishing-campaign-high-profile-x-accounts
[2] https://www.validin.com/blog/x-phishing-threat-hunting-pivotoing-techniques/
[3] https://www.infosecurity-magazine.com/news/x-accounts-targeted-phishing/
[4] https://businessmondays.co.uk/sentinellabs-finds-x-phishing-campaign-targeting-high-profile-accounts/
[5] https://cybersecuritynews.com/new-phishing-attack-hijacking-high-profile-x-accounts/
[6] https://gbhackers.com/new-phishing-attack-hijacks-high-profile-x-accounts/
[7] https://cyberpress.org/new-phishing-attack-compromises-high-profile-x-accounts/