A wave of X account takeover attacks is sweeping through the crypto community, using convincing phishing techniques that sidestep passwords and traditional two-factor authentication (2FA) entirely. Security researchers warn the campaign is live, hard to detect, and primarily targets high-profile users with large followings, raising the stakes for investors and platforms alike.
Crypto developer Zak Cole first flagged the campaign in a post on X, describing it as “Zero detection. Active right now. Full account takeover.” His warning has since drawn attention from both researchers and victims, highlighting the growing sophistication of social engineering on the platform.
Anatomy of the X account takeover
Unlike conventional phishing, which relies on fake login pages or password theft, this X account takeover leverages the platform’s own infrastructure. Attackers send direct messages (DMs) containing links whose preview card appears to point to Google Calendar, because X builds the preview from metadata supplied by the linked page, and that metadata can claim a different domain than the one the link actually points to.
In one reported case, the message pretended to come from venture capital firm Andreessen Horowitz, lending extra credibility. The malicious domain x(.)ca-lendar(.)com was registered only days earlier. Still, X’s preview showed the legitimate Google Calendar domain, luring victims into clicking.
Once clicked, users are redirected to X’s own OAuth authorization endpoint, where an app labeled “Calendar” requests access to the account. A closer look reveals that two letters in the app’s name are Cyrillic lookalikes, so the name renders as “Calendar” while being a different string from the genuine app name. The app then requests sweeping permissions, from updating the profile to creating and deleting posts.
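To make the lure mechanics concrete, the following added example (not code from Zak Cole’s write-up, from X, or from anyone involved in the campaign) takes the URL from a DM plus the HTML that URL serves and reports what a reader would want to know before clicking: the real host, the host the preview would display, and where the page forwards the visitor. It assumes the preview card is rendered from the page’s Open Graph (og:*) tags, which is what the article’s reference to “metadata previews” describes; the HTML, the meta-refresh redirect and the client_id value are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure page (not captured from the real campaign): the real host
# is the attacker-registered domain the article names, while the Open Graph
# tags claim to be Google Calendar. A preview renderer that trusts the page's
# own metadata shows the claimed identity, not the real one.
LURE_URL = "https://x.ca-lendar.com/invite?id=12345"
LURE_HTML = """
<html><head>
<meta property="og:site_name" content="Google Calendar">
<meta property="og:title" content="Meeting with a16z">
<meta property="og:url" content="https://calendar.google.com/calendar/u/0/r">
<meta http-equiv="refresh" content="0; url=https://twitter.com/i/oauth2/authorize?client_id=EXAMPLE_CLIENT_ID&response_type=code">
</head><body>Redirecting...</body></html>
"""


class MetaParser(HTMLParser):
    """Collect og:* properties and any meta-refresh redirect target."""

    def __init__(self):
        super().__init__()
        self.og = {}
        self.refresh_url = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        prop = a.get("property", "").lower()
        if prop.startswith("og:"):
            self.og[prop] = a.get("content", "")
        if a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            idx = content.lower().find("url=")
            if idx != -1:
                self.refresh_url = content[idx + 4:].strip()


def assess_lure(url, html):
    """Compare who the link really belongs to with who the preview claims
    it is, and note where the page sends the visitor next."""
    parser = MetaParser()
    parser.feed(html)
    real_host = urlparse(url).hostname or ""
    claimed_host = urlparse(parser.og.get("og:url", "")).hostname or ""
    redirect = urlparse(parser.refresh_url or "")
    redirect_host = redirect.hostname or ""
    return {
        "real_host": real_host,
        "claimed_site": parser.og.get("og:site_name", ""),
        "claimed_host": claimed_host,
        # The preview lies when the og:url host is not the host you are visiting.
        "preview_mismatch": bool(claimed_host) and claimed_host != real_host,
        "redirect_host": redirect_host,
        # A "calendar invite" that forwards straight to X's OAuth authorize
        # endpoint is itself a signal worth surfacing.
        "lands_on_x_oauth": redirect_host in ("x.com", "twitter.com")
        and "/oauth" in redirect.path,
    }


if __name__ == "__main__":
    for key, value in assess_lure(LURE_URL, LURE_HTML).items():
        print(f"{key:>17}: {value}")
```

Run against the constructed page, the report shows the real host as x.ca-lendar.com, the claimed host as calendar.google.com, and a redirect onto X’s OAuth endpoint; the same check on a page whose og:url matches its own host reports no mismatch.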
“Your brain sees Google Calendar. The URL is different,” — Zak Cole, crypto developer.
Source: Zak Cole
If users approve access, attackers gain near-total control of the account, with no password or 2FA code needed: the victim authorizes the app from an already authenticated X session, so the platform’s login defenses never come into play.
Confirmed by researchers, spreading across industries
The X account takeover method was confirmed by MetaMask security researcher Ohm Shah, who said he had observed the attack “in the wild.” This suggests a wider campaign, beyond isolated crypto figures.
Reports indicate that not only crypto personalities but also mainstream creators including an OnlyFans model were targeted, underscoring the broad applicability of the attack.
Security experts note the scam’s credibility stems from exploiting user trust in metadata previews and OAuth permissions, rather than crude imitation pages. That makes it more discreet than traditional phishing, and potentially more damaging.
Clues that reveal the phishing attempt
Despite its sophistication, the X account takeover scam leaves subtle clues. The most obvious: the OAuth permissions requested are far beyond what a calendar app would need. Permissions include following and unfollowing accounts, posting, and altering settings, none of which a calendar integration requires and all of which are red flags for anyone reviewing carefully.
Another giveaway is the redirection inconsistency. After granting permissions, victims are redirected to Calendly instead of Google Calendar.
“Calendly? They spoofed Google Calendar, but redirect to Calendly? Major operational security failure. This inconsistency could tip off victims,” Cole noted.
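The two consent-screen clues above, the lookalike app name and the permission over-reach, can be checked mechanically. The following added example (not code from Zak Cole, Ohm Shah, or X) reviews an app name and the permission lines shown on the consent screen: it lists any letters whose Unicode script is not Latin, using the standard library’s unicodedata, and flags every permission beyond what a calendar-style integration could justify. The app name is constructed as “Calendar” with two letters swapped for Cyrillic lookalikes (U+0430 and U+0435); the permission strings are modelled on the capabilities the article lists and are not a capture of the real consent page.

```python
import unicodedata

# Constructed consent screen. The app name renders as "Calendar" but the
# second and fifth letters are Cyrillic (U+0430, U+0435), not Latin.
LURE_APP_NAME = "C\u0430l\u0435ndar"
LURE_PERMISSIONS = [
    "See your profile information",
    "Update your profile and account settings",
    "Post and delete posts for you",
    "Follow and unfollow accounts for you",
    "See accounts you follow, mute, and block",
]

# What a calendar-style integration could plausibly justify on X: identifying
# the user. Anything else on the consent screen is over-reach.
EXPECTED_FOR_CALENDAR = {"See your profile information"}


def foreign_letters(name):
    """Letters whose Unicode name does not start with LATIN, reported as
    (character, code point, Unicode name) so the swap is visible."""
    out = []
    for ch in name:
        uname = unicodedata.name(ch, "")
        if ch.isalpha() and uname and not uname.startswith("LATIN"):
            out.append((ch, f"U+{ord(ch):04X}", uname))
    return out


def review_consent(app_name, permissions, expected=EXPECTED_FOR_CALENDAR):
    """Return the clues a careful reviewer would want from a consent screen."""
    foreign = foreign_letters(app_name)
    has_latin = any(
        ch.isalpha() and unicodedata.name(ch, "").startswith("LATIN")
        for ch in app_name
    )
    excess = [p for p in permissions if p not in expected]
    # NFKC normalization does not fold Cyrillic into Latin, so a string
    # comparison against the expected name still fails for a homoglyph name.
    matches_expected = unicodedata.normalize("NFKC", app_name) == "Calendar"
    return {
        "app_name": app_name,
        "foreign_letters": foreign,
        "mixed_script": bool(foreign) and has_latin,
        "matches_expected_name": matches_expected,
        "excess_permissions": excess,
        "suspicious": bool(foreign) or bool(excess),
    }


if __name__ == "__main__":
    report = review_consent(LURE_APP_NAME, LURE_PERMISSIONS)
    print("app name:", report["app_name"])
    for ch, cp, uname in report["foreign_letters"]:
        print(f"  non-Latin letter {ch!r} {cp} {uname}")
    for perm in report["excess_permissions"]:
        print("  excess permission:", perm)
    print("suspicious:", report["suspicious"])
```

On the constructed input the report names the two Cyrillic letters by code point and lists four permissions a calendar app has no business asking for; a plain Latin “Calendar” requesting only profile read access comes back clean.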
For now, the best defense is vigilance. Cole’s GitHub write-up advises users to check their X connected apps page (Settings and privacy > Security and account access > Apps and sessions > Connected apps) and revoke any suspicious authorizations, particularly those named “Calendar.” Revoking the app is the step that matters, since the attacker’s access rests on the OAuth grant rather than on the password.
Why crypto investors should care
The crypto sector remains a prime target for scams, and an X account takeover can be devastating. Prominent crypto accounts often serve as trusted sources of market updates, project news, and endorsements. If hijacked, they can be weaponized to promote scams, drain wallets, or spread misinformation at scale.
“An account with 100,000 followers promoting a malicious link can inflict losses within minutes. The credibility of the voice matters as much as the reach,” — Ohm Shah, Security Researcher, MetaMask.
Beyond direct theft, these attacks erode confidence in platforms like X, which serve as de facto communication hubs for the crypto community. Until stronger safeguards are in place, influencers, traders, and investors must remain alert.
Staying ahead of future risks
Experts argue that preventing X account takeover campaigns will require changes at the platform level. Potential solutions include stricter app vetting, clearer OAuth warnings, and improved link preview verification. Until then, the burden remains on users to scrutinize links and permissions.
The incident underscores a broader truth: crypto adoption depends not only on secure blockchains but also on secure communication platforms. Without trust in the channels where information spreads, investor confidence can falter.
For those concerned about security, proactive steps include reviewing connected apps regularly, enabling hardware keys where possible, and verifying unexpected messages through secondary channels before clicking. Note that hardware keys protect the login itself, not an OAuth grant approved from an already authenticated session, so the consent screen still has to be read before it is approved.
As phishing campaigns evolve, vigilance will be key. The crypto community, long accustomed to decentralized risks, now faces a centralized one: the security of its most visible social accounts.