A phishing campaign targeting high-profile X accounts has been observed hijacking and exploiting them for fraudulent activity.
The campaign, uncovered by SentinelLabs, has impacted various individuals and organizations, including US political figures, international journalists, a platform employee, major technology firms, cryptocurrency organizations and owners of valuable short usernames.
SentinelLabs’ analysis links this activity to a similar operation from 2024 that compromised multiple accounts to spread scam content for financial gain. Although this campaign primarily focuses on X accounts, the attackers have also targeted other popular online services.
Phishing Tactics and Account Takeover
Over the past few weeks, the security firm has identified various phishing lures used in this campaign. One common tactic involves sending fake login notifications via email and directing targets to credential phishing sites. Another approach uses copyright violation warnings to deceive users.
In some cases, attackers have leveraged Google’s AMP Cache domain to bypass email security filters and redirect users to phishing websites. These deceptive pages prompt users to enter their X account credentials, allowing attackers to take control of accounts. Once compromised, accounts are quickly locked from their rightful owners and used to promote fraudulent cryptocurrency schemes or external sites designed to deceive additional victims.
Read more on cryptocurrency-related scams: Web3 Attacks Result in $2.3Bn in Cryptocurrency Losses
Widespread Infrastructure and Attack Patterns
The campaign has utilized multiple phishing domains, such as securelogins-x[.]com for email delivery and x-recoverysupport[.]com for hosting phishing pages. These domains have been linked to an IP address associated with a Belize-based VPS provider. Most of these phishing sites were registered through a Turkish hosting service.
Further investigation into the attack infrastructure reveals that the domains often employ FASTPANEL, a website management service that, while legitimate, is frequently abused by cybercriminals due to its ease of use and low cost.
Many of the malicious sites hosted on the campaign’s servers remain operational. This indicates the attackers’ ability to sustain long-term phishing efforts while evading detection.
Emerging Account Intrusions and Crypto Fraud
Recent incidents suggest the campaign may be expanding its targets. On January 30 2025, the official X account of the Tor Project was compromised in a manner consistent with these phishing tactics.
Similarly, social media accounts tied to the Decentralized Autonomous Wireless Network (DAWN) were hijacked to lure victims into phishing traps targeting X and Telegram credentials.
Some of the compromised domains have also been linked to crypto-themed scams. For example, buy-tanai[.]com was initially marketed as an AI-powered trading tool but was later found to be a placeholder for potentially fraudulent activities. The attackers appear to stage such domains for future use, adapting their content to fit evolving scams.
Historical Connections and Prevention Measures
This campaign follows a pattern of high-profile account takeovers seen in mid-2024, including the hijacking of the Linus Tech Tips X account. More recently, in January 2025, the X account of late crypto-enthusiast and antivirus software founder John McAfee was reactivated to promote a dubious cryptocurrency called $AIntivirus.
To protect against such threats, users should:
- Use a strong, unique password for X accounts
- Enable two-factor authentication (2FA)
- Avoid clicking on links in unsolicited messages
- Verify URLs before entering credentials
- Initiate password resets directly through official websites
SentinelLabs said it continues to monitor the situation and urged anyone who encounters similar suspicious activity to report it.
Image credit: sdx15 / Shutterstock.com