
A new wave of phishing attacks is actively targeting high-profile X (formerly Twitter) accounts, with attackers hijacking accounts to promote fraudulent cryptocurrency schemes, according to SentinelOne’s latest threat report. The campaign appears to be a continuation of a similar operation from last year that successfully compromised multiple accounts, spreading scam content with clear financial motives.
The phishing campaign is not limited to individual influencers or traders. According to SentinelLABS’ analysis, threat actors have been observed targeting a wide range of victims, including:
- U.S. political figures
- Prominent international journalists
- X platform employees
- Major technology organizations
- Cryptocurrency-related companies
- Owners of valuable, short usernames
While the primary focus remains on X/Twitter, researchers warn that the threat actor is not confined to a single platform, and similar attacks have been directed at other popular services.
“Compromising high-profile accounts enables the attacker to reach a broader audience of potential secondary victims, maximizing their financial gains,” SentinelLABS warns.
Attackers employ a range of phishing techniques to lure victims into revealing their X login credentials. One of the most common methods is the fake account login alert, designed to trick users into thinking their account security has been compromised.
“Thanks to tips from targets and collaboration with industry partners, SentinelLABS has observed a variety of phishing lures tied to this campaign over the past few weeks,” the report states.
- Fake Login Alerts: Users receive deceptive emails warning them of suspicious login attempts. Clicking the embedded link directs them to a fraudulent X login page designed to steal credentials.
- Copyright Violation Scams: Attackers send fake notices claiming that a post violates copyright laws, prompting users to enter their credentials on a phishing site.
- Google AMP Abuse: To bypass email security filters, attackers wrap their links in Google's "AMP Cache" service, so the URL in the email points at a Google-owned domain and only redirects the victim, once clicked, to a credential-harvesting page hosted on domains like x-recoverysupport[.]com.
Once an account is compromised, the attacker quickly locks out the legitimate owner and begins posting fraudulent cryptocurrency investment opportunities that funnel the account's followers toward external crypto-theft schemes.
Researchers traced much of the phishing infrastructure to the IP 84.38.130[.]20, hosted by a Belize-based VPS provider, Dataclub. Domains linked to the campaign include:
- securelogins-x[.]com (used for phishing email distribution)
- x-recoverysupport[.]com (credential phishing pages)
Interestingly, most of these domains were registered through Turkish hosting provider Turkticaret, suggesting a possible regional link to the attackers. However, SentinelOne has not formally attributed the campaign to a specific country or known threat group.
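As an added example (not code from the article or from SentinelLABS), the following Python shows one way a mail-security or SOC team could unwrap Google AMP Cache links of the kind described above and check the real landing host against the two domains and the IP quoted from the report. The AMP URL shapes handled, the constructed sample email, and the helper names are assumptions made for the example.

```python
"""Unwrap Google AMP Cache / AMP viewer links and match the landing host
against the campaign IOCs quoted in the article.  Constructed example."""
import re
from typing import Optional
from urllib.parse import urlparse, unquote

# IOCs as quoted from the SentinelLABS report (defanged in the article, re-fanged here).
IOC_DOMAINS = {"securelogins-x.com", "x-recoverysupport.com"}
IOC_IPS = {"84.38.130.20"}

AMP_CACHE_SUFFIX = ".cdn.ampproject.org"
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def decode_amp_subdomain(label: str) -> str:
    """Reverse the AMP Cache hostname encoding ('-' -> '--', '.' -> '-').

    'x--recoverysupport-com' -> 'x-recoverysupport.com'
    """
    return label.replace("--", "\0").replace("-", ".").replace("\0", "-")


def unwrap_amp(url: str) -> Optional[str]:
    """Return the publisher URL behind an AMP Cache or AMP viewer URL, else None.

    Shapes handled (assumed from the public AMP Cache URL format):
      https://<encoded-host>.cdn.ampproject.org/c/s/<host>/<path>
      https://www.google.com/amp/s/<host>/<path>
    A leading 's/' segment means the origin is https; without it, http.
    """
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host.endswith(AMP_CACHE_SUFFIX):
        m = re.match(r"^/[a-z]/(s/)?(.+)$", p.path)
    elif host in ("google.com", "www.google.com"):
        m = re.match(r"^/amp/(s/)?(.+)$", p.path)
    else:
        return None
    if not m:
        return None
    scheme = "https" if m.group(1) else "http"
    inner = f"{scheme}://{unquote(m.group(2))}"
    return inner + (f"?{p.query}" if p.query else "")


def classify(url: str) -> dict:
    """Describe one link: whether it is AMP-wrapped, where it really lands,
    and whether the landing host hits the IOC list."""
    inner = unwrap_amp(url)
    landing = (urlparse(inner or url).hostname or "").lower()
    ioc_hit = (landing in IOC_IPS or landing in IOC_DOMAINS
               or any(landing.endswith("." + d) for d in IOC_DOMAINS))
    # For cache URLs the encoded subdomain should name the same host as the
    # path segment; a mismatch is itself worth flagging.
    mismatch = False
    outer = (urlparse(url).hostname or "").lower()
    if inner is not None and outer.endswith(AMP_CACHE_SUFFIX):
        encoded = outer[: -len(AMP_CACHE_SUFFIX)]
        mismatch = decode_amp_subdomain(encoded) != landing
    return {"url": url, "amp_wrapped": inner is not None,
            "landing_host": landing, "ioc_hit": ioc_hit,
            "subdomain_mismatch": mismatch}


def scan_text(text: str) -> list:
    """Extract every http(s) URL from an email body and classify it."""
    return [classify(u.rstrip(".,)")) for u in URL_RE.findall(text)]


# Constructed "fake login alert" body for the example; not a real lure.
SAMPLE_EMAIL = """\
We noticed a new login to your X account from an unrecognized device.
If this wasn't you, secure your account now:
https://x--recoverysupport-com.cdn.ampproject.org/c/s/x-recoverysupport.com/account/verify?uid=12345
Otherwise ignore this message. Help: https://help.x.com/
"""

if __name__ == "__main__":
    for result in scan_text(SAMPLE_EMAIL):
        print(result)
```

The point of the unwrap step is that a filter which only checks the visible link host sees `cdn.ampproject.org` and passes it; the IOC match has to be made on the landing host that the AMP path encodes. Matching on the AMP cache domain itself would block legitimate AMP traffic, so the example flags only the landing host and the subdomain/path mismatch.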
Among the latest victims is The Tor Project, whose official X account was hijacked on January 30, 2025. While SentinelOne has not confirmed a direct link between the incidents, researchers note that the attack bears similarities to previous credential-phishing operations.

“While we have not yet established a high-confidence link, a recent compromise of a Tor Project account closely mirrors our observations,” SentinelLABS stated.
Another major victim was Decentralized Autonomous Wireless Network (DAWN), whose X and Telegram accounts were compromised to spread phishing links targeting cryptocurrency traders.
Attackers are also leveraging fake AI-driven trading projects as part of their schemes. One example is buy-tanai[.]com, which promoted “TANA AI” as a liquidity provider on the Solana blockchain. Researchers believe that many of these crypto projects are merely placeholders, waiting to be rebranded for future pump-and-dump scams.
- TANA AI was launched in mid-January 2025
- Despite losing most of its initial value, it remains actively traded
- The attackers likely use these domains as flexible phishing infrastructure, ready to be repurposed for new schemes
SentinelOne warns that more attacks are likely to follow as attackers adapt their phishing lures and infrastructure. Users are urged to remain vigilant and follow strong security hygiene to reduce the risk of account compromise: treat unsolicited login-alert and copyright-notice emails as suspect, confirm that any login page is actually served from x.com before entering credentials, and protect the account with two-factor authentication.