Ddos 
The Buy Tokens page on ipresale[.]world/dashboard/buy-token/ | Image: Silent Push
In a disturbing evolution of cryptocurrency fraud, Silent Push Threat Analysts have uncovered a sophisticated scam operation that exploits a display URL spoofing loophole on X/Twitter, using it to promote a fake “Apple iToken” investment. The scheme, which spoofed the domain cnn[.]com in ad previews while redirecting users to malicious crypto scam sites, showcases a dangerous blend of social engineering, brand impersonation, and ad platform abuse.
“Silent Push Threat Analysts have uncovered a new finance scam exploiting an X/Twitter advertising display URL feature to spoof “cnn[.]com” while directing visitors to a crypto scam website impersonating Apple’s brand,” the report states.
The campaign started with what appeared to be a sponsored post on X/Twitter, bearing the source “From CNN[.]com.” Upon clicking, however, the user was funneled through a chain of redirects—from bit[.]ly to t[.]co and finally to the malicious ipresale[.]world domain.
The landing page was a classic crypto “presale scam”, urging users to buy a fake Apple-branded cryptocurrency called “iToken”, accompanied by a fraudulent endorsement from Apple CEO Tim Cook.
“The website also includes a fake testimonial from Apple CEO Tim Cook… ‘Secure, transparent, and built for the decentralized world ahead,’” the scam quote falsely proclaims.
Silent Push explains:
- When a URL is embedded in a tweet, Twitter’s bot fetches the preview (Twitter Card) using a known User-Agent string.
- The scam server detects this User-Agent and redirects the bot to a legitimate page like cnn[.]com.
- When a real user clicks the link, they are instead redirected to a malicious site, such as ipresale[.]world.
“Twitter will show a card for the content it was redirected to—in this instance, the benign cnn[.]com domain, despite those who click the link being redirected to a separate domain,” the report warns.
Silent Push identified 22 crypto wallet addresses, including Bitcoin, Ethereum, XRP, USDT, ADA, DOGE, and more, all linked to the “iToken” scheme. The fake platform mimicked a real investment dashboard, with registration forms, purchase flows, and even loyalty tiers ranging from Bronze to Legendary.
Despite being well-designed, early analysis showed no funds had been deposited yet.
Silent Push’s Web Resource Scan revealed that dozens of clone sites—like isale[.]ltd, i-token[.]live, itoken[.]foundation, and itokensale[.]live—shared the same CSS, HTML structures, and even favicons impersonating Apple and X/Twitter.
Many domains were hosted on Hetzner and Cloudflare infrastructure, and used suspicious nameservers like ns1.chsw.host, which was also linked to .ru domains and financial scams.
On May 5, 2025, analysts discovered another X/Twitter ad campaign using a similar approach, redirecting users via bit[.]ly and chopinkos[.]digital to itokensale[.]live. The new campaign retained all the hallmark elements—Apple branding, fake presale offers, and user interface mimicry.
Donate