Experts have lifted the lid on an ongoing phishing campaign on X that aims to steal money by impersonating legitimate investigators and companies researching cryptocurrency and blockchain security.
As in any other phishing campaign, the threat actors use a sense of urgency to pressure victims into sharing personal information and, ultimately, handing over their money.
The campaign was revealed by Bleeping Computer. Its scale was only made greater by the fact that illegitimate posts on the platform were being shared by legitimate accounts, putting them in front of thousands.
X phishing campaigns
The not-so-sophisticated campaign sees threat actors set up fake accounts with names similar to those of existing, trusted accounts, for example @zachxbt (legitimate) and @zacheryxbt (used for the phishing attack).
vx-underground, which has nearly 250,000 followers on X, shared a post from the malicious account before later deleting it and sharing:
“Someone in our internal circle sent us the information about the alleged breach from a fake ZachXBT… Admittedly, because we know this person well, we didn’t double check anything.”
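A defender-side check for the handle pattern described above (@zachxbt versus @zacheryxbt), as an added example that is not from the article or from Bleeping Computer: it compares an observed handle against a watchlist of trusted handles before a post is reshared. The watchlist, the thresholds, the verdict names and the character-folding map are assumptions.

```python
# Added example: flag handles that imitate a trusted handle. The thresholds,
# verdict names and confusable map are assumptions, not taken from the article.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s", "_": ""})

def normalize(handle):
    """Lowercase, drop the leading @, fold common character substitutions."""
    return handle.lstrip("@").lower().translate(CONFUSABLES)

def edit_distance(a, b):
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def is_subsequence(short, long):
    """True if short can be obtained from long by deleting characters."""
    it = iter(long)
    return all(ch in it for ch in short)

def classify(candidate, trusted, max_edits=2, max_padding=4):
    """Return (verdict, matched_trusted_handle) for one observed handle."""
    raw = candidate.lstrip("@").lower()
    cand = normalize(candidate)
    # Handles are compared case-insensitively; an exact match is the real account.
    for t in trusted:
        if raw == t.lstrip("@").lower():
            return ("trusted", t)
    for t in trusted:
        ref = normalize(t)
        if cand == ref:                              # e.g. added underscore, 0 for o
            return ("confusable", t)
        if edit_distance(cand, ref) <= max_edits:    # typo-style variant
            return ("near-match", t)
        # Trusted name kept intact in order, with a few characters inserted.
        if 0 < len(cand) - len(ref) <= max_padding and is_subsequence(ref, cand):
            return ("padded", t)
    return ("unrelated", None)

if __name__ == "__main__":
    watchlist = ["@zachxbt"]  # constructed watchlist of trusted handles
    for seen in ["@zachxbt", "@zacheryxbt", "@zach_xbt", "@uniswap"]:
        print(seen, classify(seen, watchlist))
```

The pair named in the article is three insertions apart, so a tight edit-distance threshold alone misses it; the subsequence check is what catches names padded around an intact trusted handle.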
The malicious posts claim to expose a vulnerability in Uniswap, a decentralized crypto exchange. However, Hayden Adams, a developer for the platform’s web application interface, has already confirmed that there is no such exploit in the wild.
The publication also claims that bot accounts have been promoting the #UniswapExploit hashtag to the point that it was trending across the US. X’s Elon Musk has previously spoken out about bots on the platform, suggesting that a nominal monthly charge to use the platform could help to eliminate bot accounts, simply because they would each need their own bank details.
X’s subscriptions now include Basic, Premium, and Premium+, but they are not mandatory, and free accounts (including bot accounts) can continue to operate.