New Exploit Targets X/Twitter Ad URL Feature to Trick Users

A newly discovered financial scam is exploiting a loophole in X/Twitter’s advertising platform, allowing threat actors to spoof trusted domains such as “cnn.com” within ad display URLs.

The campaign, first observed by Silent Push Threat Analysts, leverages this vulnerability to redirect users to fraudulent cryptocurrency websites impersonating Apple and its CEO, Tim Cook, as part of a fake “iToken” presale scheme.

Technical Exploit Overview

The attack capitalizes on the way X/Twitter constructs and displays links within promoted posts.

When a user incorporates a URL in a tweet, X/Twitter’s bot scrapes metadata to generate a Twitter card.

By serving different responses depending on whether the requesting user agent is the Twitter bot’s or a real browser’s, attackers can send the bot to a legitimate domain, such as cnn[.]com, while real users are covertly redirected to a malicious site, such as ipresale[.]world.

As a result, the advertisement appears to originate from cnn[.]com, instilling false trust in the viewer.

In this campaign, the displayed ad URL was manipulated to show “From CNN[.]com.”

However, clicking the ad triggered a multi-stage redirect, passing through shortened URLs (e.g., bit[.]ly/4k4X1Tz, t[.]co/OswjDCIcFI) before finally landing users on ipresale[.]world, a clone site designed to promote the fraudulent “Apple iToken” cryptocurrency.
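The cloaking described above is detectable from the outside: resolve the same ad link once with the Twitter crawler’s user agent and once with an ordinary browser’s, follow each redirect chain to its end, and compare where the two land. The script below is an added illustration, not code from Silent Push, X/Twitter or Cyber Press. The HTTP layer is abstracted behind a `fetch(url, user_agent)` callable returning `(status, location)`, so the logic runs offline against a constructed fixture modelled on the shortener-to-redirector chain in the article; the `EXAMPLE` path segments and `redirector.example` host are placeholders, not the campaign’s real links.

```python
"""Detect user-agent cloaking in a redirect chain (added example)."""
from urllib.parse import urlparse, urljoin

TWITTERBOT_UA = "Twitterbot/1.0"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36"
REDIRECT_STATUSES = (301, 302, 303, 307, 308)
MAX_HOPS = 10


def follow_redirects(start_url, user_agent, fetch, max_hops=MAX_HOPS):
    """Return (chain, truncated): every URL visited starting at start_url,
    and whether the walk stopped because of a loop or the hop budget
    rather than a final non-redirect response.
    `fetch(url, user_agent)` must return (status, location_header_or_None)
    and must NOT follow redirects itself."""
    chain = [start_url]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url, user_agent)
        if status not in REDIRECT_STATUSES or not location:
            return chain, False          # landed on a real page
        nxt = urljoin(url, location)     # Location may be relative
        if nxt in seen:
            return chain, True           # redirect loop
        seen.add(nxt)
        chain.append(nxt)
        url = nxt
    return chain, True                   # hop budget exhausted


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def detect_cloaking(start_url, fetch):
    """Walk the chain as the crawler and as a browser; flag a host mismatch."""
    bot_chain, bot_trunc = follow_redirects(start_url, TWITTERBOT_UA, fetch)
    user_chain, user_trunc = follow_redirects(start_url, BROWSER_UA, fetch)
    bot_host, user_host = host_of(bot_chain[-1]), host_of(user_chain[-1])
    return {
        "cloaked": bot_host != user_host,
        "bot_landing": bot_host,
        "user_landing": user_host,
        "bot_chain": bot_chain,
        "user_chain": user_chain,
        "truncated": bot_trunc or user_trunc,
    }


# Constructed fixture (not real traffic): the shortener hops are identical for
# both clients; the final redirector hands the crawler a news site and every
# other client the scam landing page named in the article.
_FIXTURE = {
    ("https://bit.ly/EXAMPLE", "any"): (301, "https://t.co/EXAMPLE"),
    ("https://t.co/EXAMPLE", "any"): (302, "https://redirector.example/go"),
    ("https://redirector.example/go", "bot"): (302, "https://cnn.com/"),
    ("https://redirector.example/go", "browser"): (302, "https://ipresale.world/"),
}


def fixture_fetch(url, user_agent):
    """Offline stand-in for an HTTP client with redirects disabled."""
    client = "bot" if "twitterbot" in user_agent.lower() else "browser"
    for key in ((url, client), (url, "any")):
        if key in _FIXTURE:
            return _FIXTURE[key]
    return (200, None)  # final page, no further redirect


if __name__ == "__main__":
    report = detect_cloaking("https://bit.ly/EXAMPLE", fixture_fetch)
    print("cloaked          :", report["cloaked"])
    print("crawler lands on :", report["bot_landing"])
    print("browser lands on :", report["user_landing"])
```

For live checks, supply a `fetch` that issues the request with redirects disabled (for example `requests.get(url, headers={"User-Agent": ua}, allow_redirects=False)` and returns `resp.status_code, resp.headers.get("Location")`), and run it from a network that the redirector has no reason to treat specially. Comparing only the final host keeps the signal simple; a stricter version could also compare the full chains, since a redirector that changes its destination after ad approval will show up as a chain that differs from an earlier capture.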

Figure: Screenshot of X/Twitter ad abusing the Apple brand

Here, users are enticed to register accounts and are presented with 22 unique wallet addresses for various cryptocurrencies, including Bitcoin, Ethereum, and USDT, to purchase the fake token.

Infrastructure and Evolution of the Threat

Silent Push’s investigation revealed that this campaign is not isolated. Nearly 90 similar domains have been identified since 2024, sharing infrastructure, visual assets (including Apple and X/Twitter-themed favicons), and financial lures; many use the same server infrastructure and name servers, primarily hosted with providers such as Hetzner and Cloudflare.

Further technical pivots using CSS file hashes and favicon fingerprints enabled analysts to map an expansive network of associated domains, many registered on PublicDomainRegistry and mapped to ASN “Online SAS, FR.”

Figure: Screenshot of the Order ID error message

Additionally, the campaign exhibits a pattern of leveraging URL shorteners and dynamic redirects, updating destinations after ad approval to avoid detection and maximize reach.

The scammers have continued to iterate on their tactics: a second ad, detected on May 5, 2025, employed a new redirect chain (bit[.]ly/4iS1W9p → chopinkos[.]digital → itokensale[.]live), but ultimately led to another near-identical “iToken” scam site.

Forensic analysis of these websites showed consistent reuse of web assets, unique JavaScript/CSS, and shared wallet addresses, strong evidence of a coordinated and persistent threat actor group.

This campaign underscores the risks posed by seemingly small platform vulnerabilities.

By spoofing the display URL in X/Twitter ads, the perpetrators effectively sidestep traditional user vigilance, exploiting the trust placed in recognized news brands and the Apple identity.

Their sophisticated web infrastructure, rapid domain registration, and continuous asset reuse suggest an organized and well-resourced operation.

Silent Push analysts advise all organizations to remain vigilant, block the identified domains and associated infrastructure, and monitor similar exploit vectors.

The indicators of compromise (IOCs) described below provide actionable threat intelligence for defenders.

Indicators of Compromise (IOC)

Type | Indicator | Notes (where applicable)
--- | --- | ---
IP Address | 51.15.17[.]214 | Online SAS hosting
Domain | ipresale[.]world | Fake iToken scam landing page
Domain | itokensale[.]live | Redirected scam campaign
Domain | isale[.]ltd | Copycat scam site
Domain | i-token[.]org | Offline; previous campaign infrastructure
Domain | chopinkos[.]digital | Redirector, registered May 5, 2025
Domain | x-token24[.]xyz | Additional scam infrastructure
Name Server | ns1.chsw.host, ns2.chsw.host | Suspicious, seen in financial scam domains
Favicon (MD5) | 4f658b9a7d067de5238644b78d8d09cc | Apple impersonation
Favicon (MD5) | e8c5c5829b630dcf61b55f271ac6c085 | X/Twitter impersonation
Wallet (BTC) | bc1qw7cs3wsgryerfhqz3ekd9h34kcdy75nckkwm79 | Scam wallet address
Wallet (ETH) | 0x2a4Ca7B6D5FEA094e02f152D712bFD49de6D3410 | Scam wallet address
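Turning the IOC table into something a resolver or firewall can consume takes two small steps: undo the “[.]” defanging, then sort indicators by what can block them. The script below is an added example, not tooling from Silent Push or Cyber Press. Its `IOC_TABLE` string is the article’s table re-typed as tab-separated rows; the output format chosen for domains is a BIND-style Response Policy Zone (RPZ) fragment, where `name CNAME .` returns NXDOMAIN for a name and the `rpz-nsdname` trigger matches any domain served by a listed name server. The file names and zone layout around that fragment are left to the reader’s resolver configuration.

```python
"""Refang the article's IOC table and emit DNS (RPZ) and IP blocklists
(added example)."""
import re

# Rows copied from the IOC table above, tab-separated for parsing.
IOC_TABLE = """\
IP Address\t51.15.17[.]214\tOnline SAS Hosting
Domain\tipresale[.]world\tFake iToken scam landing page
Domain\titokensale[.]live\tRedirected scam campaign
Domain\tisale[.]ltd\tCopycat scam site
Domain\ti-token[.]org\tOffline; previous campaign infrastructure
Domain\tchopinkos[.]digital\tRedirector, registered May 5, 2025
Domain\tx-token24[.]xyz\tAdditional scam infrastructure
Name Server\tns1.chsw.host, ns2.chsw.host\tSuspicious, seen in financial scam domains
Favicon (MD5)\t4f658b9a7d067de5238644b78d8d09cc\tApple impersonation
Favicon (MD5)\te8c5c5829b630dcf61b55f271ac6c085\tX/Twitter impersonation
Wallet (BTC)\tbc1qw7cs3wsgryerfhqz3ekd9h34kcdy75nckkwm79\tScam wallet address
Wallet (ETH)\t0x2a4Ca7B6D5FEA094e02f152D712bFD49de6D3410\tScam wallet address
"""

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)
IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def refang(value):
    """Undo common defanging: '[.]' and '(.)' -> '.', 'hxxp' -> 'http'."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def parse_iocs(table):
    """Parse tab-separated rows into dicts; a cell may hold several
    comma-separated indicators (the name server row does)."""
    iocs = []
    for line in table.splitlines():
        if not line.strip():
            continue
        kind, raw, note = line.split("\t", 2)
        for item in raw.split(","):
            iocs.append({"type": kind.strip(),
                         "value": refang(item.strip()),
                         "note": note.strip()})
    return iocs


def build_blocklists(iocs):
    """Return (rpz_records, ip_list). Hashes and wallets are not blockable
    at DNS or IP level and are left for other matching."""
    rpz, ips = [], []
    for ioc in iocs:
        v = ioc["value"].lower()
        if ioc["type"] == "Domain" and DOMAIN_RE.match(v):
            rpz.append(f"{v} CNAME .")        # NXDOMAIN the name itself
            rpz.append(f"*.{v} CNAME .")      # ... and every subdomain
        elif ioc["type"] == "Name Server" and DOMAIN_RE.match(v):
            # NSDNAME trigger: any domain delegated to this NS is blocked
            rpz.append(f"{v}.rpz-nsdname CNAME .")
        elif ioc["type"] == "IP Address" and IPV4_RE.match(v):
            ips.append(v)
    return rpz, ips


if __name__ == "__main__":
    rpz, ips = build_blocklists(parse_iocs(IOC_TABLE))
    print("; RPZ fragment")
    print("\n".join(rpz))
    print("; IP blocklist")
    print("\n".join(ips))
```

The `rpz-nsdname` entries are the more durable part of the list: the article notes that new scam domains keep appearing on the same name servers, so blocking by delegation catches domains that have not been catalogued yet, at the cost of needing review if the name server also serves legitimate zones.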

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
