New Phishing Attack Compromises High-Profile X Accounts to Spread Malicious Links

A new wave of phishing attacks has been identified, targeting high-profile accounts on the social media platform X (formerly Twitter).

The campaign, which has been active since mid-2024, aims to hijack accounts belonging to U.S. political figures, international journalists, technology organizations, cryptocurrency entities, and other prominent users.

Once compromised, these accounts are used to promote fraudulent cryptocurrency schemes; the victims' large followings let the scams reach far more potential marks than the attackers' own accounts could.

SentinelLABS researchers have linked this activity to a similar operation from the previous year that successfully compromised multiple accounts.

The attackers use phishing lures such as fake account login notifications and copyright violation alerts to deceive users into providing their credentials.

Notably, the campaign also abuses Google's AMP Cache: the phishing link points at a Google-owned domain, which passes the reputation checks that email security tools apply to the visible host, and the Google endpoint then loads or redirects to the attacker's page, whose real host is encoded in the URL path.
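To make the AMP Cache trick concrete, the following is an added Python example (not code from SentinelLABS or from the original article) that unwraps Google AMP viewer links (google.com/amp/...) and per-origin AMP Cache links (*.cdn.ampproject.org/c/...) to the real origin host before a reputation check. The sample links and the block list are constructed for illustration from the defanged domains named above.

```python
from typing import Optional
from urllib.parse import urlparse, urlunparse

# Hosts that front the Google AMP viewer. A link to one of these can land on an
# arbitrary third-party page whose host is encoded in the URL path.
AMP_VIEWER_HOSTS = {"google.com", "www.google.com"}
# Per-origin AMP Cache hosts: the origin's dots become hyphens and its hyphens
# are doubled, e.g. x-recoverysupport.com -> x--recoverysupport-com.cdn.ampproject.org
AMP_CACHE_SUFFIX = ".cdn.ampproject.org"
# Path prefixes used by the cache: /c/ document, /v/ viewer, /i/ image, /r/ resource
AMP_CACHE_PREFIXES = {"c", "v", "i", "r"}


def unwrap_amp(url: str) -> Optional[str]:
    """Return the origin URL hidden inside an AMP viewer or AMP Cache link,
    or None when the URL is not an AMP wrapper."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    segs = [s for s in parts.path.split("/") if s]
    if not segs:
        return None

    if host in AMP_VIEWER_HOSTS and segs[0] == "amp":
        segs = segs[1:]          # https://www.google.com/amp/s/<host>/<path>
    elif host.endswith(AMP_CACHE_SUFFIX) and segs[0] in AMP_CACHE_PREFIXES:
        segs = segs[1:]          # https://<x>.cdn.ampproject.org/c/s/<host>/<path>
    else:
        return None

    # An "s" segment means the origin is fetched over https; otherwise http.
    scheme = "http"
    if segs and segs[0] == "s":
        scheme, segs = "https", segs[1:]
    if not segs:
        return None

    origin_host = segs[0].lower()
    path = "/" + "/".join(segs[1:])
    return urlunparse((scheme, origin_host, path, "", parts.query, ""))


def effective_host(url: str) -> str:
    """The host a reputation check should actually score: the unwrapped origin
    for AMP links, the visible host for everything else."""
    target = unwrap_amp(url) or url
    return (urlparse(target).hostname or "").lower()


def flag_links(urls, blocked_hosts):
    """Return (url, effective_host) for every link whose effective host is blocked,
    even when the visible host is a trusted Google domain."""
    hits = []
    for u in urls:
        h = effective_host(u)
        if h in blocked_hosts:
            hits.append((u, h))
    return hits


# Constructed sample links (not taken from the report). The phishing hosts are the
# defanged domains named in the article, re-fanged so they parse.
SAMPLE_LINKS = [
    "https://www.google.com/amp/s/securelogins-x.com/login?session=expired",
    "https://x--recoverysupport-com.cdn.ampproject.org/c/s/x-recoverysupport.com/recover",
    "https://www.google.com/search?q=x+account+recovery",
    "https://x.com/settings/security",
]
BLOCKED = {"securelogins-x.com", "x-recoverysupport.com"}

if __name__ == "__main__":
    for link, host in flag_links(SAMPLE_LINKS, BLOCKED):
        print(f"BLOCK {host:<24} via {link}")
```

A filter that scores only the visible host sees google.com or cdn.ampproject.org on the first two links and lets them through; unwrapping to the origin first is what makes the block list fire on them while leaving the genuine Google search and x.com links alone.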

Infrastructure and Tactics

The phishing infrastructure is cheap to stand up and easy to rotate.

Domains such as “securelogins-x[.]com” and “x-recoverysupport[.]com” have been used to host phishing pages, while emails are delivered through related domains.

The attackers also utilize IP addresses linked to a Belize-based VPS service and domains registered via Turkish hosting providers.

(Figure: example discussion of FASTPANEL on a Russian-language crime forum)

One notable aspect of this campaign is its use of FASTPANEL, a web server control panel known for its ease of use and scalability.

Although not inherently malicious, FASTPANEL is frequently abused by cybercriminals for phishing campaigns.

Domains like “buy-tanai[.]com” and “emotionai[.]live” are currently staged as blank templates, allowing attackers to quickly adapt their hosted content for ongoing scams.

The actors have also staged cryptocurrency-themed projects on this infrastructure, apparently as placeholders for future scams or pump-and-dump schemes.

For instance, the domain “buy-tanai[.]com” was associated with a project promoting an AI-powered trading agent on the Solana blockchain.

Despite its initial failure in the market, the project remains active on decentralized exchanges, underscoring the financial motives behind these operations.

Recent Incidents

Recent breaches include the official X account of the Tor Project and accounts linked to the Decentralized Autonomous Wireless Network (DAWN).

In these cases, compromised accounts were used to lure victims into entering credentials on phishing pages targeting X and Telegram accounts.

While SentinelLABS has observed overlaps with past campaigns attributed to Turkish-speaking actors, no definitive attribution has been made.

The attackers’ adaptability and opportunistic targeting highlight their technical sophistication. They continuously refine their methods while maintaining a clear focus on financial objectives.

To mitigate risks, users are advised to adopt robust security measures:

  • Use unique passwords for each account.
  • Enable two-factor authentication (2FA), preferably a phishing-resistant method such as a hardware security key or passkey; SMS and authenticator codes can be relayed in real time by a phishing page.
  • Avoid clicking on unsolicited links in messages or emails, including "copyright violation" and "login notification" alerts of the kind this campaign sends.
  • Verify the domain shown in the browser address bar, not just the link text, before entering credentials; a trusted-looking intermediary such as google.com/amp/ can still land on an attacker-controlled page.
  • Initiate password resets directly through the official platform rather than through a link in a message.

As this campaign continues to evolve, individuals and organizations must remain vigilant against phishing attempts that exploit high-profile accounts for fraudulent activities in the cryptocurrency space.
