Highlights:
- Hackers compromised over 15 X accounts, promoting scam Solana tokens and phishing schemes.
- Hackers used phishing emails and fake support to steal credentials and promote scams.
- Cybercriminals are increasingly targeting X, exploiting its popularity for phishing and scam campaigns.
Blockchain investigator ZachXBT revealed on December 24 that hackers compromised over 15 X accounts, promoting scam Solana meme coins. The attacks enabled scammers to steal approximately $500k.
2/3 Each of the 15 ATOs were directly connected by mapping out the deployer address for each scam.
The attacker bridged back and forth between Solana and Ethereum in an attempt to obfuscate the funding source.
— ZachXBT (@zachxbt) December 24, 2024
Details of the Attacks
ZachXBT revealed that these incidents, starting on November 26, are part of a larger scheme. Over 15 breaches have been linked to the operation by an unknown hacker or group. Hackers breached popular accounts like Brett, Kick Streaming, and Alex Blania. They stole passwords and other credentials through deception. The hackers mimicked X support agents to trick users. They falsely claimed users violated terms of use and copyright policies. The phishing emails appeared to be official communication from X. They falsely claimed to address copyright infringement issues, creating urgency.
The hackers tricked victims into visiting a phishing website. They prompted victims to reset their two-factor authentication (2FA) or password. The attackers stole the credentials and took control of the accounts, and used the compromised accounts to promote meme coin scams.
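The lure described above has three traits a mail filter or analyst can check for: a sender posing as X support, a copyright or terms-violation pretext, and a password or 2FA reset link that leaves X's own domains. The following triage sketch is an added example, not code from ZachXBT or X; the domain allowlist, the keyword patterns and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

X_DOMAINS = ("x.com", "twitter.com")  # assumption: hosts treated as genuine X
BRAND = re.compile(r"\b(x|twitter)\b.*\b(support|team|help)\b", re.I)
PRETEXT = re.compile(r"copyright|infring|violat|terms of (use|service)", re.I)
RESET = re.compile(r"password|two-factor|2fa|reset", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_x_host(host):
    """True only for an X domain itself or a real subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in X_DOMAINS)

def triage(raw):
    """Return which traits of the lure one raw message shows."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    body = " ".join(p.get_payload(decode=True).decode("utf-8", "replace")
                    for p in msg.walk() if not p.is_multipart())
    text = f"{msg.get('Subject', '')} {body}"
    # Links whose host is not X, including lookalikes such as x.com.<other>
    off_x = [u for u in URL.findall(body) if not is_x_host(urlsplit(u).hostname)]
    traits = []
    if BRAND.search(name) and not is_x_host(addr.rpartition("@")[2]):
        traits.append("sender_impersonates_x")
    if PRETEXT.search(text):
        traits.append("policy_violation_pretext")
    if RESET.search(text) and off_x:
        traits.append("offsite_credential_link")
    return traits

# Constructed samples; the .example hosts are placeholders, not real indicators.
PHISH = """From: "X Support" <notice@x-appeals.example>
Subject: Copyright infringement notice: action required within 24 hours

Your account violated our terms of use. Reset your password and
two-factor authentication here: https://x.com.account-review.example/reset
"""
GENUINE = """From: X <info@x.com>
Subject: New login to your account

If this was not you, review your sessions at https://x.com/settings/security
"""

if __name__ == "__main__":
    print(triage(PHISH))
    print(triage(GENUINE))
```

The From header can be forged, so a sender address on an X domain is not proof of origin; the check complements SPF, DKIM and DMARC results rather than replacing them.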
After the hack, the accounts promoted fake Solana-based tokens. They shared a contract address and urged followers to invest with SOL. This led victims to unknowingly transfer funds to the scammers. Investigators traced the deployer address, linking all 15 account takeovers (ATOs).
The hackers tried to hide their funding sources by bridging funds between Solana and Ethereum. Despite these efforts, investigators traced the activities back to a single threat actor. To protect against such attacks, users should avoid reusing email addresses across services. Security experts recommend using physical security keys for 2FA on critical accounts whenever possible.
The first known incident occurred on November 26 with RuneMine’s X account. The most recent breach happened on December 24, involving Kick. Many of the hacked X accounts had large followings, with over 200,000 followers each.
Cybercriminals Exploit X for Phishing Scams
X, formerly Twitter, has become a hub for creators and projects after Elon Musk’s acquisition. The platform focuses on free speech and creator monetization. However, its growth has attracted cybercriminals. They spread phishing links and target creators with scams. On December 8, hackers breached the Cardano Foundation’s X account. The attacker promoted a fake “ADAsol” token and falsely claimed the Foundation would stop supporting ADA.
The scam generated $500k in trading volume before the token’s value dropped by 99%. Cardano founder Charles Hoskinson confirmed the breach. In October, an attacker hacked Symbiotic’s X account and posted phishing links disguised as airdrop checklists. These links tricked users and led to stolen tokens. EigenLayer, a restaking protocol, experienced a similar attack. The hacker ran a fake airdrop campaign to target victims.