Hackers hijack high-profile X accounts with phishing scams to steal credentials and promote fraudulent cryptocurrency schemes
# Incident Report: High-Profile X (Twitter) Account Takeover via Phishing
## Executive Summary
A significant phishing campaign successfully compromised numerous high-profile X accounts, including those belonging to political figures, journalists, and technology companies, to promote fraudulent cryptocurrency schemes. The attackers utilized deceptive emails, often leveraging Google's AMP Cache to bypass security filters, to steal user credentials. Response efforts have focused on monitoring the ongoing activity and advising users on preventative measures like enabling 2FA.
## Incident Details
- Discovery Date: Ongoing, identified by SentinelLabs over "the past few weeks."
- Incident Date: Ongoing, linked to activity observed in mid-2024 and specific recent events (e.g., January 30, 2025).
- Affected Organization: Various high-profile individuals and organizations (US political figures, journalists, platform employees, tech firms, crypto organizations).
- Sector: Technology, Cryptocurrency, Media, Political/Government.
- Geography: Global (Belize-based VPS provider infrastructure noted).
## Timeline of Events
### Initial Access
- Date/Time: Ongoing, occurring over recent weeks.
- Vector: Credential Phishing via email.
- Details: Attackers sent fake X login notifications or copyright violation warnings to targets. They leveraged Google’s AMP Cache domain to redirect targeted users to phishing websites (e.g., domains linked to x-recoverysupport\[.\]com).
### Lateral Movement
- Details: Once credentials were obtained, the attackers immediately locked victims out and gained control of the X accounts to perpetrate fraud. No lateral movement beyond the X platform is described; the activity is confined to account takeover.
### Data Exfiltration/Impact
- Details: Compromised accounts were used to promote fraudulent cryptocurrency schemes or external deceptive sites to defraud additional victims. The primary impact was the hijacking of the account identity and the subsequent fraud perpetrated through the trusted platform.
### Detection & Response
- Detection: Identified by SentinelLabs through continuous monitoring and analysis of phishing lures and infrastructure.
- Response Actions: SentinelLabs published analysis and urged the public to report similar suspicious activity while recommending layered security practices.
## Attack Methodology
- Initial Access: Credential Phishing via deceptive emails (fake login prompts, copyright warnings).
- Persistence: Achieved by immediately changing credentials and locking out rightful owners post-takeover.
- Privilege Escalation: Not explicitly detailed, but control of the primary X account is the objective.
- Defense Evasion: Utilization of legitimate services like Google's AMP Cache domain to bypass common email security filters.
- Credential Access: Direct harvesting of X account credentials via custom phishing pages.
- Discovery: Reconnaissance involved identifying high-profile targets across multiple sectors.
- Lateral Movement: Movement focuses on immediate control of the compromised X account to leverage its existing network trust.
- Collection: Data collection focused specifically on highly valuable social media credentials.
- Exfiltration: The "exfiltration" was the use of the compromised identity to spread malicious external links/scams for financial gain (crypto fraud).
- Impact: Financial fraud resulting from crypto scams promoted via hijacked accounts.
## Impact Assessment
- Financial: Significant potential financial losses due to promoted cryptocurrency scams (linked to known $2.3Bn crypto loss trend).
- Data Breach: Social media credentials (X account access) for high-profile users.
- Operational: Disruption of the public communication channels and security posture of affected individuals/organizations (e.g., Tor Project compromise).
- Reputational: Severe reputational damage to compromised individuals/organizations whose accounts were used for fraud.
## Indicators of Compromise
- Network Indicators (Defanged):
  - Phishing Delivery Domain: securelogins-x\[.\]com
  - Phishing Page Domain: x-recoverysupport\[.\]com
  - Associated Scam/Placeholder Domain: buy-tanai\[.\]com
  - Infrastructure: Associated with an IP linked to a Belize-based VPS provider, using FASTPANEL.
- File Indicators: N/A (Primarily web-based credential theft).
- Behavioral Indicators: Promotion of cryptocurrency schemes immediately following account takeover; locking out rightful owners.
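The defense-evasion technique in this report (wrapping the phishing destination in a Google AMP Cache URL so that filters see only `cdn.ampproject.org`) and the defanged domains listed above can be combined into a simple link-triage check. The following Python is an added example written for this report; it is not SentinelLabs code and does not come from the original analysis. It assumes the AMP Cache URL layout as Google documents it (`https://<cache-host>/c/s/<origin-host>/<path>`, with `cdn.ampproject.org` or `<dashed-origin>.cdn.ampproject.org` as the cache host, `/c/` or `/v/` as the fetch type and an optional `s` marking an https origin). The sample links are constructed to match the shapes described in the report and are not real lures.

```python
"""Unwrap Google AMP Cache links and match the true destination against a
defanged IoC list.  Added example for this report, not SentinelLabs code."""
from typing import Optional
from urllib.parse import urlsplit

# Defanged domains copied from the report's IoC section.
DEFANGED_IOCS = [
    "securelogins-x[.]com",
    "x-recoverysupport[.]com",
    "buy-tanai[.]com",
]


def refang(domain: str) -> str:
    """Turn 'example[.]com' / '(.)' / 'hxxp' style defanging back into a real host."""
    return (domain.replace("[.]", ".").replace("(.)", ".")
                  .replace("hxxp", "http").strip().lower())


IOC_HOSTS = {refang(d) for d in DEFANGED_IOCS}


def unwrap_amp_cache(url: str) -> Optional[str]:
    """Return the origin URL served by an AMP Cache link, or None if `url`
    is not an AMP Cache link.  Layout assumed (Google-documented):
    https://<cache-host>/c/s/<origin-host>/<path>  ('/v/' = viewer form,
    optional 's' = origin is https, otherwise http)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host != "cdn.ampproject.org" and not host.endswith(".cdn.ampproject.org"):
        return None
    segs = parts.path.lstrip("/").split("/")
    if len(segs) < 2 or segs[0] not in ("c", "v"):
        return None
    scheme, idx = "http", 1
    if segs[1] == "s":            # 's' segment: origin was fetched over https
        scheme, idx = "https", 2
    if len(segs) <= idx or not segs[idx]:
        return None
    origin = f"{scheme}://{segs[idx]}/{'/'.join(segs[idx + 1:])}"
    if parts.query:
        origin += "?" + parts.query
    return origin


def classify_link(url: str) -> dict:
    """Resolve the effective destination host of a link and flag IoC hits,
    matching the host itself and any subdomain of an IoC domain."""
    origin = unwrap_amp_cache(url)
    final = origin if origin is not None else url
    host = (urlsplit(final).hostname or "").lower()
    hit = any(host == ioc or host.endswith("." + ioc) for ioc in IOC_HOSTS)
    return {"url": url, "amp_wrapped": origin is not None,
            "final_host": host, "ioc_match": hit}


# Constructed sample links (shapes only; not real lure URLs).
SAMPLE_LINKS = [
    "https://cdn.ampproject.org/c/s/x-recoverysupport.com/login?session=abc",
    "https://x-recoverysupport-com.cdn.ampproject.org/c/s/x-recoverysupport.com/verify",
    "https://cdn.ampproject.org/c/securelogins-x.com/notice",
    "https://cdn.ampproject.org/c/s/example.org/news/amp",
    "https://x.com/settings",
]


def scan(links):
    """Classify every link; returns one result dict per input in order."""
    return [classify_link(u) for u in links]


if __name__ == "__main__":
    for r in scan(SAMPLE_LINKS):
        flag = "ALERT" if r["ioc_match"] else "ok"
        print(f"{flag:5} amp={str(r['amp_wrapped']):5} host={r['final_host']}  {r['url']}")
```

The point of the unwrap step is that a filter keyed on the visible hostname sees only Google's cache domain; only after extracting the origin segment does the phishing domain become comparable with the IoC list. In a mail-gateway or SIEM pipeline the same function would run over every URL pulled from message bodies, with the IoC set replaced by a threat-intelligence feed.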
## Response Actions
- Containment Measures: Public disclosure and analysis by SentinelLabs to alert the community.
- Eradication Steps: End-users are advised to initiate password resets and report suspicious activity to X/platform administrators.
- Recovery Actions: Affected users must reclaim control of their accounts, change passwords, and revoke suspicious session tokens.
## Lessons Learned
- Email filtering systems remain vulnerable to sophisticated URL redirection techniques (e.g., AMP Cache abuse).
- High-profile/verified accounts are prime targets for identity hijacking to lend credibility to subsequent scams.
- Infrastructure resilience: Attackers maintained operational phishing infrastructure using readily available, low-cost hosting services (FASTPANEL).
## Recommendations
- Mandatory implementation of Two-Factor Authentication (2FA) on all critical social media and email accounts.
- Users must verify URLs directly through official channels rather than clicking links in unsolicited messages, even if they appear to originate from trusted platforms.
- Organizations should conduct regular security training emphasizing the detection of social engineering tactics used in credential harvesting.
- Review and restrict third-party application permissions linked to high-value accounts.