A recent phishing campaign has emerged, targeting high-profile X accounts and exploiting them for fraudulent activities. The campaign, uncovered by security firm SentinelLabs, has affected a wide range of individuals and organizations, including US political figures, international journalists, a platform employee, major technology firms, cryptocurrency organizations, and owners of valuable short usernames.
This malicious activity is reminiscent of a similar operation in 2024 that aimed to compromise multiple accounts for financial gain by spreading scam content. While the current campaign mainly focuses on X accounts, attackers have also set their sights on other popular online services.
Phishing Tactics and Account Takeover
The security firm has identified several phishing lures used in this campaign over the past few weeks. One common tactic involves sending fake login notifications via email to direct targets to credential phishing sites. Another approach uses copyright violation warnings to deceive users into providing their login credentials.
In some instances, attackers abused Google's AMP cache, which serves third-party pages from google.com or ampproject.org URLs, so that the link in the email carried a trusted Google-owned hostname, passed reputation-based email filters, and then redirected the recipient to the phishing site. These pages prompt users to enter their X account credentials, which the attackers then use to take over the accounts. Once compromised, accounts are quickly locked out from their rightful owners and used to promote fraudulent cryptocurrency schemes or external websites designed to lure additional victims.
Widespread Infrastructure and Attack Patterns
The campaign has used multiple phishing domains, for example securelogins-x[.]com for sending the lure emails and x-recoverysupport[.]com for hosting the credential-harvesting pages. These domains resolved to an IP address belonging to a Belize-based VPS provider, while most of the phishing sites were registered through a Turkish hosting service.
Further investigation into the infrastructure shows that the domains frequently run FASTPANEL, a legitimate hosting control panel that criminals favour for its ease of use and low cost. Many of the malicious sites hosted on the campaign's servers are still live, indicating that the operators can sustain phishing over long periods without takedown or detection.
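The AMP-cache hop described above and the defanged domains listed for the campaign's infrastructure can be turned into a simple mail-filter check: unwrap any Google AMP link to the page it actually fetches, then compare the final hostname against the indicator list. The Python below is an added example written for this article, not SentinelLabs code. The two URL shapes it unwraps (google.com/amp/[s/]host/path and host.cdn.ampproject.org/type/[s/]host/path, where "s/" marks an https origin) are Google's documented AMP viewer and cache formats; the sample email body is constructed, and the indicator list is just the three domains named in the article.

```python
from __future__ import annotations

import re
from urllib.parse import unquote, urlparse

# Constructed indicator list: the defanged domains named in the article.
DEFANGED_IOCS = [
    "securelogins-x[.]com",
    "x-recoverysupport[.]com",
    "buy-tanai[.]com",
]


def refang(indicator: str) -> str:
    """Turn 'example[.]com' / 'hxxp://' back into a plain hostname or URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


PHISHING_DOMAINS = {refang(d) for d in DEFANGED_IOCS}

# AMP cache paths look like /c/s/host/path (page), /i/s/host/img (image), /v/... (viewer).
AMP_CACHE_PATH = re.compile(r"^/[a-z]/(.*)$")


def unwrap_amp(url: str) -> str:
    """Return the origin URL a Google AMP viewer/cache link serves; other URLs pass through."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host in ("google.com", "www.google.com") and p.path.startswith("/amp/"):
        rest = p.path[len("/amp/"):]
    elif host.endswith(".cdn.ampproject.org"):
        m = AMP_CACHE_PATH.match(p.path)
        if not m:
            return url
        rest = m.group(1)
    else:
        return url
    # A leading "s/" means the origin is https; without it the origin is plain http.
    if rest.startswith("s/"):
        scheme, rest = "https", rest[2:]
    else:
        scheme = "http"
    dest = f"{scheme}://{unquote(rest)}"
    if p.query:
        dest += "?" + p.query
    return dest


URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_ioc_host(host: str) -> bool:
    """Exact match or subdomain of a listed phishing domain."""
    host = host.lower()
    return host in PHISHING_DOMAINS or any(host.endswith("." + d) for d in PHISHING_DOMAINS)


def flag_urls(text: str) -> list[tuple[str, str]]:
    """Return (url_as_seen, resolved_url) pairs whose resolved host matches an indicator."""
    hits = []
    for url in URL_RE.findall(text):
        final = unwrap_amp(url)
        if is_ioc_host(urlparse(final).hostname or ""):
            hits.append((url, final))
    return hits


# Constructed lure body: a fake "new login" alert carrying an AMP viewer link and an
# AMP cache link. In cache hostnames a dot becomes "-" and a hyphen becomes "--".
SAMPLE_EMAIL = """\
We noticed a new login to your X account from an unrecognised device.
If this wasn't you, secure your account now:
https://www.google.com/amp/s/x-recoverysupport.com/login?ref=mail
Read our help centre: https://help.x.com/en/safety-and-security
Unsubscribe: https://x--recoverysupport-com.cdn.ampproject.org/c/s/x-recoverysupport.com/unsub
"""

if __name__ == "__main__":
    for seen, resolved in flag_urls(SAMPLE_EMAIL):
        print(f"FLAG  {seen}\n  ->  {resolved}")
```

Legitimate AMP links are common in newsletters, so the check unwraps rather than blocks: only the resolved origin is compared against the indicator list, and the help-centre link in the sample passes untouched. A filter that allow-lists google.com by reputation alone would have let both lure links through.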
Emerging Account Intrusions and Crypto Fraud
Recent incidents suggest that the campaign may be expanding its targets. On January 30, 2025, the official X account of the Tor Project was compromised using phishing tactics similar to those employed in this campaign. Social media accounts linked to the Decentralized Autonomous Wireless Network (DAWN) were also hijacked and used to trick victims into entering their X and Telegram credentials on phishing pages.
Some of the campaign's domains have been associated with crypto-themed scams. For instance, buy-tanai[.]com was initially promoted as an AI-powered trading tool but was later found to be a front for potentially fraudulent activity. It appears that the attackers register such domains in advance and change their content as the scam of the moment changes.
Historical Connections and Prevention Measures
This campaign mirrors a trend of high-profile account takeovers witnessed in mid-2024, including the hijacking of the Linus Tech Tips X account. More recently, in January 2025, the X account of the late crypto-enthusiast and antivirus software founder John McAfee was reactivated to endorse a questionable cryptocurrency called $AIntivirus.
To safeguard against such threats, users are advised to use strong, unique passwords for their X accounts, enable two-factor authentication (2FA, preferably an authenticator app or hardware security key rather than SMS), refrain from clicking links in unsolicited messages, verify the URL in the address bar before entering credentials, and initiate password resets only by navigating to the official website directly rather than through a link in an email. SentinelLabs continues to monitor the situation and encourages individuals who encounter similar suspicious activity to report it promptly.