
Fake Project Teams: Beware of High-Fidelity Impersonators Phishing in the Comments
TechFlow Selected TechFlow Selected

Fake Project Teams: Beware of High-Fidelity Impersonators Phishing in the Comments
This article will analyze the operational process of phishing groups in the comment sections of well-known project teams.
Authors: Shan & Liz
Background
Recently, the SlowMist security team has received multiple reports of crypto theft. After analyzing these incidents, we discovered that in most cases, the root cause was phishing comments under tweets posted by well-known project teams.
SlowMist then conducted a targeted analysis and found that approximately 80% of prominent projects have their first comment slot on Twitter occupied by scam accounts after posting a tweet. Given the high level of automation used by these phishing groups and the relatively low security awareness among some cryptocurrency users, this article will dissect how phishing gangs operate in official project comment sections to raise awareness across the crypto community.
Attack Workflow
1. Purchasing Twitter accounts. We found numerous Telegram groups dedicated to selling Twitter accounts. These accounts vary in follower count, number of posts, and registration date, allowing buyers to select suitable ones based on needs. Reviewing historical records in these groups reveals that most sold accounts are related to the cryptocurrency industry or are influencer accounts.


In addition to Telegram groups, there are websites专门 for selling Twitter accounts. These platforms offer accounts registered in various years and support purchases of lookalike usernames—such as "Optimlzm" (fake) mimicking "Optimism" (real). These sites also accept cryptocurrency payments.

(https://twitteraccseller.mysellix.io/)
2. After acquiring ready-made accounts, phishing groups use promotion tools to buy likes, retweets, and followers to enhance account credibility. These promotion services also accept cryptocurrency payments and provide engagement metrics across major international social media platforms. Buyers simply input the target link and desired quantity to complete a purchase.

(https://easyliker.ru/services)
According to customer service from one such platform, they have processed over 1.3 million orders and served more than 20,000 customers.

3. With the above preparations, phishing groups now possess Twitter accounts with sufficient posts and followers. They then mimic the content and style of legitimate project accounts, making it difficult for some users to distinguish between real and fake. The critical phase of the phishing operation then begins:
-
Automated bots monitor updates from well-known projects;
-
As soon as a project posts a tweet, the phishing bot automatically leaves the first comment to secure visibility and maximize exposure;
-
Since users are viewing an authentic post from the official project, and the phishing account appears nearly identical due to name spoofing, any lapse in vigilance may lead them to click on phishing links disguised as airdrops. Once users authorize or sign transactions, their assets are compromised.
Case Study
On January 12, Optimism's official Twitter account posted a tweet. The very first comment underneath was left by a phishing group. This comment received significant engagement and included a link labeled as the official website. However, the text-based URL was actually a phishing link—see image below. On the same day, SlowMist CISO @IM_23pds issued a public warning urging users to be cautious of impersonator accounts in project comment sections.

(https://twitter.com/IM_23pds/status/1745662404300788120)
The phishing group exploited Twitter’s display name feature, which allows users to change their visible name without altering their unique username (Handle), typically starting with @. The fake account changed its display name to match the official one—"Optimism"—but upon closer inspection, the username differs slightly: replacing "is" with "lz" (e.g., "Optimlzm"). This deceptive technique has previously been documented in the Dark Forest Survival Guide.
MistTrack Analysis
Using the on-chain tracking tool MistTrack, we investigated the Ethereum address 0xd02c75102ed941b26e318c0896c5b5aeb4ddc965 associated with individuals selling Twitter accounts on Telegram. We found that all incoming transactions to this address originated from addresses flagged by MistTrack as malicious—linked to phishing and theft activities. Drilling down further by double-clicking these addresses revealed extensive networks of additional malicious addresses, highlighting the vast scale of this underground market.


Countermeasures
1. Enhance anti-phishing browser extensions. Around 90% of NFT phishing attacks in the blockchain space involve fake domains. Real-time monitoring and alerts for known phishing domains are crucial. If a user opens a phishing page, the extension or browser should immediately flag it as risky, preventing subsequent signature scams by stopping threats at the earliest stage.
2. Implement “What You See Is What You Sign” and interactive security features in wallets. Wallets equipped with fraud detection can clearly present human-readable details of what a user is about to sign—such as what permissions are being granted, the amount involved, and the recipient. This transparency creates a final defensive layer, helping users recognize dangerous transactions before confirming.
3. Strengthen personal security awareness. No matter how advanced protective tools or warnings become, individual vigilance remains paramount. Always verify links, approvals, and signatures carefully before proceeding. Only through conscious caution can users avoid falling victim to theft and scams.
Conclusion
This article examines the growing trend of phishing comments beneath tweets from prominent project teams, detailing the operational workflow of phishing groups. Our goal is to help users recognize this threat, stay alert, and protect their digital assets.
Finally, we recommend reading the *Blockchain Dark Forest Survival Guide* published by SlowMist to gain deeper insights into cybersecurity best practices.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News









