
Crypto Twitter Account Hijacking on the Rise: Reviewing Hackers' New Attack and Monetization Tactics

Even with the most stringent protection, there's still a chance of getting compromised. Once an account breach is detected, the speed of response will determine the extent of the loss.

In recent months, an increasing number of cryptocurrency projects, professionals, politicians, and celebrities have had their social media accounts compromised, followed by the posting of scam messages. Recently, several Bitget employees personally experienced similar phishing attacks. After recovering their accounts, we gradually uncovered the details and discovered that hackers are constantly upgrading their attack methods—becoming increasingly deceptive and stealthy. Therefore, we’ve prepared this article to help strengthen security defenses across the entire industry.
Bitget Employees Targeted by Phishing Attacks
In mid-May, a Bitget employee responsible for business development received a direct message on X (formerly Twitter) from a supposed partner, inviting him to discuss a potential collaboration. Both parties quickly scheduled a meeting, which proceeded as planned. During the call, the other party sent some installation files under the guise of a "functionality test," inviting the Bitget employee to try them out.
In the following days, the employee began receiving inquiries from friends and industry peers: “Did you just send me a strange DM on X?” Recognizing something was wrong, he immediately collaborated with Bitget’s security team and successfully regained access to his account using linked email and other recovery information.
Hacker Tactics Against Crypto-Related X Accounts and Their Monetization Methods
During subsequent security investigations, we reconstructed the detailed steps used in these attacks and how hackers profit from them:
Step 1: Hackers use compromised social media accounts to send direct messages to victims, directing them to contact a specific Telegram account to further discuss fake collaborations
❗ Security Alert:
- These messages may not come from suspicious small accounts—they could originate from verified official accounts. However, the scam messages were not sent by the legitimate team.
- At this point, hackers have quietly gained control of these official accounts and redirect victims to Telegram for the next stage of fraud.
- Hackers often delete the messages immediately after sending them. As a result, even if hundreds of scam messages are sent, the real account owner remains unaware.
Step 2: Once the victim contacts the hacker on Telegram, they are invited to an online meeting where they’re prompted to download and install specific files
❗ Security Alert:
- The hacker's Telegram account is usually impersonating a real employee. Details such as name and profile may be scraped from platforms like LinkedIn, and the account ID might closely resemble the real one—for example, confusing uppercase I with lowercase L.
- The installer file contains malicious code. Once the victim installs it, the hacker gains remote access to their device, enabling theft of social media credentials, cryptocurrency, or fiat assets.
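The Step 2 note above warns that the hacker's Telegram handle may differ from the real one only by a confusable character, such as an uppercase I standing in for a lowercase l. The script below is an added example, not code from the original article or from Bitget, showing how a team can screen the sender of an unsolicited DM against an allow list of its own official handles after folding confusable characters into a common form. The handles in OFFICIAL_HANDLES and the sample DMs are constructed for this example.

```python
"""Lookalike-handle check for unsolicited DMs (added example, not the article's code)."""
from __future__ import annotations

import unicodedata

# Constructed allow list for this example. A real deployment would load the
# organisation's verified staff and official handles from an internal source.
OFFICIAL_HANDLES = {"bitget_bd_alice", "bitgetlisting", "techflowpost"}

# Lowercase characters that render alike in common UI fonts. Each group's first
# element is the representative every other member is folded to.
_CONFUSABLE_GROUPS = [
    ("1", "i", "l", "|", "\u0131"),  # 1, i, l, vertical bar, dotless i
    ("0", "o"),
    ("5", "s", "$"),
    ("2", "z"),
]
_FOLD = {ch: group[0] for group in _CONFUSABLE_GROUPS for ch in group}


def fold_handle(handle: str) -> str:
    """Canonical form of a handle for lookalike comparison.

    Handles are case-insensitive on both platforms, so the text is lowercased
    first (this is what turns the attacker's 'aIice' into the registered
    'aiice'); accents and combining marks are then stripped via NFKD, single
    confusable characters are mapped to their representative, and two-letter
    tricks such as 'rn' for 'm' are folded last.
    """
    text = handle.strip().lstrip("@").lower()
    text = "".join(
        ch for ch in unicodedata.normalize("NFKD", text)
        if not unicodedata.combining(ch)
    )
    text = "".join(_FOLD.get(ch, ch) for ch in text)
    return text.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) by the classic DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_handle(handle: str) -> tuple[str, str | None]:
    """Return (verdict, matched_official_handle).

    official  - the handle is on the allow list
    lookalike - equal to an official handle only after confusable folding
    near_miss - within one edit of an official handle after folding
    unknown   - no resemblance; treat as an ordinary unverified sender
    """
    clean = handle.strip().lstrip("@").lower()
    if clean in OFFICIAL_HANDLES:
        return "official", clean
    folded = fold_handle(clean)
    for official in sorted(OFFICIAL_HANDLES):
        if folded == fold_handle(official):
            return "lookalike", official
    for official in sorted(OFFICIAL_HANDLES):
        if edit_distance(folded, fold_handle(official)) <= 1:
            return "near_miss", official
    return "unknown", None


def triage_dms(messages: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Return (sender, verdict, official_handle) for each DM whose sender is
    not on the allow list but resembles someone who is."""
    flagged = []
    for sender, _body in messages:
        verdict, match = classify_handle(sender)
        if verdict in ("lookalike", "near_miss") and match is not None:
            flagged.append((sender, verdict, match))
    return flagged


# Constructed sample DMs (sender handle, message body) for the example.
SAMPLE_DMS = [
    ("@Bitget_BD_Alice", "Let's set up a call about the listing."),
    ("@bitget_bd_aIice", "Hi, please continue the discussion with me on Telegram."),
    ("@bitget1isting", "We can fast-track your token, let's schedule a call."),
    ("@bitget_bd_alice1", "Meeting link inside."),
    ("@random_user", "gm"),
]

if __name__ == "__main__":
    for sender, verdict, match in triage_dms(SAMPLE_DMS):
        print(f"{sender:20} {verdict:10} resembles @{match}")
```

The check covers only the @username; display names and profile pictures are even easier to copy, so a "lookalike" or "near_miss" verdict is a reason to verify the person through a channel you already trust, as the prevention list later in the article recommends, not a reason to engage further in the DM.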
Step 3: After gaining access to the victim’s device, hackers first attempt to directly steal assets. Then, using the victim’s X and Telegram accounts, they identify new targets and send direct messages guiding them to contact the hacker-controlled Telegram account for further scams
❗ Security Alert:
- As mentioned earlier, hackers delete messages right after sending them, making it difficult for the account owner to realize their account has been compromised.
- This explains why scam messages can appear to come from verified official accounts while the account owners take no action—the real owners remain completely unaware.
Step 4: When the next victim connects with the hacker via Telegram, the attacker chooses an appropriate scam strategy based on their assumed identity
❗ Security Alert:
- If impersonating an exchange employee, hackers typically lure victims into transferring funds under the pretense of a token listing partnership.
- If posing as a project team member, they often promise early investment opportunities to trick victims into sending money.
- If pretending to be from an investment firm, they may propose investment collaborations to solicit fund transfers.
- If the assumed identity cannot directly generate profits, they use it as a stepping stone to trick people within the victim’s network into installing malware, thereby gaining access to more accounts and expanding their scam infrastructure.
Summary
The hacking and monetization techniques described here share similarities with past attacks—hackers still rely on installing malware (via specific files) to gain control over victims’ devices. However, their tactics have evolved significantly:
- Using compromised verified X accounts to DM victims greatly increases credibility and success rates.
- Deleting messages immediately after sending allows hackers to remain undetected for extended periods. In previous cases, hackers would post scam tweets immediately after takeover—promoting fake events or scam tokens—for quick profit. But this approach quickly alerted owners and the public, raising red flags.
- The Telegram accounts used for follow-up communication are carefully forged, often mimicking official personnel with nearly identical usernames.
How to Identify and Prevent Similar Phishing Attacks
- Be cautious of all invitations, even if they appear to come from “official” accounts. Always verify the sender’s identity through alternative channels. If it’s someone you know, check whether prior chat history still exists before continuing.
- Do not casually download or open files sent during meetings. If you need to install a meeting client like Teams or Zoom, download it only from the official website. This is critical.
- During calls, grant only video and audio permissions. Do not give Zoom or Teams additional permissions that could allow hackers to remotely control your computer.
- Never leave your computer unattended during a session. If necessary, have someone else monitor your screen to prevent hackers from acting while you're away.
- Never back up your seed phrase on your computer or phone. Enable MFA (Multi-Factor Authentication) wherever possible.
- Use an iPhone running the latest iOS version for any device handling funds, turn on Lockdown Mode, limit its use for external communications, and keep it separate from work or social devices.
Account Compromised? How to Respond Quickly and Minimize Losses
Even with strong defenses, you might still fall victim. Your response speed will determine the extent of damage.
- Shut down your computer and disconnect from the internet immediately to cut off the hacker’s access.
- Check financial security (e.g., wallet approvals). Attackers may have accessed local wallets (browser extensions, private key storage). Immediately transfer assets to a new wallet (preferably with newly generated private keys—not derived from the same seed phrase).
- Regain account access via another device or email. While your own session may still be active, log in with your registered email or phone number, reset your password, and sign out all other sessions. Once recovered, revoke all third-party login authorizations immediately to prevent continued hacker access.
- Notify and warn others. Alert your contacts not to trust recent messages, mark suspicious accounts, and spread awareness to prevent chain reactions of victimization.
The above case is not isolated—it reflects a challenge every user in the crypto industry may face. At Bitget, we’re not only building technical safeguards but also striving to turn “security awareness” into real capability. Bitget’s “Anti-Scam Month” is now underway, featuring a series of anti-fraud educational materials and interactive activities. Visit the event page to enhance your ability to detect scams and protect your digital boundaries.