Phishing Campaign Exploits X Apps
A new wave of crypto attacks is sweeping through the social media platform X (formerly Twitter), specifically targeting influential figures and investors in the cryptocurrency community. Unlike traditional phishing attempts that rely on fake login pages and credential harvesting, this account takeover method takes a far more sophisticated approach — abusing X’s built-in app authorization system.
The result is a seamless and nearly undetectable compromise that lets attackers sidestep passwords and two-factor authentication (2FA) and gain full control over victims’ accounts. Security experts warn that this campaign represents a significant evolution in the threat landscape for crypto investors, many of whom rely heavily on their X presence for networking, project promotion, and market influence.
Crypto developer Zak Cole was among the first to sound the alarm in a Wednesday X post, calling the campaign “zero detection” and warning that it’s “active right now.” The implications are severe: with full account access, attackers can post fraudulent messages, scam followers, manipulate token markets, or conduct large-scale social engineering attacks — all under the guise of a trusted crypto figure.
How the Attack Works Step-by-Step
The crypto phishing campaign is notable for its credibility and stealth. It typically starts with a direct message on X that contains a link, often disguised as an invitation to a calendar event. Because X automatically generates link previews based on site metadata, the message appears legitimate — often showing the trusted Google Calendar domain even when the link does not actually point there.
In Zak Cole’s case, the message appeared to come from a representative of venture capital giant Andreessen Horowitz, lending even more legitimacy. However, the malicious domain — x(.)ca-lendar(.)com — was registered just days earlier. Once clicked, the page’s JavaScript silently redirects users to an X authentication endpoint requesting app authorization.
At first glance, the app looks harmless and is even named “Calendar.” But a closer inspection reveals a clever trick: two Cyrillic characters replace standard Latin letters, making the app appear identical to the real one while remaining a separate, malicious entity.
This is what lets attackers bypass 2FA entirely: the user is authorizing a new app from an already authenticated session rather than entering credentials on a fake page, so no second factor is ever requested, and even the most security-conscious users can fall victim. Once access is granted, the attackers receive comprehensive account permissions, including the ability to:
- Follow and unfollow accounts
- Update profile details
- Post and delete content
- Like, retweet, and comment on posts
These permissions essentially give the attackers total control over the victim’s X account — often without the victim realizing it until damage is done.
Signs and Red Flags to Watch
One of the reasons this crypto attack is so effective is that it’s nearly invisible. The telltale signs are subtle and easy to overlook, but careful users can still spot them. Here’s how:
- Watch the URL Carefully: The malicious domain often flashes for just a split second before redirecting. If it doesn’t exactly match the expected domain (e.g., calendar.google.com), don’t proceed.
- Check App Permissions: On the X authentication page, review what permissions the app is requesting. A legitimate calendar app should not ask for control over your posts, profile, or engagement activity. Overly broad permissions are a major red flag.
- Be Wary of Redirects: After granting access, some users report being redirected to Calendly — an unrelated scheduling platform. This inconsistency should immediately raise suspicion.
Cole also noted that this operational oversight — spoofing Google Calendar but redirecting to Calendly — could be a crucial clue that prevents further compromise.
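The checks above (the mixed-script app name, the domain that must match exactly, the permissions a calendar app should never ask for, and the mismatched post-authorization redirect) can be expressed as a small audit routine. This is an added example written for this article, not code from X or from the researchers cited; the read-only allowlist, the permission labels and the spoofed app name are constructed from the article's description, and the domains are the ones the article names.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed allowlist: the only permission a calendar-style app plausibly needs.
CALENDAR_APP_ALLOWED = {"Read profile details"}


def letter_scripts(name: str) -> set:
    """Unicode script families ('LATIN', 'CYRILLIC', ...) of the letters in name.
    An app name that mixes scripts is the homoglyph trick described above."""
    return {unicodedata.name(ch).split()[0] for ch in name if ch.isalpha()}


def hostname(url: str) -> str:
    """Lower-case hostname of url; de-fanged '(.)' notation is accepted as input."""
    return (urlparse(url.replace("(.)", ".")).hostname or "").lower().rstrip(".")


def audit_authorization(app_name, auth_url, permissions, expected_host,
                        allowed=CALENDAR_APP_ALLOWED, landing_url=None) -> list:
    """Return the red flags found in an app-authorization prompt (empty list = none)."""
    findings = []
    scripts = letter_scripts(app_name)
    if len(scripts) > 1:
        findings.append(f"mixed-script app name: {sorted(scripts)}")
    host = hostname(auth_url)
    if host != expected_host:  # exact match only, as the article advises
        findings.append(f"host {host!r} does not match {expected_host!r}")
    for perm in permissions:
        if perm not in allowed:
            findings.append(f"unexpected permission: {perm}")
    if landing_url and hostname(landing_url) != expected_host:
        findings.append(f"post-authorization redirect to {hostname(landing_url)!r}")
    return findings


# Constructed sample modelled on the campaign: Latin 'a' and 'e' in "Calendar"
# replaced by Cyrillic U+0430 and U+0435, which render identically.
SPOOFED_APP = "C\u0430l\u0435ndar"
SAMPLE_FINDINGS = audit_authorization(
    SPOOFED_APP,
    "https://x(.)ca-lendar(.)com/",
    ["Follow and unfollow accounts", "Update profile details",
     "Post and delete content", "Like, retweet, and comment on posts"],
    expected_host="calendar.google.com",
    landing_url="https://calendly.com/",
)

if __name__ == "__main__":
    for finding in SAMPLE_FINDINGS:
        print("RED FLAG:", finding)
```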
Protecting Your Crypto Presence
Given the high stakes involved in these crypto attacks, protecting your account requires a proactive approach. Influencers, project founders, and investors should implement several key security measures immediately:
- Review Connected Apps: Visit the X connected apps page and carefully audit the list. Revoke access for any suspicious apps, especially those named “Calendar” or anything you don’t recognize.
- Use Hardware Security Keys: While this attack bypasses traditional 2FA, hardware keys provide a stronger layer of defense against unauthorized access.
- Enable Login Alerts: Turn on login notifications for your X account. While this won’t stop app authorizations, it can alert you to potential suspicious activity.
- Educate Your Team: Many crypto projects have multiple people managing social media. Ensure everyone is aware of this attack method and knows how to verify links before clicking.
Security researcher Ohm Shah from MetaMask confirmed that the attack is already “in the wild,” suggesting that this campaign is not isolated. With high-profile accounts and brands already targeted — including even non-crypto figures like an OnlyFans model — the scale is expected to grow.
The Broader Impact on Crypto Security
This new wave of crypto attacks represents more than just a social media threat — it’s a warning sign of how cybercriminals are evolving their tactics. Social platforms like X are critical infrastructure for the digital asset ecosystem, and their compromise can have far-reaching consequences.
If an attacker gains access to the account of a major crypto exchange, project founder, or influencer, they can manipulate token prices, spread fake announcements, or steal millions through coordinated scams. The fact that this attack exploits legitimate features of X — rather than relying on obvious fakes — means detection and mitigation will require a combined effort from both users and the platform itself.
X will likely need to strengthen its app authorization system, implement more robust app review processes, and improve metadata handling to prevent similar abuses in the future. In the meantime, individual users remain the first line of defense.
Final Thoughts: Vigilance Is Essential
The sophistication of this new X account takeover attack highlights the evolving nature of phishing threats in the crypto world. As attackers grow more creative — exploiting trusted platforms and legitimate features — traditional advice like “don’t click suspicious links” may no longer be enough.
For crypto investors and professionals, the message is clear: vigilance, verification, and regular security hygiene are now non-negotiable. By staying informed and skeptical of unexpected messages — no matter how credible they appear — the community can stay one step ahead of this latest wave of crypto attacks.