This story is from December 21, 2023
How crypto scammers are misusing this X feature to impersonate high-profile accounts
Cyberattackers are misusing a feature on Elon Musk-owned social media platform X to promote scams, fake giveaways and fraudulent Telegram channels. These are being used by scammers to steal cryptocurrency and NFTs.
According to a report by BleepingComputer, security researcher MalwareHunterTeam has discovered that scammers have started using a known mechanism for the past few weeks to create URLs that look like they belong to legitimate and popular organisations.
The report also claims that all of the impersonated organisations are crypto-related accounts. This includes fake accounts of Binance (11 million followers), the Ethereum Foundation (3 million), zkSync (1.3 million), and Chainlink (1 million).
How hackers are creating fake X accounts
A post's URL on X includes the account name of the person who shared it and a status ID. The micro-blogging site uses the status ID to determine what post should be loaded from the site's database. However, it doesn’t check if the account name is valid.
This allows anyone to take the URL of an X post and modify the account name to whatever they want, even high-profile accounts. Later, when users visit that URL, the website redirects them to the correct URL associated with the ID.
Earlier, in 2019, this feature was reported when security researcher Davy Wybiral expressed concerns that the feature could be used for phishing. However, now scammers are using this feature for crypto and NFT-based scams.
Hackers are using this to craft what look like X posts from Binance, Ethereum, and zkSync which, when clicked, redirect to an unrelated X user's tweets promoting crypto scams.
The report notes that these posts are promoting “fake crypto giveaways, websites that utilise wallet drainers,” as well as Discord channels “promoting pump-and-dumps.”
As per the report, a fake zkSync post led to a page impersonating the company and promoting a website that the X community says is a crypto drainer. This means that when users connect their wallet, it automatically steals all crypto assets and NFTs.
The report notes that almost all accounts that were found abusing this feature to promote crypto scam posts use an account name in the format of name+5 digits, for instance, @amanda_car16095.
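The two observations above (the status ID alone decides which post loads, and the scam accounts tend to follow a name+5-digit naming pattern) can be turned into a simple link-screening check. The following is an added example, not code from the report or from X: it parses an X status URL, compares the handle the URL claims against the post's real author, and flags the throwaway naming pattern. The author lookup table is a constructed, hypothetical stand-in for following the redirect or querying the platform, so the example runs offline.

```python
import re
from urllib.parse import urlparse

# Hosts on which the /<handle>/status/<id> URL form is served (X still answers on twitter.com).
X_HOSTS = {"x.com", "www.x.com", "twitter.com", "www.twitter.com", "mobile.twitter.com"}

# X handles are 1-15 characters drawn from [A-Za-z0-9_]; the status ID is numeric.
STATUS_PATH_RE = re.compile(r"^/(?P<handle>[A-Za-z0-9_]{1,15})/status/(?P<status_id>\d+)")

# Heuristic from the report: throwaway accounts named <name> + exactly 5 digits, e.g. amanda_car16095.
THROWAWAY_HANDLE_RE = re.compile(r"^[A-Za-z_]+\d{5}$")

# Constructed, hypothetical lookup: status ID -> handle that actually authored the post.
# A real deployment would obtain this by following the redirect or asking the platform.
REAL_AUTHOR_BY_STATUS = {
    "1000000000000000001": "amanda_car16095",  # constructed: a scam post by a throwaway account
    "1000000000000000002": "binance",          # constructed: a genuine post by the claimed account
}


def parse_status_url(url):
    """Return (claimed_handle, status_id) for an X status URL, or None if it is not one."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or parts.netloc.lower() not in X_HOSTS:
        return None
    match = STATUS_PATH_RE.match(parts.path)
    if match is None:
        return None
    return match.group("handle"), match.group("status_id")


def assess_status_link(url, author_lookup=REAL_AUTHOR_BY_STATUS):
    """Compare the handle in the URL with the post's real author and report findings."""
    parsed = parse_status_url(url)
    if parsed is None:
        return {"verdict": "not_a_status_url", "findings": []}
    claimed, status_id = parsed
    actual = author_lookup.get(status_id)
    findings = []
    if actual is None:
        verdict = "unknown"
        findings.append("status ID not resolvable; cannot confirm the author")
    elif actual.lower() != claimed.lower():
        # The platform ignores the handle segment, so a mismatch means the link was edited.
        verdict = "spoofed"
        findings.append(f"URL names @{claimed} but status {status_id} belongs to @{actual}")
    else:
        verdict = "consistent"
    if actual and THROWAWAY_HANDLE_RE.match(actual):
        findings.append(f"author @{actual} matches the name+5-digit pattern seen on scam accounts")
    return {"verdict": verdict, "claimed_handle": claimed, "actual_handle": actual,
            "status_id": status_id, "findings": findings}


if __name__ == "__main__":
    for link in ("https://x.com/binance/status/1000000000000000001",
                 "https://x.com/binance/status/1000000000000000002",
                 "https://x.com/binance/status/999"):
        result = assess_status_link(link)
        print(link, "->", result["verdict"])
        for finding in result["findings"]:
            print("   ", finding)
```

Handle comparison is case-insensitive because X treats handles that way, and the throwaway-name regex is only a hint: a legitimate user may happen to match it, so it is reported as a finding alongside the verdict rather than deciding it.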
How users can stay safe
X users can filter out some of these tweets by enabling the Quality Filter. The setting can be found under Settings > Notifications > Filters. However, this tool comes with the risk of tweets users wish to see being filtered incorrectly.
The report mentioned that most users should immediately be able to spot a scam post on X, as the account will be different from the one given in the URL. However, some fake URLs, like the zkSync one, can be confusing, as the scammer created an account with the company's name in their username.
Moreover, opening these links on mobile can be a bit more confusing, as the app directly shows the post and not the address bar. Most users may perceive that a company like Binance promoted it, which will make it appear more legitimate.
X may not change this standard redirect feature to make it more secure. So, every time users click on an X link, they should take a quick look at the address bar (if available) to ensure that they are visiting that person's tweet and have not been redirected.
Top Comment
Rohan Vedant
324 days ago
I made the mistake of trusting a fake Bitcoin mining site that promised daily passive income. Over 2 months, I sent a total of $21,000 and never saw a penny back. I was crushed. Then I found CryptoguardRecovery in a comment thread and reached out via cryptoguardrecovery211 at gmail dot com. I was skeptical at first, but they quickly earned my trust. They explained everything, traced the wallets, and launched a detailed recovery process. I got my funds back. These people are ethical hacking experts, with government backing and decades of experience. Don’t let scammers win—get help from the best.