Multiple companies including Mandiant, Netgear and Hyundai have had their X social media accounts hijacked and used for cryptocurrency scams by threat actors.
X, formerly known as Twitter, is no stranger to high-profile cryptocurrency scams. In July 2020, hackers breached the platform's network, posing as IT staff and conducting a social engineering attack that enabled them to send crypto scam tweets from high-profile accounts such as those owned by former U.S. president Barack Obama and current X owner Elon Musk. The hackers stole more than $118,000 in bitcoin at the time.
Recent scams have taken a different shape. The X account of Google-owned security firm Mandiant was hijacked by threat actors on Jan. 3. According to screenshots posted by threat research group VX-Underground, attackers used the "@Mandiant" handle to pose as cryptocurrency wallet provider Phantom and promote fake currency giveaways.
Mandiant recovered its account Jan. 4. In a post made the same day, Mandiant confirmed it regained control of the account.
"As you likely noticed, yesterday, Mandiant lost control of this X account which had 2FA enabled. Currently, there are no indications of malicious activity beyond the impacted X account, which is back under our control," the post read. "We'll share our investigation findings once concluded."
"Today Mandiant had their Twitter account stolen. 2024 starting strong pic.twitter.com/gHagm2o36q" (vx-underground (@vxunderground), January 3, 2024)
UPDATE: Mandiant said Wednesday on X that it completed its investigation into the account hijacking and determined that a brute force attack compromised the password, and that the X account was not adequately protected by 2FA.
Two other recent examples of account hijacking include Netgear and auto manufacturer Hyundai's Middle East and Africa (MEA) branch. Accounts owned by both entities were stolen in the last few days, and both have since been recovered. Netgear's account was used to send phishing links in replies to X posts from cryptocurrency trading platform BRC, while attackers used Hyundai MEA's account to pose as web3-powered multiplayer game Overworld and published similar links. As with the majority of cryptocurrency scams on Twitter, victims who clicked one of these scam links and connected their wallets would see their funds drained.
TechTarget Editorial has reached out to Mandiant, Netgear and Hyundai for additional information. A Mandiant spokesperson declined to comment but reiterated the firm's commitment to provide an update when the investigation is complete.
The X account owned by Web3 security vendor CertiK was also hijacked earlier this month. According to a post outlining its investigation, CertiK said one of its employees was contacted by an apparently compromised verified account belonging to a Forbes editor attempting to set up an interview. The employee was then phished via a fake link for scheduling app Calendly, and CertiK's X account was subsequently hijacked and used for cryptocurrency phishing posts. Shortly after, the account was recovered. It is unclear if any other recent account hijackings occurred in a similar way.
UPDATE: The U.S. Securities and Exchange Commission (SEC) on Tuesday afternoon had its X account compromised. Threat actors briefly hijacked the regulator's account to post that the SEC had approved spot bitcoin exchange-traded funds, or ETFs. Minutes later, SEC chair Gary Gensler posted on his personal X account to debunk the post and confirm a hack.
"The @SECGov twitter account was compromised, and an unauthorized tweet was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products," the post read. The SEC quickly regained its account and published a similar message to its own page.
On Tuesday evening, X's safety-focused account published the results of its preliminary investigation. The social media company claimed that the compromise was not due to a breach of X but rather "an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party." X also claimed the SEC's account did not have two-factor authentication enabled.
"We can confirm that the account @SECGov was compromised and we have completed a preliminary investigation. Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number…" (Safety (@Safety), January 10, 2024)
Apparent cryptocurrency scams have been observed on X advertisements in recent months. For example, advertisements for "X Token" and "X Coin" cryptocurrencies have appeared on the social media platform. These supposed currencies claim to be affiliated with the platform, and some malicious advertisements have even utilized Musk's likeness.
It's unclear why the X Token and X Coin ads have repeatedly run on the platform. TechTarget Editorial contacted X for additional information. In response to our request, a press email connected to the company sent an automatic reply that read, "Busy now, please check back later."
Christopher Budd, director of threat intelligence at Sophos, said in an email that while his company hasn't seen specific data on increases in scams on X, "there is certainly plenty of anecdotal evidence to indicate that the reported shedding of nearly 80% of staff in the past 12+ months has had an impact on the nature and stability of the platform."
"As we've said, the Twitter platform has changed significantly in the past 12+ months, and it's always important to review and reassess risk in light of significant changes," he said. "People can and should make a fresh risk and business assessment to determine if the new X platform meets their business and security needs or not, and take appropriate actions."
Updated on 1/10/2024.
Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.