X Platform Introduces Anti-Scam Measure to Combat Crypto Phishing Attacks

X, the social media platform formerly known as Twitter, is introducing a security feature aimed at a pervasive form of cryptocurrency phishing in which compromised accounts are used to promote fraudulent tokens. According to Nikita Bier, X's Head of Product, the platform will automatically lock any account that mentions cryptocurrency for the first time and require the account holder to complete additional verification before posting again. The measure targets the attacker's payoff rather than the initial compromise: a hijacked account that cannot post about crypto is worthless for this scam, which Bier believes will eliminate 99% of the incentive.

The feature follows a detailed account from an X user who fell for a phishing email disguised as a copyright infringement notice and lost control of their account. The attacker's fake login page captured not only the password but also the two-factor authentication code, which was then used to log in before the code expired. This is why SMS and app-generated one-time codes do not stop real-time phishing: the code is simply relayed by the attacker. Only phishing-resistant authenticators such as security keys or passkeys, which are bound to the genuine site's origin, defeat this technique. Once in, the attacker locked the victim out and began promoting fake cryptocurrency projects from the compromised account.

Such attacks have been a long-standing problem on the platform, dating back to its days as Twitter. Common tactics include the 'double your money' scam, where users are persuaded to send cryptocurrency in exchange for a promise of a larger return, and the promotion of fake memecoins or fraudulent airdrops from hijacked accounts, which lend the scheme credibility. Impersonation is a powerful tool: spoofed accounts posing as prominent personalities trick followers into clicking malicious links that mimic legitimate cryptocurrency platforms. Because cryptocurrency transactions are irreversible, a victim's funds are gone as soon as they are sent.

A notable example occurred in 2020, when attackers gained access to Twitter's internal systems and took control of prominent accounts, including those of Apple, Barack Obama, and Elon Musk, to promote a fake bitcoin giveaway that netted over $100,000 before the posts were removed. The breach was carried out through social engineering against Twitter employees; one of the participants later received a 5-year prison sentence.
X has made several earlier attempts to bolster security, including bot purges, API restrictions, and behavioral detection. Auto-locking accounts that post about cryptocurrency for the first time builds on these efforts and aims to cut off the tactic at its root by rendering hijacked accounts useless for scams. Bier also criticized Google for not stopping phishing emails at the mail level, arguing that the company shares responsibility for protecting its users from phishing attacks.