X Platform to Implement Automatic Account Locking to Combat Crypto Scams
X, the social media platform, plans to introduce a security measure aimed at a pervasive form of cryptocurrency phishing in which hijacked accounts are used to promote fraudulent tokens. According to the company's head of product, Nikita Bier, X will soon roll out a feature that automatically locks an account the first time it mentions cryptocurrency and requires the user to complete additional verification before posting again. The measure targets the attackers' primary motivation: Bier claims it removes 99% of the incentive for phishing campaigns that trick users into surrendering their login credentials so that their accounts can be used to spread crypto scams.

The decision follows a user's detailed account of losing control of their account to a phishing email disguised as a copyright-violation notice. The attacker used a fake login page that closely mimicked the real one, harvested the user's login credentials and two-factor code, locked the user out, and began promoting fake crypto projects from the compromised account. A one-time code stolen this way works for the attacker because it is not bound to the site that prompted for it; phishing-resistant methods such as security keys and passkeys tie the response to the genuine origin and defeat relay pages of this kind.

Such attacks have been rampant on X, a problem inherited from its pre-acquisition days as Twitter. Common tactics include the 'double your money' scam, in which users are promised more cryptocurrency in exchange for sending some, and the promotion of fake memecoins or fraudulent airdrops, often from hijacked accounts that lend the pitch apparent legitimacy. Impersonation is central to these scams: spoofed accounts of well-known personalities trick followers into clicking links that lead to look-alike crypto platforms. Because cryptocurrency transactions are irreversible, funds sent to a scammer are gone for good.

A notable example was the 2020 hack of Twitter's internal systems, in which attackers took control of major accounts, including those of Apple, Barack Obama, and Elon Musk, to promote a fake bitcoin giveaway, collecting over $100,000 before the posts were removed.
The breach was carried out through social engineering against Twitter employees, and one of the participants later received a five-year prison sentence. X has made several attempts to bolster its security, including purging bots, restricting API access, and implementing behavioral detection. The latest move, auto-locking accounts that mention crypto for the first time, aims to cut the scams off at the root by making hijacked accounts useless for fraud. Bier also criticized Google for not doing enough to stop phishing emails at the email level, arguing that the company shares responsibility for protecting its users from such attacks.