X Platform to Introduce Automatic Account Locking to Combat Crypto Scams
X, a social media platform, is set to introduce a new security feature designed to curb a prevalent form of cryptocurrency phishing that exploits hijacked accounts to promote fraudulent tokens. The company will automatically lock any account that mentions cryptocurrency for the first time, requiring the user to complete additional verification before posting again, according to Nikita Bier, the company's Head of Product. Bier explained that the feature targets the primary motivation behind these attacks, stating that it should eliminate 99% of the incentive.

The move comes after an X user shared a firsthand account of losing control of their account to a phishing email disguised as a copyright violation notice. The attacker used a fake login page to obtain the user's two-factor codes, locked the user out, and began promoting fake cryptocurrency projects from the account.

Such attacks have long been common on X, a legacy issue inherited from its Twitter days. Common tactics include the 'double your money' scam, in which users are promised more cryptocurrency in exchange for sending some, and fake memecoins or airdrops, often promoted through hijacked accounts to lend them credibility. Impersonation is a powerful tool: spoofed accounts posing as major personalities trick followers into clicking malicious links that mimic legitimate cryptocurrency platforms. Because cryptocurrency transactions are irreversible, once a user falls victim to such an attack, their funds are lost for good.

A notable example occurred in 2020, when hackers gained access to Twitter's internal systems, took control of major accounts, including those of Apple, Barack Obama, and Elon Musk, and used them to promote a fake bitcoin giveaway, earning over $100,000 before the posts were removed. The hacker received a 5-year sentence for the breach, which was carried out through social engineering against Twitter employees.
X has made several attempts to strengthen security, including bot purges, API restrictions, and behavioral detection. The latest move to auto-lock accounts that post about cryptocurrency for the first time aims to cut off the scam tactic at its root by rendering hijacked accounts useless for scams. Bier also criticized Google for failing to stop phishing emails at the email level, emphasizing the tech giant's share of responsibility in protecting its users from phishing attacks.