X Platform Introduces Automatic Account Locking to Combat Crypto Scams

X, the social media platform, is set to introduce a new security measure aimed at a prevalent form of cryptocurrency phishing that exploits hijacked accounts to promote fraudulent tokens. According to its Head of Product, Nikita Bier, the platform will soon auto-lock any account the first time it mentions cryptocurrency; to regain posting access, the account holder will have to complete additional verification. The measure targets the primary incentive behind these phishing campaigns, which trick users into surrendering their credentials and then use the compromised accounts to promote crypto scams. Bier claims the feature should eliminate 99% of the incentive for such attacks.

The decision follows a detailed account from an X user who fell victim to a phishing email disguised as a copyright infringement notice and lost control of their account. The attacker used a fake login page that captured not only the password but also the two-factor code the user entered, relayed it to the real site before it expired, locked the user out, and began promoting fake crypto projects from the compromised account. This is worth noting for anyone relying on two-factor authentication: one-time codes from SMS or an authenticator app can be relayed in real time by a phishing page, whereas origin-bound authenticators such as security keys and passkeys do not produce a credential that works for a look-alike domain.

Such attacks have long been common on X, a legacy issue from its Twitter days. Common tactics include the 'double your money' scam, in which users are promised more cryptocurrency in exchange for sending some, and the promotion of fake memecoins or fraudulent airdrops, often from hijacked accounts to appear legitimate. Impersonation is a powerful lever: spoofed accounts of well-known personalities trick followers into clicking malicious links that mimic legitimate crypto platforms. Because cryptocurrency transactions are irreversible, funds sent to a scammer are gone for good.

A notable example was the 2020 compromise of Twitter's internal systems, in which attackers gained control of major accounts, including those of Apple, Barack Obama, and Elon Musk, to promote a fake bitcoin giveaway, collecting over $100,000 before the posts were removed. The breach was carried out through social engineering against Twitter employees, and one of the hackers later received a 5-year sentence.

X has made several attempts to improve security, including bot purges, API restrictions, and behavioral detection. The latest move, auto-locking accounts upon their first crypto mention, aims to cut the scam off at its root by rendering hijacked accounts useless for promoting tokens. Bier also criticized Google for not adequately stopping phishing emails at the email level, arguing that the email provider shares responsibility for protecting users from phishing.