X Platform to Introduce Automatic Lockout for New Crypto Mentions to Combat Scams
The social media platform X is set to introduce a new security feature designed to combat a widespread form of cryptocurrency phishing that exploits hijacked accounts to promote fraudulent tokens. Any account that mentions cryptocurrency for the first time will be automatically locked, requiring the user to undergo additional verification before they can post again, according to X's Head of Product, Nikita Bier. This move targets the primary motivation behind these phishing attacks, which deceive users into surrendering their login credentials and then use their accounts to push crypto scams. Bier stated that this feature should eliminate 99% of the incentive for such attacks.

The decision follows a detailed account from an X user who lost control of their account after falling for a phishing email disguised as a copyright infringement notice. The attacker used a fake login page that perfectly mimicked the real one to steal two-factor codes, locked the user out, and began promoting fake crypto projects from the account.

These types of attacks have been prevalent on X, a legacy issue from its Twitter days. Common tactics include the "double your money" scam, where users are promised more cryptocurrency in exchange for sending some, and pushing fake memecoins or fraudulent airdrops, often from hijacked accounts to appear legitimate. Impersonation is a powerful lever: spoofed accounts posing as major figures trick followers into clicking malicious links that resemble legitimate crypto platforms. Since cryptocurrency transactions are irreversible, once a user falls for such an attack, their funds are lost.

A notable example occurred in 2020 when hackers accessed Twitter's internal systems, took control of major accounts, including those of Apple, Barack Obama, and Elon Musk, and used them to promote a fake bitcoin giveaway, netting over $100,000 before the posts were removed. This breach, carried out through social engineering against Twitter employees, resulted in the hacker receiving a 5-year sentence.

X has made several attempts to enhance security, including bot purges, API restrictions, and behavioral detection. The latest move to auto-lock accounts that post about crypto for the first time builds on these efforts, aiming to cut off the tactic at its root by making hijacked accounts useless for scams. Bier also criticized Google for failing to stop phishing emails at the source, pointing out the tech giant's share of responsibility for failing to protect its users from phishing attacks.
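To make the control concrete, here is an added example (not X's code, and not based on any published detail of its implementation) that models the first-crypto-mention lockout as a per-account policy: the keyword list, the verification step and the account timeline are all constructed assumptions, but the scenario shows why a hijacker's first scam post from a long-standing non-crypto account is stopped while an account with a prior crypto history is unaffected.

```python
from dataclasses import dataclass, field

# Constructed keyword list; the article does not say how X identifies a "crypto mention".
CRYPTO_TERMS = ("crypto", "bitcoin", "btc", "eth", "memecoin", "airdrop", "token")


@dataclass
class Account:
    handle: str
    has_mentioned_crypto: bool = False  # True once the owner has posted about crypto before
    locked: bool = False
    posts: list = field(default_factory=list)


def mentions_crypto(text: str) -> bool:
    """Token-level match, tolerant of cashtags/hashtags such as $BTC or #airdrop."""
    words = {w.strip(".,!?#$()").lower() for w in text.split()}
    return any(term in words for term in CRYPTO_TERMS)


def submit_post(acct: Account, text: str) -> str:
    """Apply the lockout policy to one post and return the outcome."""
    if acct.locked:
        return "rejected: account locked, verification required"
    if mentions_crypto(text) and not acct.has_mentioned_crypto:
        acct.locked = True          # first-ever crypto mention: hold the post, lock the account
        return "locked: first crypto mention, verification required"
    acct.posts.append(text)
    return "posted"


def complete_verification(acct: Account) -> None:
    """Assumed out-of-band step in which the real owner proves control; the account is
    unlocked and future crypto mentions are no longer treated as a first mention."""
    acct.locked = False
    acct.has_mentioned_crypto = True


def scenario() -> list:
    """Constructed timeline: an account with no crypto history is hijacked by a phisher."""
    victim = Account("@alice")
    results = [
        submit_post(victim, "Back from vacation, photos soon!"),                # owner
        submit_post(victim, "Double your money! Send 0.1 $BTC and get 0.2 back"),  # hijacker
        submit_post(victim, "Airdrop live now, claim here"),                     # hijacker
    ]
    complete_verification(victim)                                                 # owner recovers
    results.append(submit_post(victim, "I've regained access, ignore earlier posts"))
    return results
```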