X Platform Introduces Anti-Scam Measure to Combat Crypto Phishing Attacks

X, the social media platform, is rolling out a security feature aimed at a widespread form of crypto phishing in which hijacked accounts are used to promote fraudulent tokens. According to Nikita Bier, X's Head of Product, the platform will automatically lock any account that mentions cryptocurrency for the first time and require the user to complete additional verification before posting again. The measure targets the main incentive behind these attacks: tricking users into surrendering their credentials and then using the stolen accounts to push crypto scams. Bier said the feature should remove 99% of the incentive for such attacks.

The decision follows a detailed firsthand account from an X user who lost control of their account after falling for a phishing email disguised as a copyright violation notice. The attacker used a fake login page to harvest the victim's two-factor codes, locked the user out, and began promoting fake crypto projects from the account.

Crypto scams have long been common on X, a problem inherited from its predecessor, Twitter. Typical tactics include the "double your money" scam, in which users are promised more cryptocurrency in exchange for sending some, and the promotion of fake memecoins or fraudulent airdrops, often from hijacked accounts so the posts appear credible. Impersonation is especially effective: spoofed accounts posing as major personalities lure followers into clicking malicious links that mimic legitimate crypto platforms. Because cryptocurrency transactions are irreversible, funds sent in response to such an attack are lost.

A notable example occurred in 2020, when hackers gained access to Twitter's internal systems, took control of major accounts, including those of Apple, Barack Obama, and Elon Musk, and used them to promote a fake bitcoin giveaway, netting over $100,000 before the posts were removed.

X has made several earlier attempts to strengthen security, including bot purges, API restrictions, and behavioral detection. The latest move, auto-locking accounts that post about crypto for the first time, aims to cut the tactic off at its root by making hijacked accounts useless for scams. Bier also criticized Google for failing to stop phishing emails at the email level, emphasizing the company's responsibility for protecting its users from phishing attacks.