[Header image: Twitter / X. Credit: Julian Christ / Unsplash]

‘Yes, this is real’: hackers targeting high-profile X accounts blur fact and fiction

Basketball fans found themselves asking whether one of ESPN’s top reporters had been hacked this weekend when he broke the news of a massive trade that left people astonished and confused. “Yes, this is real,” the reporter was forced to clarify on X to confirm the legitimacy of the news. 

The situation, while humorous, spotlighted a longstanding issue that has worsened in recent years — the malicious takeover of prominent social media accounts by hackers, who often use their access to shill for fraudulent products.

Hackers have targeted all kinds of prominent accounts, from government agencies like the SEC to actors, politicians, news outlets and even cybersecurity firms.

Researchers at SentinelOne published a report on Friday centered on an active phishing campaign targeting high-profile X accounts that attempts to hijack and exploit them for fraudulent activity.

Tom Hegel, principal threat researcher at SentinelLabs, told Recorded Future News the activity could be attributed to, most importantly, the “growing value and opportunities created by cryptocurrency scams.” 

“The platform in question has become increasingly vulnerable to abuse, while simultaneously serving as a critical media tool for influencers, brands, and even governments,” he said. “In short, the financial incentives are greater than ever, and in some cases, abusing these platforms has only become easier over time.”

The cybersecurity company said it has seen the attackers target U.S. political figures, international journalists, an X employee, large technology organizations, cryptocurrency firms, and owners of valuable, short usernames. 

SentinelOne has been collecting tips and evidence from other cybersecurity companies as they monitor the campaign. 

One of the key phishing lures seen by the company involves emails about account logins. Many of the emails contain malicious links asking a user to log in again, while others claim the user has violated copyrights and has to log in to resolve them. 

[Image: An example of a phishing lure used in the campaign. Credit: SentinelOne]

“SentinelLABS’ analysis links this activity to a similar operation from last year that successfully compromised multiple accounts to spread scam content with financial objectives,” the researchers said. “While the activity detailed here is centered around X/Twitter accounts, this actor is not limited to a single social platform, and can be observed directing attention to other popular services as well, while seemingly pursuing the same financial objectives.”

SentinelOne noted that phishing is not the only way the hackers are getting into the accounts. 

In the vast majority of cases, the hackers take over the account and lock out the legitimate owners before posting about fraudulent cryptocurrency opportunities or crypto theft-related links. 

“Ultimately, compromising high-profile accounts enables the attacker to reach a broader audience of potential secondary victims, maximizing their financial gains,” the company said. 

SentinelOne traced the campaign activity back to an IP address associated with a Belize-based virtual private server service called Dataclub, while several of the malicious domains used in the attacks have been registered through Turkish hosting provider Turkticaret.

Past reports have previously attributed these kinds of account takeover attacks to Turkish-speaking actors “based on language phishing page source comment language,” the researchers said. But they declined to attribute the campaign to a specific country or threat actor. 

As an example of recent activity, the report spotlights several recent account takeovers that drew headlines, including attacks on accounts owned by the Tor Project, NASDAQ and others.

Late last week, prominent actress and comedian Issa Rae had her X account taken over and was forced to use Instagram to warn followers not to click on any of the links. 

[Image: A message from comedian Issa Rae informing fans her X account was hacked. Credit: Instagram]

SentinelOne urged people to use unique passwords, enable multifactor authentication and be wary of emails with security notices or account alerts. Password resets should be done directly through the platform, and any URLs should be verified before they are clicked on, the company said.
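The advice above comes down to one habit: before acting on an account alert, check where its links actually lead. The script below is an added example, not code from the article or from SentinelOne, that applies that check to the two lure types the report describes (re-login requests and copyright claims). It extracts the links from an email, resolves each one to the host a browser would really connect to, and accepts it only if that host is, or sits under, a legitimate X domain. The legitimate-domain list, the lure wording patterns and the sample email are assumptions constructed for the example; the `.example` hosts are reserved names, not real sites.

```python
import re
from urllib.parse import urlparse

# Hosts X itself serves login and help pages from (assumption for this example;
# confirm the real list yourself before relying on it).
LEGIT_HOSTS = {"x.com", "twitter.com"}

# Wording the article says the lures use: re-login requests and copyright claims.
LURE_RE = re.compile(
    r"\b(log ?in again|copyright|suspend(ed)?|unusual (sign|log)[- ]?in|verify your account)\b",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s<>\"'\)\]]+")


def link_host(url: str) -> str:
    """Hostname a browser would actually connect to, lowercased.
    urlparse().hostname already drops userinfo, so 'https://x.com@bad.example/'
    resolves to 'bad.example', not 'x.com'."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_legit_host(host: str) -> bool:
    """True only if host IS a legitimate domain or a subdomain of one.
    Matching is anchored on the suffix, so 'x.com.review.example' fails."""
    return any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)


def classify_link(url: str) -> str:
    host = link_host(url)
    if not host:
        return "unparseable"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"          # IDN lookalike; never auto-approve these
    return "ok" if is_legit_host(host) else "suspicious"


def check_email(subject: str, body: str) -> dict:
    """Combine link verdicts with lure wording into one triage result."""
    links = URL_RE.findall(body)
    suspicious = [u for u in links if classify_link(u) != "ok"]
    lure = LURE_RE.search(subject + "\n" + body) is not None
    if suspicious:
        verdict = "likely-phish"
    elif lure:
        verdict = "review"        # lure wording but every link checks out
    else:
        verdict = "ok"
    return {"verdict": verdict, "lure_wording": lure, "suspicious_links": suspicious}


# Constructed sample, modelled on the lure types the article describes.
SAMPLE_SUBJECT = "Copyright infringement notice - action required"
SAMPLE_BODY = """We received a copyright complaint about your account.
Log in again within 24 hours to resolve it:
https://x.com.account-review.example/login
Help center: https://help.x.com/
"""

if __name__ == "__main__":
    print(check_email(SAMPLE_SUBJECT, SAMPLE_BODY))
```

Two details matter in practice. The host comparison is anchored on the suffix, so a lookalike that merely begins with `x.com.` is rejected, and `urlparse().hostname` discards the `user@` portion, so a link that shows the real domain before an `@` still resolves to the attacker-controlled host. A "review" verdict is deliberately not a pass: lure wording with clean links is still worth opening the platform directly rather than following the email.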

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.