Executive Summary
A new phishing campaign targets cryptocurrency users on X (formerly Twitter). Instead of stealing passwords, it tricks victims into authorizing a disguised third-party application (OAuth consent phishing), which sidesteps two-factor authentication and yields full account takeover; the hijacked accounts are then used to promote fraudulent schemes.
The Event in Detail
Reported on September 25, 2025, an advanced phishing campaign is actively compromising X accounts within the crypto community by abusing the platform's third-party application authorization flow rather than any flaw in the login process. The attack begins with direct messages containing links whose link-preview metadata is spoofed so that the preview shows a legitimate domain such as calendar.google.com, while the link itself points to an attacker-controlled site, exemplified by x(.)ca-lendar(.)com (written defanged). When the victim clicks, they are first routed through a page that executes malicious code and then land on X's prompt for application authorization. The requesting application is named to mimic "Google Calendar", often with Cyrillic letters substituted for look-alike Latin ones, and it asks for extensive permissions on the user's X account: following and unfollowing, updating the profile, and creating and deleting posts. If the user approves, X issues the application an access token carrying those permissions. The user has already satisfied the password and 2FA checks to reach the consent screen, so the token itself is never challenged by either; the attacker gains control of the account immediately and without the failed-login or new-device signals that usually flag a takeover. Compromised accounts are then used to disseminate fraudulent cryptocurrency schemes, with the financial losses falling on followers. Users are advised to open X's connected applications page, review the list, and revoke any unfamiliar "Calendar" authorization; revoking the authorization cuts off the application's access.
Market Implications
This phishing technique presents a significant threat to security and trust within the Web3 ecosystem. The 2FA bypass, achieved not by defeating the second factor but by obtaining an application token that is never subject to it, marks an escalation beyond simple credential theft. It may push X to tighten how third-party applications are vetted and how their permission requests are presented, and it argues for more stringent, multi-platform security practices across the cryptocurrency community. The financial impact of such campaigns is substantial: by August 2025, Scam Sniffer reported more than $12 million stolen from over 15,000 victims through various phishing scams. Because the targeted accounts are influential, each takeover amplifies the reach of the scam, potentially moving market sentiment and causing broader losses among unsuspecting investors. The ongoing nature of these attacks underscores the need for continuous vigilance and adaptive security measures.
Crypto developer Zak Cole highlighted the severity of the situation, characterizing it as "complete account takeover with zero detection," emphasizing the stealth and efficacy of the attack. MetaMask security researcher Ohm Shah confirmed the campaign's active presence, noting its observation "in the wild." Shah clarified that this attack deviates from conventional phishing, as it does not involve fake login pages or password stealing, but rather exploits X's application support directly to gain account access. Cole also identified an operational inconsistency: the spoofed Google Calendar preview redirects to calendly.com upon granting permissions, an anomaly that could serve as a warning sign for attentive users.
Broader Context
This campaign fits a wider pattern of escalating attacks on the cryptocurrency industry through social media platforms. Hijacking high-profile accounts has become a prevalent tactic: a compromised account lends its credibility to fraudulent links and fake token giveaways pushed to a large and often trusting audience. Incidents throughout 2024 and 2025 include the compromise of accounts belonging to a WIRED journalist, the NBA, NASCAR, Linus Tech Tips, and Ethereum co-founder Vitalik Buterin, all used to spread crypto-related scams. By mid-2025, total crypto-related phishing and fraud losses exceeded $2.1 billion globally. The shift toward social engineering and the human element, rather than purely technical vulnerabilities, reflects the evolving nature of these threats and the continuing challenge for individuals and platforms to secure digital assets against adaptive criminal tactics.
Sources:
[1] New X Account Hijacking Attack Hits Crypto Community, Bypasses Two-Factor Authentication (https://www.techflowpost.com/newsletter/detai ...)
[2] Security Experts Sound Alarm: Sophisticated Phishing Campaign Bypasses X Security, Targets Crypto Influencers - Stock Market | FinancialContent (https://vertexaisearch.cloud.google.com/groun ...)
[3] Web3 Wallet Security: The Risks of Approving Smart Contract Transactions - Binance (https://vertexaisearch.cloud.google.com/groun ...)