There’s currently a surge in cryptocurrency and phishing scams proliferating on X (formerly Twitter)—hiding under the guise of gold and gray checkmarks intended to mark “Verified Organizations,” reports have warned this week.
These scams seem to mostly commandeer dormant X accounts purchased online through dark web marketplaces, according to a whitepaper released by the digital threat monitoring platform CloudSEK. But the scams have also targeted high-profile X users who claim that they had enhanced security measures in place to protect against these hacks.
This suggests that X scammers are growing more sophisticated at a time when X has launched an effort to sell even more gold checks at lower prices through a basic tier announced this week.
Most recently, the cyber threat intelligence company Mandiant—which is a subsidiary of Google—confirmed its X account was hijacked despite enabling two-factor authentication. According to Bleeping Computer, the hackers used Mandiant’s account to “distribute a fake airdrop that emptied cryptocurrency wallets.”
A Google spokesperson declined to comment on how many users may have been scammed, but Mandiant is investigating and promised to share results when its probe concludes.
In September, a similar fate befell Ethereum co-founder Vitalik Buterin, who had his account hijacked by hackers. The bad actors posted a fake offer for free non-fungible tokens (NFTs) with a link to a fake website designed to empty cryptocurrency wallets. The post was only up for about 20 minutes but drained $691,000 in digital assets from Buterin’s unsuspecting followers, according to CloudSEK’s research.
Another group monitoring cryptocurrency and phishing scams linked to X accounts is MalwareHunterTeam (MHT), Bleeping Computer reported. This week, MHT has flagged additional scams targeting politicians’ accounts, including a Canadian senator, Amina Gerba, and a Brazilian politician, Ubiratan Sanderson.
On X, gold ticks are supposed to reassure users that an account can be trusted by designating that an account is affiliated with an official organization or company. Gray ticks signify an account is linked to a government organization. CloudSEK estimated that hijacked gold and gray checks could be sold online for between $1,200 and $2,000, depending on how old the account is and how many followers it has. Bad actors can also buy affiliate accounts (accounts attached to a gold-check organization) for $500 each.
A CloudSEK spokesperson told Ars that its team is “in the process of reporting the matter” to X.
X did not immediately respond to Ars’ request to comment.
CloudSEK predicted that scams involving gold checks would continue to be a problem so long as selling gold and gray checks remains profitable.
“It is evident that threat actors would not budge from such profit-making businesses anytime soon,” CloudSEK’s whitepaper said.
For organizations seeking to avoid being targeted by hackers on X, CloudSEK recommends strengthening brand monitoring on the platform, enhancing security settings, and closing out any dormant accounts. It’s also wise for organizations to cease storing passwords in a browser, and instead use a password manager that’s less vulnerable to malware attacks, CloudSEK said. Organizations on X may also want to monitor activity on any apps that become connected to X, Bleeping Computer advised.
How does the X scam work?
CloudSEK’s spokesperson told Ars that its team started researching scams targeting verified organizations on X after coming across “unique advertising on the dark web which talked exclusively” about gold checks, as well as advertisements on social media platforms like Telegram and Facebook. Seeing so many ads focused on X gold checks raised a red flag for CloudSEK, which predicted that malicious campaigns that require X gold accounts were “brooding on a large scale.”
Investigating, CloudSEK used search tools to crawl the dark web and explore Facebook and Telegram, identifying relevant keywords to find ads selling “Twitter Gold” accounts.
The earliest ad that CloudSEK discovered was a request to buy a gold X account that was posted on a dark web marketplace in March 2023. The buyer made it clear how important the gold account would be to their operation, writing, “I’ll buy a legacy/gold Twitter account … I need it every day and a lot.”
Some scammers were so bold that they openly advertised the names of companies whose X gold accounts had been hacked, CloudSEK reported. Other ads offered to boost followers on stolen accounts by up to 50,000 for an extra cost. According to CloudSEK, there’s also an entire marketplace where hacked accounts could be resold.
One compromised X account with nearly 30,000 followers that had been inactive since 2016 was advertised for up to $2,500 on Telegram, CloudSEK reported.
To access verified X accounts, hackers use various methods, including manually creating accounts posing as verified organizations, brute-forcing existing accounts with a “generic username and password combo list” (in effect, credential stuffing against dormant accounts that still use reused or weak passwords), and using malware to harvest credentials from infected devices, CloudSEK reported.
Typically, hackers target inactive accounts, since nobody is watching them, and then replace the account’s contact and recovery details with the hacker’s own to lock out the original holder. After the account takeover, the hackers subscribe to X gold, and the stolen account is ready to be sold.
Buyers pay for gold accounts through a guarantor, who holds their funds until the account is delivered. After that, buyers are guaranteed access to the X account with “no hassles” for 30 days. Should any problems arise with the first login, one ad flagged by CloudSEK said a replacement would be provided, but otherwise, “all sales are final.”
Currently, 30 days is the standard duration of an X gold subscription, but X is now advertising that annual subscriptions are “coming soon.” That means it’s possible that any undetected malicious activity on a hijacked account could go on for much longer, possibly increasing the value of gold checks or incentivizing the black market to sell more checks.
How do you spot a hijacked gold account on X?
X owner Elon Musk has insisted that selling checkmarks on X is intended to decrease scams and impersonation, but reports this week suggest that users should still be cautious before trusting verified organizations on the platform.
Until X announces solutions for malicious activity flagged by cyber threat researchers this week, CloudSEK recommends tips for users wanting to double-check the authenticity of verified organizations on X before clicking any links.
The biggest clue for users that a gold account is hacked can be found in the account’s pinned post. CloudSEK’s team found that sometimes hijacked accounts leave a verified organization’s bio information exactly as it appeared before the account was commandeered. That means the username will appear the same, and a legitimate website will be linked in the bio. However, the pinned post at the top of the account will likely be a “misleading crypto advertisement asking followers to join.”
CloudSEK recommends that users treat any posts from a verified organization “insisting” that their followers “join random channels based on crypto” as suspicious. Often, these posts link X users to malicious domains that reuse the company’s name under a different top-level domain than the company’s legitimate website (for instance, the same name ending in .xyz instead of .com). Hovering over a link before clicking and comparing the full hostname, not just the visible link text, against the website in the organization’s bio could spare some X users from being scammed. Shortened links such as t.co URLs hide the destination entirely and should be treated as unknown rather than trusted.
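The comparison described above, as an added example that is not part of the Ars article or CloudSEK’s report: a small Python triage script that takes the website from an organization’s bio and classifies each link in a post as matching that site, a top-level-domain swap, a lookalike that buries the real domain inside another hostname, a shortener that cannot be judged until expanded, or an unrelated domain. The organization name, links and shortener list are constructed for illustration, and the domain split uses a naive last-two-labels rule (an assumption that holds for .com/.xyz-style suffixes but not for .co.uk-style ones, where a public-suffix list is needed).

```python
from urllib.parse import urlparse

# Constructed sample data. The organization, its website and the links below are
# hypothetical and do not come from CloudSEK's report.
LEGIT_SITE = "https://www.example-corp.com/"

SAMPLE_LINKS = [
    "https://example-corp.com/blog/2024",           # same domain as the bio link
    "https://news.example-corp.com/press",          # subdomain of the legitimate site
    "https://example-corp.xyz/airdrop",             # same name, different top-level domain
    "https://example-corp.com.claim-token.net/",    # legitimate domain buried in a subdomain
    "https://example-corp.com@evil.net/login",      # userinfo trick: the real host is evil.net
    "https://t.co/abc123",                          # shortener, opaque until expanded
    "http://example-corp.com/login",                # right domain, but plain http
]

# Shorteners hide the destination; treat them as unknown rather than safe.
SHORTENERS = {"t.co", "bit.ly", "tinyurl.com"}


def registrable_parts(host: str) -> tuple[str, str]:
    """Split a hostname into (name, suffix) with a naive last-two-labels rule.

    Assumption: single-label suffixes such as .com or .xyz. For .co.uk-style
    suffixes a public-suffix list is needed; this keeps the example offline.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify_link(link: str, legit_site: str = LEGIT_SITE) -> str:
    """Compare a posted link against the organization's legitimate website."""
    legit_host = (urlparse(legit_site).hostname or "").lower()
    legit_name, legit_suffix = registrable_parts(legit_host)
    legit_domain = f"{legit_name}.{legit_suffix}"

    parsed = urlparse(link)
    # .hostname strips any user:pass@ prefix, so the @ trick does not fool us.
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    if host in SHORTENERS:
        return "shortener"

    name, suffix = registrable_parts(host)
    if f"{name}.{suffix}" == legit_domain:
        # Same registrable domain (bare or a subdomain); still insist on TLS.
        return "ok" if parsed.scheme == "https" else "not-https"
    if name == legit_name:
        # The pattern CloudSEK describes: company name kept, TLD swapped.
        return "tld-shift"
    if legit_domain in host or legit_name in name:
        # Legitimate name reused somewhere else in the hostname.
        return "lookalike"
    return "different-domain"


def triage(links, legit_site: str = LEGIT_SITE) -> dict[str, str]:
    """Classify every link; anything other than 'ok' deserves a closer look."""
    return {link: classify_link(link, legit_site) for link in links}


if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:17} {link}")
```

Only the hostname is compared, never the link text or the path, because the path is where scammers put reassuring words like “official” or the company name. The script deliberately does not resolve shorteners or expand redirects; doing so means fetching the attacker’s URL, which is a decision for a sandbox, not a quick pre-click check.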
While cryptocurrency scams on X appear to be more common, CloudSEK warned that bad actors are also hijacking X gold and gray accounts for other scams, including posting phishing links, disinformation campaigns, and financial scams.