Crypto scammers are exploiting a four-year-old documented flaw in X (formerly Twitter) to impersonate celebrities and promote fake giveaways to steal crypto and NFTs.
The flaw, reported by Bleeping Computer back in 2019, allows the account name in an X URL (which still uses the twitter.com domain) to be swapped for another, so that a link appearing to come from one account redirects users to a crypto scam post.
A Twitter URL consists of a person’s account name followed by a status ID, as follows: https://twitter.com/[account_name]/status/[status_id]. Because the status ID is what selects the post, crypto scammers can create an account imitating a public figure, post a phishing link, and change the account name in that post’s URL to the public figure’s handle. This makes it appear as though the public figure is endorsing the post, particularly on mobile, where the full URL is less visible.
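As an added illustration (not code from the article), the check below parses a status URL into the handle it claims and the status ID that actually selects the post, then flags links whose claimed handle does not match the post's real author. The hostname list and the `resolve_author` lookup are assumptions; in practice the lookup would be backed by the platform's API, and the sample table here is constructed.

```python
from typing import Callable, Optional
from urllib.parse import urlparse

# Hostnames that serve the /<account_name>/status/<status_id> scheme (assumed list).
STATUS_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com", "x.com", "www.x.com"}


def parse_status_url(url: str) -> Optional[tuple[str, str]]:
    """Return (claimed_handle, status_id) for a status link, or None otherwise.

    The handle segment is whatever the link author typed; only the status ID
    decides which post is displayed, so the handle must never be trusted.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or parts.netloc.lower() not in STATUS_HOSTS:
        return None
    segments = [s for s in parts.path.split("/") if s]
    # Expected shape: /<account_name>/status/<status_id>
    if len(segments) != 3 or segments[1] != "status" or not segments[2].isdigit():
        return None
    return segments[0].lower(), segments[2]


def check_link(url: str, resolve_author: Callable[[str], Optional[str]]) -> str:
    """Classify a link as 'not-a-status', 'unknown-status', 'ok' or 'handle-mismatch'.

    resolve_author(status_id) returns the real author's handle (e.g. via the
    platform API) or None if the post cannot be found.
    """
    parsed = parse_status_url(url)
    if parsed is None:
        return "not-a-status"
    claimed_handle, status_id = parsed
    actual = resolve_author(status_id)
    if actual is None:
        return "unknown-status"
    return "ok" if actual.lower() == claimed_handle else "handle-mismatch"


# Constructed sample data standing in for an API lookup: status ID -> real author.
SAMPLE_AUTHORS = {"1234567890123456789": "scam_account_example"}


def lookup(status_id: str) -> Optional[str]:
    return SAMPLE_AUTHORS.get(status_id)


if __name__ == "__main__":
    # The first link borrows a celebrity handle but points at the scam account's post.
    print(check_link("https://twitter.com/famous_person/status/1234567890123456789", lookup))
    print(check_link("https://x.com/scam_account_example/status/1234567890123456789", lookup))
```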
Security researchers noted in 2019 that the URL exploit can be used for phishing campaigns and reportedly opens up the potential for political misinformation and well-crafted social engineering. The URL format is also reportedly standard behaviour for X and is unlikely to change any time soon, meaning such crypto scams are likely to keep occurring.
X is no stranger to crypto scams. Back when it introduced the verification checkmark, accounts would inflate their follower counts and rebrand themselves as someone real before blocking them and redirecting users to crypto scams.
Scammers also started buying fake ads on the social platform which promised free crypto, trips to Mars, and Neuralink brain chips, seemingly exploiting the hype around Elon Musk.