Hackers impersonate X employees using a hacked scrolling founder account
Crypto journalist
Anas Hasan
Crypto journalist
Share
Scroll co-founder Chen X's account was hacked by sophisticated phishing attackers posing as platform employees and targeting crypto industry figures.
The hacked account, which is highly influential among crypto leaders, began circulating fraudulent messages stating copyright infringement and account restrictions unless users clicked on malicious links within 48 hours.
Hackers changed Chen's profile to look like X's official brand name, updating his bio on Twitter and nCino to reference it while warning followers about security breaches.
To enhance legitimacy, the attackers flooded the feed with retweets from X-verified accounts, then began their phishing campaign with direct messages.
A growing pattern of sophisticated attack mirrors
The breach follows established tactics that hackers use to distribute malicious links to trusted accounts, masquerading as urgent forum notifications.
Recipients received messages purporting to be from X's rights management team, complete with false compliance warnings and time-consuming appeals procedures designed to cause panic and bypass security awareness.
Blockchain security researcher BeautifulBlockchain first discovered the deal and warned the community to ignore communications from the account.
The warning drew particular attention to Chen's wide range of high-level cryptocurrency executives, developers and investors who could trust messages from his verified account.
The attack represents the latest escalation in social media targeting crypto industry leaders, in which hackers gained access to proxy accounts and expired domain registrations bypassing security measures including two-factor authentication.
BNB Chain's official account suffered a similar breach in October when hackers posted fake reward programs with phishing links after Binance co-founder CZ warned followers not to download suspicious content.
The hacked account advertised fraudulent BSC token distributions and promised early payouts to users who voted on prize days via malicious URLs designed to drain digital wallets.
Binance Co-CEO Yi He's WeChat account was also hacked in December to promote meme coin plans, with attackers conducting a coordinated pump and dump operation around MUBARA.
Two wallets flooded retailers before the breach amassed 21.16 million tokens, netting attackers nearly $55,000 and later buyers exposed to a price drop.
Other popular hacked accounts include ZKsync and Matter Labs, which were compromised in May by what the group described as a “delegated account” with limited posting rights.
Hackers published false claims about the SEC investigation along with fake airdrop promotions, which triggered a 5% drop in the ZK token price despite the previous 38.5% weekly rally.
Popular crypto media company Wire.guru confirmed in March that its account was breached after fake Ripple-SWIFT partnership requests were circulated by automated content bots on its linked Telegram, Facebook and Discord channels.
The group suspects that the deal is a suspicious link to the strange query strings shared in their Telegram group a few weeks ago.
A year of theft has exposed increasing threats
According to the Chinalysis 2026 Cryptocrime Report, the crypto ecosystem is expected to steal more than $3.4 billion by 2025, with North Korean state-sponsored hackers making a record $2.02 billion in smaller but more sophisticated attacks.
The Democratic People's Republic of Korea now represents 76% of the service agreement, bringing the total DPRK cryptocurrency theft to $6.75 billion after operations began.
There will be around 158,000 personal wallet incidents affecting at least 80,000 unique victims, tripling the 54,000 reported cases by 2022.
An address poisoning scam led to a major loss in December, when a victim transferred $50 million to a fake wallet impersonating the intended destination, while private key breaches led to $27.3 million being stolen from multi-signature wallets.
Beyond the platform, personal security breaches are on the rise.
Most recently, Ubuntu developer Alan Bishop warned that attackers are hijacking Snap Store publisher accounts by registering expired domains linked to legitimate developers and pushing malicious updates to previously trusted packages.
The technique uses automatic update systems and established trust tokens, at least 2 wallet-stealing malware distributed through normal-looking apps.
Given these growing, multifaceted attack vectors, Better Business Bureau officials are warning consumers about phishing campaigns that lock X users out of their accounts and then use them for cryptocurrency promotions.
Kentucky journalist Jenny Reese revealed she received direct messages from apparent colleagues asking for contest votes, after her account found her posting bogus Audi purchase claims after she clicked on the malicious link.
Trending news, recommended popular crypto topics, price predictions
