Cryptocurrency scammers are using a sophisticated phishing method against a number of prominent political figures and journalists, compromising dozens of accounts to push coins.
In one instance, scammers even created a deepfake of one of the victims, saying his account had not been hacked.
They also used other compromised accounts to respond to the posts shilling coins, insisting they were legitimate.
In one, Rachel Campos-Duffy, the wife of Trump's Transportation Secretary Sean Duffy, replied to a crypto plug on journalist Kyle Griffin's account.
Looks like Kyle Griffin and Fox News host Rachel Campos-Duffy have been hacked.
— PatriotTakes ?? (@patriottakes) February 19, 2025
Rachel is the wife of Trump Transportation Secretary Sean Duffy. pic.twitter.com/4NpR9WIlBW
"he is not hacked talking rn facetime," Campos-Duffy's account replied.
The targeted users, most of whom are verified, saw their accounts share posts about crypto coins in recent days despite no signs that they were hacked.
"This was posted to my X account a few minutes ago (I deleted immediately)," wrote Aaron Rupar, a prominent left-wing journalist with over 922,000 followers. "To my knowledge I have not been hacked, was not the victim of a phishing scam, and I have two factor on. What could possibly explain it?"
This was posted to my X account a few minutes ago (I deleted immediately). To my knowledge I have not been hacked, was not the victim of a phishing scam, and I have two factor on. What could possibly explain it? pic.twitter.com/KqpCXqHRBu
— Aaron Rupar (@atrupar) February 20, 2025
Others, such as Micah Erfan, a member of the Texas Democratic Party, similarly revealed his account was used to push cryptocurrency despite his security settings.
"If you want any more evidence that Elon ruined this site, I just was momentarily hacked despite having two factor authentication on," he tweeted.
However, the hack doesn't appear to rely on obtaining a user's email and password like in traditional phishing attacks. Numerous users confirmed that the account intrusion took place after they were were sent a direct message inquiring about potential interviews.
The hackers, often posing as belonging to media outlets such as Tech Crunch, sent links that appeared to originate from Google Calendar or Calendly as part of an alleged effort to schedule a discussion.
Journalist Ryan Grim alleged that at least six separate accounts posing as journalists reached out to him as well.
I had like 6 people claiming to be from TechCrunch reach out and try to set up an interview using some dodgy platform. Not sure if this is what got Aaron but this is a new one: https://t.co/lQFabNGFn6 pic.twitter.com/wbvuMTPz2q
— Ryan Grim (@ryangrim) February 20, 2025
It remains unclear if all the messages are part of a singular campaign or if the method is being utilized by multiple individuals and groups.
Those who click the link unknowingly enable an attack that grants a third-party app access to their X account, allowing the scammers to post to their page without ever needing their login credentials, and users potentially never noticing.
Cybersecurity expert Mike Grover, who was also targeted by the scam, shared the DMs he received that also used the calendar invite attack.
For anyone curious, he said he got a DM from a “journalist”, then a phishing link was sent posing as a calendar invite, which granted perms to the Twitter account.
— MG (@_MG_) February 20, 2025
He didn’t post the DM, but I got some around the same time. Here is what they look like. (account is now dead) https://t.co/7McilFiCaI pic.twitter.com/FAMuWatgky
Most responded by quickly deleting the offending posts.
Concerned users, though, should access their settings and find the "Security and account access" section, select "Apps and sessions," and make sure no unauthorized apps are listed under "Connected apps."
Internet culture is chaotic—but we’ll break it down for you in one daily email. Sign up for the Daily Dot’s web_crawlr newsletter here. You’ll get the best (and worst) of the internet straight into your inbox.
