Crypto scammers abuse Twitter ‘feature’ to impersonate high-profile accounts

Cryptocurrency scammers are abusing a legitimate Twitter "feature" to promote scams, fake giveaways, and fraudulent Telegram channels used to steal your crypto and NFTs.

On X, formerly and more widely known as Twitter, a post's URL consists of the account name of the person who tweeted it and a status ID, as shown below.

https://twitter.com/[account_name]/status/[status_id]

The website uses the status ID to determine what post should be loaded from the site's database, not bothering to check if the account name is valid.

This allows you to take an URL for a Tweet and modify the account name to whatever you want, even high-profile accounts. When visiting the URL, the website simply redirects you to the correct URL associated with the ID.

For example, https://twitter.com/BleepinComputer/status/1736650221243826564 looks like a legitimate post from our @bleepincomputer X account. However, clicking on it takes you to a post from Elon Musk, as the ID is associated with one of his tweets.

BleepingComputer previously reported on this feature in 2019, when security researcher Davy Wybiral expressed concerns that the feature could be used for phishing. However, at that time, it was not abused in phishing attacks.

Crypto scams abusing "feature"

Security researcher MalwareHunterTeam has told BleepingComputer that scammers have begun using this redirect mechanism for the past two weeks if not longer, to create URLs that look like they belong to legitimate, well-known organizations.

All of the impersonated organizations seen by BleepingComputer are crypto-related accounts, such as Binance (11 million followers), the Ethereum Foundation (3 million), zkSync (1.3 million), and Chainlink (1 million).

While the above look like tweets from Binance, Ethereum, and zkSync, they instead redirected to an unrelated X user's tweets promoting crypto scams. BleepingComputer observed tweets promoting fake crypto giveaways, websites that utilize wallet drainers, and Discord channels promoting pump-and-dumps.

The fake zkSync tweet led to a page impersonating the company and promoting a website that the X community says is a crypto drainer, meaning that when you connect your wallet, it automatically steals all crypto assets and NFTs.

Almost all accounts seen by BleepingComputer abusing this feature to promote crypto scam posts use an account name in the format of name+5 digits, such as @amanda_car16095. 

It is possible to filter out some of these tweets by enabling the Quality Filter under Settings > Notifications > Filters. However, you run the risk of tweets you wish to see being filtered incorrectly.

Most users should immediately be able to spot a scam tweet by seeing that the account is different than what was in the URL. However, some, like the zkSync URL, may be missed as the scammer created an account with the company in their user name.

Furthermore, opening these links on mobile can be a bit more confusing, as the app does not show an address bar, and you simply see the post. For many, it could be perceived that a company like Binance promoted it, making it appear more legitimate.

As this redirect is a standard feature of Twitter, we will likely not see it changed to make it more secure. That means if you click on an X link, you should take a quick look at your address bar (if available) to ensure you are visiting that person's tweet and have not been redirected.