A new, sophisticated phishing campaign is targeting the X accounts of crypto personalities, using methods that bypass two-factor authentication and appear far more convincing than traditional scams.
Crypto developer Zak Cole reported in a Wednesday X post that the campaign exploits X’s own infrastructure to hijack accounts. “Zero detection. Active right now. Full account takeover,” he warned.
Unlike typical phishing attacks, this campaign does not rely on fake login pages or password theft. Instead, it abuses X’s application support system to gain account access while circumventing two-factor authentication.
MetaMask security researcher Ohm Shah confirmed seeing the attack “in the wild,” indicating a broader campaign, while a less sophisticated version also targeted an OnlyFans creator.
How the phishing works
The attack’s sophistication lies in its credibility and subtlety. It begins with an X direct message containing a link that appears to lead to the official Google Calendar domain, exploiting how the platform generates link previews. In Cole’s case, the message was disguised as coming from a representative of venture capital firm Andreessen Horowitz.

The message links to the domain “x(.)ca-lendar(.)com,” which was registered just last Saturday. However, X displays the legitimate calendar.google.com in its preview, because the platform generates previews from the linked site’s metadata.
“Your brain sees Google Calendar. The URL is different.”

When users click the link, the page’s JavaScript redirects them to an X authentication endpoint, requesting authorization for an app to access their account. The app appears as “Calendar,” but a technical analysis shows its name includes two Cyrillic characters resembling “a” and “e,” making it a different app from X’s legitimate “Calendar” application.

The clue that exposes the attack
The clearest early warning may be the URL, which flashes briefly before the redirect—so short that many users could easily miss it.
A more obvious red flag appears on the X authentication page itself. The app requests an extensive list of permissions, including following and unfollowing accounts, updating profiles and account settings, creating and deleting posts, interacting with others’ posts, and more. Such broad access is clearly unnecessary for a calendar app and can alert cautious users to the phishing attempt.
If the user grants access, the attackers gain full account control. A further hint then appears: users are redirected to calendly.com instead of Google Calendar.
“Calendly? They spoofed Google Calendar but redirect to Calendly? That’s a major operational security failure. This inconsistency could tip off victims,” Cole noted.
Cole’s GitHub report on the attack recommends that users check their X connected apps page to see if their account may have been compromised. He advises revoking any app named “Calendar” to remove potential unauthorized access.
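When reviewing connected apps, a lookalike name of the kind described above can be checked mechanically. The following Python is an added example, not code from Cole's report or from X: it reports non-ASCII code points, mixed scripts, and names that fold to a trusted name. The sample names, the lookalike table, and the function names are constructed, and which letters of the real app name were Cyrillic is an assumption.

```python
import unicodedata

# Constructed, non-exhaustive table of Cyrillic letters that render like Latin
# ones; Unicode's confusables data is the full reference.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}

def script_of(ch):
    """Coarse script label (LATIN, CYRILLIC, ...) taken from the Unicode name."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def skeleton(name):
    """Normalize, casefold, then fold known lookalikes to their Latin twin."""
    text = unicodedata.normalize("NFKC", name).casefold()
    return "".join(LOOKALIKES.get(ch, ch) for ch in text)

def audit_app_name(name, trusted_names=("Calendar",)):
    """Return the findings a reviewer would want for one connected-app name."""
    scripts = {s for s in map(script_of, name) if s}
    non_ascii = [(i, f"U+{ord(c):04X}", unicodedata.name(c, "?"))
                 for i, c in enumerate(name) if ord(c) > 127]
    # Only a name containing non-ASCII characters can be a homoglyph spoof.
    impersonates = [t for t in trusted_names
                    if non_ascii and skeleton(name) == skeleton(t)]
    return {
        "name": name,
        "mixed_script": len(scripts) > 1,
        "non_ascii": non_ascii,
        "impersonates": impersonates,
    }

if __name__ == "__main__":
    # Constructed sample: the second entry swaps in Cyrillic "a" and "e".
    connected_apps = ["Calendar", "C\u0430l\u0435ndar", "Scheduler"]
    for app in connected_apps:
        result = audit_app_name(app)
        flag = "SUSPICIOUS" if result["impersonates"] or result["mixed_script"] else "ok"
        print(f"{flag:10} {app!r} {result['non_ascii']}")
```

Both names render the same on screen, so the code point listing is what separates them.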

