Phishing campaign may hijack X accounts via app authorization, potentially targeting Solana crypto figures and bypassing 2FA

  • Spoofed app authorization: attackers use a fake “Calendar” app to request broad permissions.

  • The scam exploits X’s preview metadata and visually legitimate links to trick targets into authorizing access.

  • Security researchers report active incidents; revoke unknown connected apps via X settings to remediate.

X account takeover phishing steals access via app authorizations, bypassing 2FA; check connected apps and revoke suspicious ones now. Read how to protect your account.

What is the X account takeover phishing campaign?

X account takeover phishing is an attack that hijacks X (formerly Twitter) accounts by abusing the platform’s app authorization flow. Attackers present a spoofed app authorization prompt—often disguised via convincing metadata previews—so victims grant excessive permissions and enable full account control.

How does the phishing method bypass two-factor authentication?

The attack bypasses 2FA because it never touches the login step: instead of stealing credentials, it sends the victim to X’s own OAuth-style authorization endpoint while they are already signed in. Two-factor authentication protects sign-in, not the consent screen, so the access token X issues to the malicious app is valid on its own. The app requesting that token carries a name that visually mimics a trusted app using lookalike characters, and the prompt asks for broad permissions.

Technical signs include: brief display of a suspicious URL before redirect, app names with Cyrillic lookalikes, and permission lists unrelated to the app’s stated function (for example, a calendar app requesting posting and profile control).

A new, hard-to-spot phishing campaign is hijacking crypto personalities’ X accounts by abusing X’s app authorization system to bypass passwords and 2FA.

A new sophisticated phishing campaign is targeting the X accounts of crypto personalities, using tactics that bypass two-factor authentication and appear more credible than traditional scams.

According to a Wednesday X post by crypto developer Zak Cole, a new phishing campaign leverages X’s own infrastructure to take over the accounts of crypto personalities. “Zero detection. Active right now. Full account takeover,” he said.

Cole highlighted that the attack does not involve a fake login page or password stealing. Instead, it leverages X application support to gain account access while also bypassing two-factor authentication.

MetaMask security researcher Ohm Shah also confirmed seeing the attack “in the wild,” suggesting a broader campaign. An OnlyFans model was also targeted by a less sophisticated version of the attack.

How do attackers craft a credible phishing message?

The campaign begins with a direct message that appears to contain a legitimate Google Calendar link. X builds the link preview from the target page’s own metadata (title, site name, image), so the attacker controls what the preview shows, and the visible preview fools recipients into trusting the destination.

In reported incidents the displayed domain looked like calendar.google.com in the preview, while the actual link pointed to a lookalike domain such as x(.)ca-lendar(.)com. The malicious page then redirects to an X authorization endpoint requesting app permissions.
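The mismatch described above can be checked mechanically: the Open Graph tags a page serves are what the preview is built from, while the link’s actual host is what the browser visits. The following is an added example, not code from the article or from Zak Cole; the HTML snippet and the query string are constructed samples, and the lookalike host is the one named in the text (defanging removed). The `registrable_host` helper is a two-label approximation rather than a Public Suffix List lookup.

```python
"""Flag a link whose preview metadata claims a different site than the one it is served from."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _OpenGraphParser(HTMLParser):
    """Collect <meta property="og:..." content="..."> tags from an HTML document."""

    def __init__(self):
        super().__init__()
        self.og = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = dict(attrs)
        prop = attr.get("property") or attr.get("name") or ""
        if prop.startswith("og:") and attr.get("content") is not None:
            self.og[prop] = attr["content"]


def extract_og(html):
    """Return the Open Graph tags a platform would use to build a link preview."""
    parser = _OpenGraphParser()
    parser.feed(html)
    return parser.og


def registrable_host(host):
    """Last two DNS labels; adequate for the sample hosts, not a Public Suffix List lookup (assumption)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def preview_mismatch(actual_url, html):
    """Return reasons the preview should not be trusted; an empty list means no mismatch was found."""
    og = extract_og(html)
    actual_host = (urlparse(actual_url).hostname or "").lower()
    claimed_host = (urlparse(og.get("og:url", "")).hostname or "").lower()
    reasons = []

    # 1. The page claims a canonical URL on a different registrable domain than it is served from.
    if claimed_host and registrable_host(claimed_host) != registrable_host(actual_host):
        reasons.append(f"og:url points at {claimed_host}, but the link is served from {actual_host}")

    # 2. Brand words in the advertised site name occur in the claimed host but not in the real one.
    for word in og.get("og:site_name", "").lower().split():
        if len(word) >= 4 and word.isalpha() and word in claimed_host and word not in actual_host:
            reasons.append(f"og:site_name names '{word}', which is absent from {actual_host}")
    return reasons


# Constructed sample: metadata a lookalike page could serve so the preview shows
# Google Calendar branding, hosted on the lookalike domain named in the article.
PHISHING_URL = "https://x.ca-lendar.com/invite?id=example"
PHISHING_HTML = """
<html><head>
  <meta property="og:site_name" content="Google Calendar">
  <meta property="og:title" content="Invitation: team sync">
  <meta property="og:url" content="https://calendar.google.com/calendar/event">
  <meta property="og:image" content="https://calendar.google.com/logo.png">
</head><body>redirecting...</body></html>
"""
# Control case: the same metadata served from the domain it claims.
LEGIT_URL = "https://calendar.google.com/calendar/event"

if __name__ == "__main__":
    for url in (PHISHING_URL, LEGIT_URL):
        print(url, "->", preview_mismatch(url, PHISHING_HTML) or ["no mismatch"])
```

The check is only as good as the host you feed it: it has to be the link’s real destination (the `href`, or the first hop of a redirect chain), never the text the preview displays.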

The phishing link is in the message. Source: Zak Cole

The fake app presented to users appears as “Calendar,” but contains two Cyrillic characters that visually match Latin letters, making it technically distinct from the real Calendar app in X’s system. When granted, the app receives extensive permissions including posting, deleting, following, and profile changes.

Phishing site’s metadata. Source: Zak Cole

When would a user notice the attack?

Signs to watch for include a fraction-of-a-second display of a suspicious URL before redirect, an authorization prompt requesting unrelated permissions, and an unexpected final redirect (reports note a redirect to calendly.com despite a Google Calendar preview). These inconsistencies are red flags.

Security researcher guidance recommends checking X connected apps and revoking any unknown or suspicious apps, particularly any labeled “Calendar” or similar variants using lookalike characters.
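The two tells the article gives for the fake app, a name with Cyrillic characters standing in for Latin ones and write permissions a calendar app has no use for, can both be checked over an exported connected-apps list. This is an added example, not code from the article, from X, or from the researchers quoted; the app entries, the confusables table, and the `EXPECTED_SCOPES` expectation table are constructed assumptions, and the scope names are the plain words the article uses rather than X’s actual permission identifiers.

```python
"""Audit a connected-apps list for homoglyph names and permissions beyond an app's stated purpose."""
import unicodedata

# Constructed subset of Unicode confusables: Cyrillic letters that render like Latin ones.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0410": "A", "\u0412": "B", "\u0415": "E",
    "\u041a": "K", "\u041c": "M", "\u041d": "H", "\u041e": "O", "\u0420": "P",
    "\u0421": "C", "\u0422": "T", "\u0425": "X",
}

# Assumed expectation table: what an app of this kind plausibly needs.
EXPECTED_SCOPES = {"calendar": {"read"}}
# The write capabilities the article says the fake Calendar app obtained.
WRITE_SCOPES = {"post", "delete", "follow", "profile"}


def scripts_in(name):
    """Set of Unicode scripts used by the letters in a name, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}


def skeleton(name):
    """Lowercase name with known Cyrillic lookalikes mapped to Latin, for comparing displayed names."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in name).lower()


def audit_apps(apps, trusted_names=("calendar",)):
    """Return {app name: [reasons]} for entries that warrant review and likely revocation."""
    findings = {}
    for app in apps:
        name, scopes = app["name"], set(app["scopes"])
        reasons = []

        # Tell 1: Latin letters mixed with another script in a single short name.
        used = scripts_in(name)
        if "LATIN" in used and len(used) > 1:
            reasons.append(f"mixed scripts in name: {sorted(used)}")

        # Tell 2: the name collapses to a trusted one once lookalikes are normalised.
        canon = skeleton(name)
        if canon in trusted_names and name.lower() != canon:
            reasons.append(f"looks like trusted app '{canon}' but differs at the code-point level")

        # Tell 3: write scopes unrelated to what this kind of app is for.
        excess = (scopes & WRITE_SCOPES) - EXPECTED_SCOPES.get(canon, set())
        if canon in EXPECTED_SCOPES and excess:
            reasons.append(f"'{canon}' app holds write scopes it should not need: {sorted(excess)}")

        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample list, shaped like what the Connected apps page shows.
CONNECTED_APPS = [
    # Pure Latin name, read-only: nothing to flag.
    {"name": "Calendar", "scopes": ["read"]},
    # Lookalike: two Cyrillic 'a' (U+0430) in place of Latin 'a', with the article's write scopes.
    {"name": "C\u0430lend\u0430r", "scopes": ["read", "post", "delete", "follow", "profile"]},
    # Unknown app outside the expectation table: not flagged here, which is why every
    # unfamiliar entry still needs a manual look.
    {"name": "Scheduler Pro", "scopes": ["read", "post"]},
]

if __name__ == "__main__":
    for app_name, reasons in audit_apps(CONNECTED_APPS).items():
        print(repr(app_name))
        for reason in reasons:
            print("  -", reason)
```

Note that `skeleton` only catches the lookalikes in its table; a name that passes it can still be impersonating something, so the mixed-script check and the scope check run independently of it.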

Phishing X authorization request. Source: Zak Cole


Frequently Asked Questions

How do I check connected apps on X?

Open your X account settings and navigate to Connected apps. Review the list and revoke any unfamiliar or unused apps immediately. Prioritize revoking apps named “Calendar” or similarly spelled variants.

What immediate steps stop a takeover?

Revoke malicious app access in X connected apps, change account passwords, enable strong authentication, and review recent account activity. If you lose access, contact platform support and document suspicious DMs and authorization requests.

Key Takeaways

  • Attack vector: App authorization abuse — attackers request excessive permissions instead of stealing passwords.
  • Detection tips: Look for mismatched previews, odd URLs, Cyrillic lookalike characters, and unrelated permission requests.
  • Remediation: Revoke suspicious connected apps, change credentials, and audit recent activity; prioritize accounts of public crypto figures.

Conclusion

This X account takeover phishing campaign demonstrates a shift toward authorization-based hijacking that bypasses traditional password and 2FA protections. COINOTAG recommends immediate checks of connected apps, prompt revocation of suspicious permissions, and routine security hygiene to limit exposure.