Mandiant's X (Twitter) Account Hacked to Promote Crypto Scam

The hours-long breach — since resolved — directed users to a suspicious website as attackers posing as crypto-wallet service Phantom took over the feed of the Google subsidiary.

A stack of gold coins
Source: Klaus Ohlenschlaeger via Alamy Stock Photo

The X (Twitter) account of Google's cybersecurity firm Mandiant was restored to its rightful owner Jan. 4 after the account was hacked and used to promote a cryptocurrency scam.

The account-takeover drama played out for several hours on X, as observers tweeted various evidence of Mandiant's account being taken over by attackers posing as Phantom, a "friendly crypto wallet built for DeFi and NFTs," according to a screenshot of the hacked Mandiant X bio posted by Cyble.

The incident occurred amid growing concerns for the security of high-profile accounts on X, as the platform has a history of being targeted by cybercriminals to post and promote scams that show little signs of stopping.

Though Phantom is a legitimate company — its wallet app is available on both Google and Apple's app stores — the actors who purported to be the company on Mandiant's account seemed anything but. Once Mandiant's X account was commandeered by attackers around 5:30pm EST on Wednesday, it tweeted a series of promotions directing people to a scam that offered token awards on a website that would verify if their cryptocurrency wallet was eligible.

VX-Underground posted a screenshot of one of the tweets, which announced, "The $PHNTM distribution has officially started. Our snapshot recorded over $250,000 wallets, head over to our website to check if you're eligible to claim." The tweet then directed people to the suspicious site, ""

By Thursday, Mandiant's X account again appeared to be in proper working order. Mandiant is a part of Google Cloud; the tech giant completed its acquisition of the firm in September.

“We are aware of the incident that impacted the Mandiant X account and are conducting a thorough investigation. We've since regained control and the account has been restored," a Mandiant spokesman told Dark Reading.

During the several hours that the account was taken over, Phantom also was aware of the issue and assured users on its own X account that their funds were safe, warning them to be wary of clicking on strange links, according to a screenshot tweeted by MalwareHunterTeam, which also documented the situation on X.

History of Takeover As Threat Lingers

High-profile X accounts are certainly no stranger to takeover by threat actors. In a now notorious event that occurred in July 2020 when the platform was still called Twitter, a number of major accounts — including those of Jeff Bezos, Bill Gates, Barack Obama and even X's current owner Elon Musk — were hacked to promote a Bitcoin scam.

Musk's purchase and rebranding of the platform has indeed come with much criticism and controversy, among them growing security concerns that the platform is ripe for cybercriminal activity after Musk cut hundreds of security employees upon taking over X.

In fact just earlier this week, security firm CloudSEK revealed a "Gold Rush" of cybercriminals taking over verified "Gold" X accounts — or those accounts independently verified as legitimately belonging to a high-profile organization or a celebrity — and selling them on the Dark Web for up to $2,000 each.

The CloudSEK reported cited yet another high-profile X account takeover to prove its point—that of Vitalik Buterin, the co-founder of Ethereum, which attackers used to tweet out an offer for purportedly free nonfungible tokens (NFTs) that included an embedded malicious link redirecting users to a fake website designed to drain cryptocurrency from their wallets.

Other security researchers report vulnerabilities on X that appear to remain unpatched. Last month researchers — including Chaofan Shou, a Ph.D. student at the University of California — discovered flaws in the platform that would "allow anyone to take over an account" that were not addressed for weeks by the social media site's team, according to Recorded Future.

“Both vulnerabilities are obvious and easy to find for folks working in security,” Shou, who built what he called on his X feed in a Dec. 12 tweet a "nuclear-weapon-level" exploit for several unfixed vulnerabilities, told Recorded Future News.

CloudSEK earlier this week recommended that high-profile organizations protect themselves on X by monitoring mentions of their respective brands on the site as well as implementing strong password policies. Brute-forcing passwords is a key way that attackers take over X and other online accounts.

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights