A phishing operation compromised the X account of Ye Chen, founder of Scroll, and used it to target figures in the cryptocurrency industry. The attackers gained control of the account and leveraged it as a trusted communication channel to distribute malicious messages. The incident focused on impersonation tactics designed to exploit the platform’s internal trust mechanisms. The activity was identified and publicly flagged, prompting warnings to ignore communications originating from the compromised account.
The attackers posed as employees of the X platform and contacted recipients with claims of copyright violations. These messages threatened account restrictions unless recipients clicked provided links within a 48-hour window. To reinforce credibility, the attackers modified Ye Chen’s profile bio to reference Twitter and nCino and flooded the account feed with reposts from verified X accounts. This combination of profile changes and reposted content was used to create the appearance of legitimacy.
Following these preparatory steps, the attackers sent direct messages that appeared to come from X’s rights management team. The messages contained fake compliance warnings and time-sensitive appeals that directed recipients to malicious links. The phishing operation relied entirely on these links to compromise targets, rather than exploiting vulnerabilities in the X platform itself. The account takeover was subsequently identified, and the community was urged to disregard all messages from the affected account.
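The lure described above combines a claimed platform-staff identity, a copyright complaint, a short deadline, a restriction threat and a link. The following is an added example, not code from the original report or from X: a triage heuristic that flags a direct message when a link leaving the platform appears together with at least two of those pressure signals. The domain list, signal patterns, threshold and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: domains treated as the platform's own. Shortened links are
# not listed because their destination is unknown until resolved.
PLATFORM_DOMAINS = ("x.com", "twitter.com")
URL_RE = re.compile(r'https?://[^\s<>"]+', re.I)
TEXT_SIGNALS = {
    "staff_claim": re.compile(
        r"\b(?:x|twitter)\b[^.\n]{0,40}\b(?:team|support|staff|rights)\b", re.I),
    "copyright_claim": re.compile(r"\b(?:copyright|dmca|infring\w+)\b", re.I),
    "deadline": re.compile(r"\b\d{1,3}[\s-]*(?:hours?|hrs?)\b", re.I),
    "restriction_threat": re.compile(
        r"\b(?:restrict|suspend|lock|disabl|deactivat)\w*", re.I),
}


def is_platform_host(host):
    """True only for an exact platform domain or a true subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PLATFORM_DOMAINS)


def off_platform_links(text):
    """Return URLs in the message whose real host is not the platform."""
    urls = URL_RE.findall(text)
    return [u for u in urls if not is_platform_host(urlparse(u).hostname)]


def lure_signals(text):
    """Collect the names of every signal present in one direct message."""
    found = {name for name, rx in TEXT_SIGNALS.items() if rx.search(text)}
    if off_platform_links(text):
        found.add("off_platform_link")
    return found


def is_likely_lure(text):
    """Flag a DM with an off-platform link plus two or more pressure signals."""
    found = lure_signals(text)
    return "off_platform_link" in found and len(found) >= 3


# Constructed sample messages (not taken from the incident).
SAMPLE_LURE = ("Hello, this is the X rights management team. Your account has a "
               "copyright violation and will be restricted within 48 hours unless "
               "you appeal: https://x.com.appeal-review.example/case")
SAMPLE_BENIGN = "Great thread on rollups, details at https://x.com/some_user/status/1"
```

The host check matters more than the keywords: a platform name used as a subdomain prefix or in the userinfo part of a URL still resolves to a host outside the platform and is reported as such.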
The incident was reported as part of a broader pattern of social engineering attacks targeting cryptocurrency-related accounts. Similar breaches have affected accounts linked to BNB Chain, Yi He’s WeChat, ZKsync, Matter Labs, and Watcher.Guru. In these cases, attackers used comparable techniques to spread false claims, promote fraudulent programs, or distribute phishing links. The repeated targeting of high-visibility accounts highlights the continued focus on exploiting trusted identities within the crypto ecosystem.
Reported tactics across these incidents include the abuse of delegated account access, the registration of expired domains, and methods capable of bypassing two-factor authentication. In one case, attackers used a compromised WeChat account to promote a meme coin called MUBARA, creating wallets shortly before the breach and later dumping accumulated tokens. In another case, false claims of an SEC investigation and a fake airdrop were posted, contributing to a reported short-term decline in a token’s price. Automated bots were also used in separate incidents to spread false partnership claims.
Additional reporting has linked similar social engineering methods to compromises outside social media platforms. Examples include hijacked publisher accounts used to distribute malicious software updates through trusted channels. These attacks relied on the established trust of existing accounts rather than new infrastructure. At least two confirmed cases involved malware designed to steal cryptocurrency through such update mechanisms.
Broader crime statistics provide context for the scale of these threats. More than $3.4 billion was reported stolen in 2025, with a significant share of service compromises attributed to state-linked operations. Cumulative losses attributed to these groups have reached several billions of dollars over time. Personal wallet compromises also increased substantially, driven in part by address poisoning and private-key leaks, including a single incident involving a $50 million loss.


