Cybercriminals Exploit X Ad Feature to Launch Sophisticated Crypto Scam
May 14, 2025

Cybersecurity analysts have uncovered a dangerous new scam exploiting X (formerly Twitter)’s advertising URL display system to mislead users into falling for fake cryptocurrency promotions.
Threat researchers at Silent Push revealed that attackers manipulated X’s ad URL preview functionality to display trusted domains – like CNN.com – even though the actual link led victims to scam websites impersonating Apple and promoting a fake "Apple iToken" crypto presale.
How the Attack Works
This scheme abuses how X generates its link preview cards. When a URL is posted in an ad, X's bot fetches the page metadata using a static User-Agent string. Attackers configure their web servers to recognize that User-Agent and redirect the bot to a legitimate site (like cnn[.]com), producing a clean preview card. But when regular users click the same link, they are silently redirected to scam domains like ipresale[.]world.
In some cases, attackers use link shorteners such as bit[.]ly, which initially point to a reputable site for preview generation, only to switch to malicious pages once the ad is live.
These phishing links often pass through several redirects (including t[.]co) before landing on professionally designed scam sites. Victims are shown fake endorsements from Apple CEO Tim Cook and encouraged to deposit funds into one of 22 crypto wallets across Bitcoin, Ethereum, and Solana networks.
Expanding Operation with Global Footprint
Further investigation uncovered nearly 90 related domains active since 2024. The attackers used consistent infrastructure – shared files, icons, IP addresses (e.g., 51.15.17[.]214), and name servers (ns1.chsw.host) – to run the scam network.
The campaign’s second wave launched via new X ads on May 5, 2025, redirecting users through chopinkos[.]digital to itokensale[.]live, featuring nearly identical scam content and Apple branding abuse.
Some associated domains also traced back to suspicious .ru regions, though definitive attribution to a specific group remains unconfirmed.
What This Means for Users and Platforms
This incident highlights the sophistication of modern social media ad fraud and the risks of platforms relying on client-side redirection without robust URL verification. Silent Push recommends urgent improvements to X’s ad review and metadata systems and greater user vigilance.
As ad scams grow more deceptive, users should not only think twice before clicking but also regularly clean up past content. Tools like TweetDeleter let you delete old tweets and manage your social media history – an essential step in staying safe online.
Source: gbhackers.com