Phishing campaign bypasses passwords and two-factor authentication
A sophisticated phishing attack is targeting the crypto community on X (formerly Twitter), hijacking accounts by abusing the platform's own app authorization system. Instead of stealing credentials, the lure tricks the victim into granting an attacker-controlled app access to their account through X's legitimate consent screen. Because that grant produces an access token rather than a login, the attacker never needs the victim's password or a two-factor authentication (2FA) code, and there is no fake login page for the user or security tooling to spot.
How the attack works
Crypto developer Zak Cole first raised the alarm, warning that the campaign is "zero detection, active right now, full account takeover." Unlike common scams that rely on fake login pages, this method uses X's app authorization system, the consent screen shown when a third-party app asks for access, to obtain account permissions directly from the user.
The lure usually arrives as a direct message containing what looks like a link to Google Calendar. Because X builds its link preview cards from metadata supplied by the linked page, the card displays the legitimate Google domain while the actual URL points to x(.)ca-lendar(.)com, a lookalike domain registered on Sept. 20.
Once clicked, the site redirects the victim to an X authorization page requesting permission for an app named "Calendar." Researchers found that the app name contains Cyrillic characters that render identically to their Latin counterparts, so the name passes as that of a legitimate service.
Security experts weigh in
MetaMask security researcher Ohm Shah confirmed seeing the phishing campaign "in the wild," signaling that it may already be widespread. Targets outside crypto, including an OnlyFans model, have also received similar lures.
The clearest red flag appears on the X app permissions page. The fake "Calendar" app asks for far more than a scheduling integration needs: posting and deleting content, updating account settings, and following or unfollowing accounts. A calendar service has no reason to request write access of that kind, and the mismatch should alert cautious users.
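The three tells described above (a preview card whose advertised host differs from the real link target, an app name assembled from Cyrillic lookalike letters, and write-level permissions a calendar tool does not need) can each be checked mechanically. The following is an added example written for this article, not code from Cole's report or from X; the Cyrillic-to-Latin table is a constructed subset rather than the full Unicode confusables list, the permission strings are constructed to resemble consent-screen wording, the registrable-domain comparison is simplified to the last two labels, and CALENDAR_NEEDS is an assumed allowlist for a scheduling app that only needs to identify the user.

```python
"""Triage an X app-authorization consent screen and the DM link that led to it:
flag a host mismatch in the link, a homoglyph app name, and excess permissions."""
import unicodedata
from urllib.parse import urlsplit

# Constructed subset of Cyrillic letters whose glyphs resemble Latin letters.
# Assumption for this example: a real deployment would use the Unicode
# confusables data (confusables.txt) instead of this hand-picked table.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C",
    "\u0425": "X", "\u0412": "B", "\u041d": "H", "\u041a": "K", "\u041c": "M",
    "\u0422": "T",
}

# Assumed allowlist: a calendar integration only needs to identify the user.
# Permission wording is constructed, not copied from X's consent screen.
CALENDAR_NEEDS = {"read profile"}


def script_of(ch):
    """Unicode script prefix of a letter ('LATIN', 'CYRILLIC', ...); None for non-letters."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def analyze_app_name(name):
    """Detect mixed scripts and compute the Latin 'skeleton' the name impersonates."""
    scripts = {s for s in (script_of(c) for c in name) if s}
    skeleton = "".join(CYRILLIC_TO_LATIN.get(c, c) for c in name)
    return {
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "skeleton": skeleton,
        "homoglyph_spoof": skeleton != name,
    }


def link_mismatch(preview_host, href):
    """True when the host a preview card advertises is not the host the link opens.
    Registrable domain is approximated by the last two labels (assumption; no PSL)."""
    actual = urlsplit(href).hostname or ""
    base = lambda h: ".".join(h.lower().split(".")[-2:])
    return base(actual) != base(preview_host)


def excess_permissions(requested, needed):
    """Permissions requested beyond what the claimed service needs (case-insensitive)."""
    needed_lc = {p.lower() for p in needed}
    return sorted(p for p in requested if p.lower() not in needed_lc)


def triage_consent_screen(app_name, requested, needed=CALENDAR_NEEDS):
    """Return ('revoke' | 'allow', reasons) for a consent screen."""
    reasons = []
    info = analyze_app_name(app_name)
    if info["mixed_script"]:
        reasons.append("app name mixes scripts: " + ", ".join(info["scripts"]))
    if info["homoglyph_spoof"]:
        reasons.append("app name is a lookalike of %r" % info["skeleton"])
    extra = excess_permissions(requested, needed)
    if extra:
        reasons.append("permissions beyond a calendar app's needs: " + "; ".join(extra))
    return ("revoke" if reasons else "allow", reasons)


if __name__ == "__main__":
    # Constructed sample: the app name with Cyrillic 'а' (U+0430) and 'е' (U+0435),
    # the permission set the article describes, and a preview/link pair like the lure.
    spoofed = "C\u0430l\u0435ndar"
    requested = ["Read profile", "Post and delete content",
                 "Update account settings", "Follow or unfollow accounts"]
    print("link mismatch:", link_mismatch("calendar.google.com", "https://x.ca-lendar.com/invite"))
    verdict, reasons = triage_consent_screen(spoofed, requested)
    print(verdict)
    for r in reasons:
        print(" -", r)
```

The skeleton comparison is what catches the name: "Cаlеndar" with Cyrillic а and е normalizes to "Calendar", which differs from the raw string, so the name is flagged even though it prints identically. A wholly Cyrillic name would not trip the mixed-script check, which is why the skeleton test is kept separate from it.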
Cole highlighted another inconsistency: while the preview claims to be from Google Calendar, victims are redirected to Calendly after authorization. He described this as a “major operational security failure” that might tip off attentive users.
Protecting accounts from takeover
According to Cole's GitHub report, users can check whether they have been compromised by reviewing the Connected Apps section in their X account settings. The recommendation is to revoke any suspicious apps, especially those named "Calendar" or "Cаlеndar" (with Cyrillic letters); revoking the app is what cuts off the access it was granted, since the attacker holds a token rather than the password. Security experts also advise removing any unused third-party connections as a precaution.
The attack shows how phishing is evolving beyond fake websites and emails. By exploiting built-in authorization systems, scammers can make their attempts appear more legitimate, raising concerns about the security of social media platforms widely used in the crypto industry.
With millions of dollars at stake in digital assets, experts warn that users must remain vigilant, carefully inspect permissions before authorizing apps, and stay informed about new, advanced attack vectors.