
New account takeover on X targets crypto users via fake calendar app

Close-up of a crypto influencer with a phone showing a calendar phishing notice on X and a 2FA alert.

A new account takeover campaign emerged on 25 September 2025 on X targeting crypto influencers and project accounts. Attackers send links that look like Google Calendar invites, but they lead to an authorization page for a fake calendar app that, once approved, grants control of the victim’s account. Reports indicate the trick defeats two‑factor authentication and impacts verified users as well as their followers.

The lure arrives as a direct message on X with a preview showing calendar.google.com while the actual URL points to a spoof domain like x.ca-lendar.com. That domain uses JavaScript to redirect the browser to an X authorization endpoint, masking the transition and fostering trust through the convincing preview.

The permission screen presents a rogue app whose title uses Cyrillic letters that resemble Latin ones, whereas the genuine X Calendar app uses only Latin characters. The malicious app requests broad access, including the ability to read direct messages, publish tweets, follow or unfollow accounts, and alter the profile.

After approval, victims are redirected to Calendly to mask the crime. Reports note that the flow sidesteps normal safeguards, including 2‑factor codes, and Ohm Shah has confirmed active sightings of the campaign.

What the trick means for crypto

The campaign poses direct risks to crypto communities, where compromised profiles can rapidly propagate scams across highly engaged follower bases. Convincing previews and homoglyph app names increase the chance that both users and security teams miss the fraud, underscoring gaps in current defenses and review processes.

  • Hijacked profiles push scams, fake token sales, or phishing links that drain follower wallets.
  • Convincing previews and homoglyph names raise the chance that users and security teams miss the fraud.
  • X needs tighter preview generation and clearer app name display to expose spoofed identities.
  • Compliance staff should list every connected app and trim rights as part of KYC and internal checks.

Researchers tracking the campaign say attackers now target user interface steps instead of classic code flaws. Product and compliance teams should audit and revoke existing app permissions and deploy phishing‑resistant MFA to reduce the blast radius of future authorization‑based compromises.
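The three signals described above (a homoglyph app name, a link preview whose host differs from the real destination, and a permission request far broader than a calendar integration needs) can each be checked mechanically before anyone clicks "Authorize". The script below is an added example written for this article, not code from X, Google, or the researchers who reported the campaign. The app name, link and scope values are constructed for illustration; the spoof domain x.ca-lendar.com is the one the article cites, the scope labels are assumed names rather than a published X API list, and the genuine app name is assumed to be plain Latin "X Calendar".

```python
import unicodedata
from urllib.parse import urlparse

# Constructed sample data for the demonstration (not real app records).
GENUINE_APP_NAME = "X Calendar"
SPOOFED_APP_NAME = "X C\u0430lendar"   # Cyrillic small 'а' (U+0430) replaces Latin 'a'

# Assumed scope labels: what a calendar integration plausibly needs versus
# the broad set the article says the rogue app requests.
EXPECTED_SCOPES = {"users.read", "tweet.read"}
ROGUE_SCOPES = {"users.read", "tweet.read", "tweet.write",
                "dm.read", "follows.write", "users.write"}


def scripts_in(name):
    """Return the Unicode script families used by the letters in a string.

    The family is taken from the first word of each character's Unicode name,
    e.g. 'LATIN CAPITAL LETTER X' -> 'LATIN', 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'.
    """
    families = set()
    for ch in name:
        if not ch.isalpha():
            continue
        parts = unicodedata.name(ch, "").split()
        if parts:
            families.add(parts[0])
    return families


def homoglyph_suspect(name, allowed=frozenset({"LATIN"})):
    """True if the display name uses any script outside the allowed set."""
    return bool(scripts_in(name) - set(allowed))


def host_mismatch(displayed_host, actual_url):
    """True if the link's real host is neither the previewed host nor a subdomain of it."""
    actual = (urlparse(actual_url).hostname or "").lower().rstrip(".")
    displayed = displayed_host.lower().rstrip(".")
    return not (actual == displayed or actual.endswith("." + displayed))


def excess_scopes(requested, expected):
    """Scopes requested beyond what the integration is expected to need."""
    return set(requested) - set(expected)


def review_authorization(app_name, displayed_host, actual_url,
                         requested_scopes, expected_scopes=EXPECTED_SCOPES):
    """Collect human-readable findings for one authorization request."""
    findings = []
    if homoglyph_suspect(app_name):
        findings.append(f"app name mixes scripts: {sorted(scripts_in(app_name))}")
    if host_mismatch(displayed_host, actual_url):
        findings.append(f"preview host {displayed_host} differs from link host "
                        f"{urlparse(actual_url).hostname}")
    extra = excess_scopes(requested_scopes, expected_scopes)
    if extra:
        findings.append(f"scopes beyond a calendar app's needs: {sorted(extra)}")
    return findings


if __name__ == "__main__":
    # The lure from the article: preview shows calendar.google.com, link goes elsewhere.
    rogue = review_authorization(SPOOFED_APP_NAME, "calendar.google.com",
                                 "https://x.ca-lendar.com/invite", ROGUE_SCOPES)
    benign = review_authorization(GENUINE_APP_NAME, "calendar.google.com",
                                  "https://calendar.google.com/calendar/r", EXPECTED_SCOPES)
    print("rogue request:", rogue or "no findings")
    print("benign request:", benign or "no findings")
```

The script-family check is deliberately strict: a single non-Latin letter in an otherwise Latin name is enough to flag it, which is exactly the pattern a homoglyph title relies on. The host check compares the previewed domain with the parsed hostname of the real link rather than with the raw string, so tricks such as a `calendar.google.com` username or path component in a URL pointing elsewhere are not mistaken for a match.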

The campaign highlights how convincing authorization flows can bypass traditional safeguards. By tightening app review, reducing unnecessary permissions, and adopting phishing‑resistant MFA, organizations and users can mitigate this takeover vector on X.
