
Hackers have developed an advanced phishing scheme that targets leading members of the crypto community using X infrastructure. The attack exploits X’s app authorization system, allowing attackers to bypass both passwords and two-factor authentication.
Crypto developer Zak Cole first flagged the issue on Wednesday, warning that the attack results in complete account takeover with “zero detection.” Unlike conventional phishing attempts that rely on fake login pages, this method exploits X’s native application support to access accounts directly.
MetaMask researcher Ohm Shah confirmed spotting the attack “in the wild,” indicating a wider spread. A similar method targeted even non-crypto figures, including an OnlyFans model, showing the attack’s versatility.
The attack begins with a direct message on X containing a link whose preview appears to show a legitimate website. The preview displays calendar.google.com, but the link actually leads to “x(.)ca-lendar(.)com”, which was only registered a few days ago. The preview is misleading because X uses metadata to create its previews, and the attackers use that metadata to display Google's official branding.
After clicking the link, the user is quietly redirected to a page that executes code sending them to an official-looking X login screen. There, a phishing app named “Calendar” requests permission to access the account.
A subtle visual illusion makes the name look identical to the real Google Calendar application. However, two of the letters are actually Cyrillic characters designed to trick the eye, making it harder for users to spot the difference.
The counterfeit app then requests sweeping permissions that a calendar tool would never need. It asks for the ability to follow or unfollow accounts, edit profile information, and even post or delete content. These excessive permission requests are among the few signs that something is amiss.
Another red flag appears after users grant access. Victims are redirected to calendly.com rather than Google Calendar, which does not match the destination shown in the preview. According to Cole, this operational error may alert some users.
Cole’s GitHub report advises users to check their X account settings to identify suspicious app connections. He specifically recommended revoking access for any app labelled “Calendar” to stop attackers from maintaining control.
The campaign’s success stems from its subtle execution, which combines metadata spoofing, Unicode homograph techniques, and OAuth abuse. These methods make detection difficult and increase the credibility of phishing attempts. Security experts note that it is crucial to scrutinize app permission requests, since suspicious access requests are one of the few indicators of compromise.
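The homograph trick in the app name can be checked mechanically when reviewing connected apps. The following Python sketch is an added example, not code from Cole's report: it flags display names that mix Latin letters with letters from another script. The app list is constructed, and the two Cyrillic letters in the spoofed entry are an assumption, since the article does not say which letters were swapped.

```python
import unicodedata

def script_of(ch):
    """Coarse script label from the Unicode character name; None for non-letters."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"

def audit_app_name(name):
    """Report which scripts a display name mixes and where the non-Latin letters sit."""
    scripts = set()
    non_latin = []
    for index, ch in enumerate(name):
        script = script_of(ch)
        if script is None:
            continue
        scripts.add(script)
        if script != "LATIN":
            non_latin.append((index, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN")))
    # A single-script name (all Latin or all Cyrillic) is normal; a mix inside
    # one name is the homograph signal described in the article.
    mixed = len(scripts) > 1
    return {
        "name": name,
        "scripts": sorted(scripts),
        "mixed": mixed,
        "non_latin": non_latin if mixed else [],
    }

# Constructed sample of connected-app names. The spoofed entry swaps in
# Cyrillic U+0430 and U+0435, chosen for illustration only (assumption).
CONNECTED_APPS = ["Calendar", "C\u0430l\u0435ndar", "Календарь", "Example Scheduler"]

def flag_suspicious(app_names):
    """Return audit reports only for names that mix scripts."""
    return [r for r in map(audit_app_name, app_names) if r["mixed"]]

if __name__ == "__main__":
    for report in flag_suspicious(CONNECTED_APPS):
        print(repr(report["name"]), report["scripts"])
        for index, codepoint, uname in report["non_latin"]:
            print(f"  position {index}: {codepoint} {uname}")
```

A name written entirely in one non-Latin script is not flagged, so a whole-script lookalike would still need a separate confusables check.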