New X attack: accounts hacked via “fake calendar”

A new large-scale phishing campaign has been detected on social network X, targeting leaders of the crypto community. Unlike traditional fake login-page schemes, attackers are exploiting X’s own infrastructure, bypassing both passwords and two-factor authentication.
The issue was first reported by developer Zak Cole, who warned that the attack is “undetectable and active right now.” He explained that the method abuses X’s app authorization system.
Victims receive direct messages with a link disguised as the official Google Calendar domain. The preview shows the legitimate address calendar.google.com, but clicking the link redirects to x.ca-lendar.com, a domain registered only a few days earlier.
The page then prompts the user to authorize an X app called “Calendar.” In reality, it’s a fake app with Cyrillic characters in the name. Once the user clicks “Allow,” hackers gain full control of the account. They can change settings, post tweets, follow users, and spread more phishing links.
MetaMask security researcher Ohm Shah confirmed the attack is “actively being used in the wild.” Victims include not only crypto developers but also other public figures, such as an OnlyFans model.
The main signs of compromise are the appearance of unknown apps in the X Connected Apps section and redirects to Calendly instead of Google Calendar. Experts advise immediately revoking permissions from any suspicious “Calendar” apps.
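As an added example (not from the original report), the Python sketch below audits a list of connected-app names for the trick described above: a name that looks like “Calendar” but contains Cyrillic letters. The sample names and the small lookalike map are constructed for illustration; an app whose name is written entirely in Latin letters can still be malicious, so this check covers only the character-substitution case.

```python
import unicodedata

# Small, hand-picked map of Cyrillic letters that render like Latin ones.
# Not exhaustive; Unicode's confusables.txt is the full reference.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0421": "C", "\u0410": "A", "\u0415": "E", "\u041e": "O",
}

def letter_scripts(name):
    """Return the set of scripts (LATIN, CYRILLIC, ...) used by letters in name."""
    scripts = set()
    for ch in name:
        if ch.isalpha():
            # Unicode character names start with the script,
            # e.g. "CYRILLIC SMALL LETTER A".
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts

def skeleton(name):
    """Fold known lookalikes to Latin and lowercase, for comparison."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in name).casefold()

def audit_connected_apps(app_names, watched=("Calendar",)):
    """Return (name, reason) for names that mix scripts or imitate a watched name."""
    watched_skeletons = {w.casefold() for w in watched}
    findings = []
    for name in app_names:
        scripts = letter_scripts(name)
        if len(scripts) > 1:
            findings.append((name, "mixed scripts: " + ", ".join(sorted(scripts))))
        elif scripts - {"LATIN"} and skeleton(name) in watched_skeletons:
            findings.append((name, "non-Latin lookalike of a watched name"))
    return findings

# Constructed sample list, as if copied from the Connected Apps page.
SAMPLE_APPS = [
    "Calendar",                # all Latin letters
    "C\u0430lend\u0430r",      # Cyrillic 'a' lookalike in place of Latin 'a'
    "\u041a\u0430\u043b\u0435\u043d\u0434\u0430\u0440\u044c",  # Russian word, one script
    "Example Scheduler",
]

if __name__ == "__main__":
    for name, reason in audit_connected_apps(SAMPLE_APPS):
        print(ascii(name), ":", reason)
```

Printing the name with `ascii()` exposes the substituted code points, which are otherwise indistinguishable on screen.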
According to Chainalysis, users lost more than $12 million to phishing in August alone. This new method highlights the growing sophistication of attacks, with criminals increasingly exploiting legitimate platform mechanisms, making scams harder to detect.
