April 04, 2026 ChainGPT

X Auto-Locks Accounts on First Crypto Post to Thwart Hijacked Token Scams

Elon Musk’s X is rolling out a blunt new defense against one of crypto’s nastiest scams: accounts that suddenly start promoting fraudulent tokens after being hijacked. The platform will now automatically lock any account the first time it posts about cryptocurrency, forcing a quick verification step before the user can post again. X says the change is designed to snuff out the incentive for attackers who steal access and immediately monetize followers with scam tokens, fake giveaways, and memecoins.

How it works

- The auto-lock triggers on an account’s first-ever crypto-related post. Once that trigger fires, the account is locked and the owner must complete additional verification to resume posting.
- X says long-term users who’ve never mentioned crypto will be able to regain access quickly after they verify, but the extra step stops hijacked profiles from being weaponized instantly.

Why X is doing this

Security lead Bier framed the feature as a fix for the platform’s core attack vector: phishing emails and fake login pages that harvest credentials and two-factor codes, letting attackers lock out real owners and exploit the account’s follower trust. “This should kill 99% of the incentive,” Bier wrote in response to a user’s account of losing their profile after falling for a pixel-perfect phishing page.

Bier also publicly blasted Google for letting phishing emails slip into Gmail inboxes, calling the auto-lock “a platform-level workaround” for a problem originating with email providers: “Google isn’t doing shit to stop the phishing,” he wrote.

Context and stakes

Crypto-related account hijackings have plagued X since the Twitter era, and the new auto-lock builds on earlier attempts to curb mention-spam and coordinated crypto-promotion networks. The U.S. Federal Trade Commission has documented how social-media crypto scams have ballooned into a multi-billion-dollar problem, driven in part by the irreversibility of on-chain transfers that make stolen funds nearly impossible to recover.

Limitations and criticism

Security experts and users have pointed out two major limits:

- The auto-lock intervenes only after a user’s first crypto post, so it doesn’t stop the initial phishing that enabled the takeover. If email providers don’t block phishing upstream, attackers can still compromise accounts.
- The rule can create friction for legitimate users making their first crypto-related post, though X says the verification will be brief for genuine accounts.

Why it matters now

Crypto exploit totals have trended down in recent months—February 2026 recorded the lowest monthly losses since March 2025—but high-profile incidents like this week’s $285 million Drift Protocol exploit show headline risk remains acute. X’s auto-lock targets one high-volume, high-impact attack vector by breaking the link between account access and immediate monetization via crypto promotions. It won’t solve every form of crypto fraud, but it could blunt a very profitable tactic that has fueled countless scams.