Earlier today, Coinmarketcap posted a token contract address in a post that resembled those aggressive token promoters often share after hijacking social media accounts. The post raised fears of a possible hack, as it appeared the account had been compromised to create hype and exposure for a scam token.
Coinmarketcap’s X account looked to have been compromised when it displayed a contract address (CA) for an unknown token for over 50 minutes.
It turned out the crypto market aggregator used its X platform to warn users that it has no official token and will not promote it with a direct link. The data platform did not lose access to its account, instead warning its community that the link could have easily been malicious.
1xCh3ck0utTh32o2425CmcY3Ar8o0kR1gHtn0w2vpump
— CoinMarketCap (@CoinMarketCap) January 15, 2025
In this case, Coinmarketcap demonstrated how attacks often happen. The CA, “1xCh3ck0utTh32o2425CmcY3Ar8o0kR1gHtn0w2vpump,” does not lead to a token. Instead, it links to the CMC crypto yearbook.
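The posted string has the length of a Solana address but is not one: Solana addresses are Base58-encoded 32-byte public keys, and the string contains the digit 0, which Base58 excludes. The following is an added example, not code from Coinmarketcap or from the original article, of an offline check that could run before a pasted CA is handed to a trading bot; the function names are assumptions made for illustration.

```python
# Added example: offline sanity check for a string posted as a Solana "CA".
# Base58 (Bitcoin alphabet) omits 0, O, I and l to avoid look-alike characters.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

POSTED = "1xCh3ck0utTh32o2425CmcY3Ar8o0kR1gHtn0w2vpump"  # string from the post
SYSTEM_PROGRAM = "1" * 32  # Solana System Program id, a known valid address


def b58decode(s):
    """Decode Base58 text to bytes; raise ValueError on a foreign character."""
    n = 0
    for ch in s:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not in the Base58 alphabet")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes one leading zero byte.
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def check_solana_address(s):
    """Return (ok, reason). ok only means the string is a well-formed address."""
    s = s.strip()
    if not 32 <= len(s) <= 44:
        return False, f"length {len(s)} outside 32..44"
    try:
        raw = b58decode(s)
    except ValueError as exc:
        return False, str(exc)
    if len(raw) != 32:
        return False, f"decodes to {len(raw)} bytes, expected 32"
    # A well-formed address is not evidence that the token behind it is safe.
    return True, "well-formed 32-byte address"


if __name__ == "__main__":
    for label, value in (("posted", POSTED), ("system program", SYSTEM_PROGRAM)):
        print(label, check_solana_address(value))
```

A length-only check would accept the posted string, since it is 44 characters long; the alphabet check is what rejects it.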
Impersonation attacks on X are common, and most services recover their accounts afterward. However, account thefts can be very expensive, especially if they are used to distribute wallet-draining links.
The Coinmarketcap impersonation drill came just days after the Litecoin account suffered a similar attack. Other recent hijacked accounts include PokerGPT and DAWN (@dawninternet).
Reports point to a dozen X accounts compromised over the weekend, usually due to exploited logs on different devices.
X account hacks have become more common, affecting even prominent accounts like OpenAI.
The attackers have switched from promoting Ethereum to Solana tokens. The chain allows for much easier token creation, either through Pump.fun or through a smart contract. The extremely low fees on Solana and the prevalence of trading bot users help attackers quickly gain more liquidity from FOMO buyers.
The link distribution relies on the culture of sniping tokens early, often using bots to automate the process.
Some of the recent account hijackings include WebWeaver. In that case, the attacker launched a live token, reaching the end of the bonding curve in 10 minutes and immediately rug-pulling all liquidity. The exploit was extremely fast and targeted, relying on the initial reaction of automated sniping. Since then, the REPLICATE token has been completely abandoned.
Usually, risky tokens or other types of rug pulls or honeypots will only take minutes or seconds to inflict damage. Hacking a high-profile account can quickly increase traffic to the assets launched on other platforms.
Traders will probably become more skeptical of these types of attacks the more the pattern is repeated.
The token address posted in Coinmarketcap’s recent test was not dangerous or malicious. In other cases, hijacked X accounts may post riskier wallet-drainer links, requiring a wallet connection.
For Ethereum users, the exposed wallets can be secured by revoking permissions. However, once a Solana wallet is exposed, it remains at risk and the user needs to migrate to a new address.
The initial trend of posting CAs still required traders to engage with the token. Investigators noted the trend had shifted, and some of the hijacked accounts posted links requiring Telegram login credentials. While this looks safer than connecting a wallet, such malicious logins can steal private Telegram information.
Using that data, hackers can hijack a user’s Telegram account and drain the funds of any trading bots linked to a wallet.
Those attacks still rely on users not noticing the threat, with almost no active engagement from the hackers. A riskier type of attack often includes chats with attackers, who convince users to download malicious links.
A recent attack identified by ScamSniffer includes a fake Cloudflare verification. Users may also be urged to open the command prompt and use ‘clipboard verification,’ which pastes a command line to download a malicious file.