A financial scam exploiting a vulnerability in X/Twitter’s advertising system has been uncovered. Cybersecurity researchers found that attackers were using trusted domain names, such as CNN.com, in ad display URLs while redirecting victims to cryptocurrency scam websites. This attack relies on a loophole in X/Twitter’s URL handling, allowing malicious actors to display one domain to crawlers while sending users to a completely different site. On May 1, 2025, a fraudulent advertisement for the “Apple iToken” cryptocurrency was spotted, misleading users into clicking links that led to scam websites designed to steal funds.
The fraudulent ads gave a false sense of legitimacy by displaying “From CNN.com” in the URL, though the link ultimately redirected users to fake cryptocurrency investment sites. These scam sites even featured Apple branding and fabricated endorsements from Apple CEO Tim Cook to enhance their credibility. Silent Push researchers, who discovered the attack, traced the infrastructure back to nearly 90 similar websites that had been active since 2024, all targeting cryptocurrency investors with false promises of a new Apple digital token.
This evolution in social media-based financial scams reflects the growing sophistication of cybercriminals.
The attackers utilized a multi-stage redirection process to bypass X/Twitter’s verification system and ensure their advertisements appeared legitimate. Initially, the attackers used a URL shortener like Bitly to link to a trusted site like CNN.com, which was then displayed in the ad. However, after X/Twitter’s crawler validated the URL, the attackers would change the destination URL to their malicious site, maintaining the illusion of a legitimate link. This technique effectively circumvented X/Twitter’s checks and led users to phishing sites like “ipresale.world” and “itokensale.live.”
Technical analysis revealed that the scam operation used multiple unique cryptocurrency wallet addresses, making it difficult to trace or attribute the attack. Each fraudulent website featured a different wallet address for users to send funds, further complicating the investigation. The persistence of this scam, despite public knowledge of similar attacks, highlights how cybercriminals are continually evolving their tactics. Researchers emphasized the need for heightened security measures on social media platforms to address such vulnerabilities and protect users from evolving financial threats.
Reference:
