X Plans to Auto-Lock Accounts at First Mention of Crypto in Bid to Crush Phishing Scams

X's Head of Product says the platform will automatically lock and require verification for any account mentioning cryptocurrency for the first time, targeting the wave of phishing-fueled account hijackings used to spread crypto scams.

Written By: MINRK

1. A New Line of Defense Against a Persistent Problem

Social media platform X is preparing a security measure that would automatically lock any account the moment it mentions cryptocurrency for the first time in its history, according to a public statement from the company's Head of Product, Nikita Bier. Affected accounts would remain inaccessible until the account holder completes an additional verification process. The goal is to disrupt what has become one of the most reliably profitable tactics in the online fraud landscape: stealing legitimate user accounts and converting them into temporary vehicles for crypto scam promotion.

The announcement was made by Bier in a direct response to a user who had publicly documented how their account was compromised and used to push fraudulent tokens. It signals that X is shifting from reactive enforcement — removing scam posts after the fact — toward preventive friction applied at the moment the attack is executed.

2. The Phishing Pipeline That Makes It Possible

To understand why the auto-lock measure is being designed the way it is, it helps to trace the sequence that typically leads to a compromised account being used to spread crypto fraud. The starting point is almost always a phishing email — in the current wave, these are crafted to impersonate copyright violation notices from X itself. Recipients are warned that their accounts are at risk of suspension or deletion for alleged content violations, and are directed to a linked page where they can contest the claim.

That linked page is a precision-engineered replica of X's login interface. When the target enters their username, password, and two-factor authentication code on the fake page, those credentials are captured in real time by the attacker, who uses them immediately, while the one-time code is still valid, to open an authentic session and hijack the account. The attacker locks the legitimate user out by changing the recovery email and phone number, then begins using the account to post scam content — typically fake token launches, fraudulent airdrops, or "double your money" cryptocurrency offers — before the original owner can regain access or the platform can detect the misuse.

Because the account being used for the scam has an established history and genuine followers, the fraudulent content carries a level of apparent credibility that newly created fake accounts cannot replicate. This is the specific dynamic the auto-lock mechanism is designed to interrupt.

3. Bier's Statement and the Logic Behind the Feature

Bier confirmed the upcoming feature in a post on X in response to a detailed account shared by Benjamin White, founder of the prediction market platform Predictfully, who described having his account stolen and used to promote scam tokens. Bier wrote that X is in the process of implementing automatic locking and verification for any account that posts about cryptocurrency for the first time in the history of that account. He characterized the measure as targeting the core economic incentive that makes these attacks worth conducting. His assessment was that it should eliminate roughly 99% of the motivation for the current wave of phishing attacks directed at X accounts.

The logic is straightforward. The value of a hijacked account to a scammer depends almost entirely on the ability to immediately post crypto-related content to the account's followers. If that action now triggers an automatic lock and a verification requirement before the post is visible or the account can continue operating, the scammer's window of exploitation collapses. The effort required to compromise an account no longer produces a usable promotional vehicle.

Bier also directed pointed criticism at Google, noting that the phishing emails driving the current wave are being delivered through Gmail without meaningful intervention from Google's spam and fraud detection systems. He characterized the lack of action on Google's side as a contributing factor to the scale of the problem, suggesting that platform-level defenses on X's end are being forced to compensate for filtering failures upstream.

4. The Anatomy of a Typical Crypto Scam on X

Crypto scams on X have evolved considerably in sophistication since the platform's early days as Twitter. The current generation of attacks exploits several compounding factors that make them more effective and harder to counter than earlier iterations.

Account age and follower count are central to the scheme's effectiveness. An account that has existed for years and accumulated thousands of followers is far more convincing as a source of crypto news, token announcements, or giveaway promotions than a newly created account. Scammers know this and specifically target established accounts rather than creating new ones, because the social credibility of the compromised account does a significant portion of the persuasion work.

The irreversibility of cryptocurrency transactions compounds the damage. In traditional financial fraud involving bank transfers or credit card payments, victims have recourse through chargebacks, dispute processes, and regulatory protections. Cryptocurrency transfers have no equivalent mechanism. Once funds are sent to a scammer's wallet, they are gone. This makes the harm from even a brief window of fraudulent posting disproportionately severe, and it explains why even temporary access to a legitimate account is worth significant effort to obtain.

5. The 2020 Precedent That Still Resonates

The most high-profile demonstration of the damage that account hijacking combined with crypto fraud can cause occurred in July 2020, when attackers gained access to Twitter's internal administrative tools and used them to seize control of some of the platform's most prominent accounts. Accounts associated with Apple, Barack Obama, Elon Musk, and numerous other major public figures and brands were simultaneously taken over and used to post bitcoin giveaway scams. The operation netted the perpetrators more than $100,000 in bitcoin before it was contained.

That incident highlighted how the crypto scam model scales when applied to highly credible accounts, and it created lasting awareness within the platform's security teams about the specific risks posed by the combination of account compromise and crypto promotion. The current wave of phishing-based attacks represents a decentralized version of the same model — rather than requiring access to internal systems, attackers use social engineering at scale to compromise individual accounts one at a time, achieving collectively similar outcomes without the technical complexity.

6. How the Auto-Lock Feature Targets the Attack's Weak Point

The design of the proposed feature reflects a precise understanding of where in the attack sequence friction will be most effective. Rather than attempting to identify and remove scam content after it has been posted — an inherently reactive and often slow process — the auto-lock approach interrupts the scammer's workflow at the moment they attempt to execute the fraudulent promotion.

When a hijacked account attempts to post content mentioning cryptocurrency for the first time, the automatic lock activates before the post is published or reaches followers. The account is suspended pending verification, which requires the legitimate account owner to confirm their identity through a separate channel. For the scammer, who by definition does not have access to the verification pathway tied to the original owner's identity, this creates an insurmountable barrier. The account becomes useless for its intended purpose the moment the lock triggers.

The feature does introduce a degree of friction for legitimate users posting about cryptocurrency for the first time on their accounts. Those users would need to complete a verification step before their post is published. This is a deliberate design trade-off — accepting some inconvenience for legitimate new crypto discussants in exchange for making the attack model structurally unworkable.
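The gating logic this section describes, as a simplified Python model added here for illustration. It is not X's code: the article leaves the real trigger definition and the verification channel unspecified, so the trigger vocabulary, the wallet-address pattern, the account handles and the verification outcomes below are all constructed assumptions. The model tracks whether an account has ever posted crypto-related content, holds the first such post, locks the account until the owner confirms out of band, and lets the owner discard held posts that were not theirs.

```python
"""Hypothetical first-crypto-mention gate (illustrative model, not X's implementation)."""
from dataclasses import dataclass, field
import re

# Constructed trigger signals: a small keyword list plus wallet-address shapes.
# The real definition of "cryptocurrency-related" content is not public (assumption).
CRYPTO_TERMS = {"bitcoin", "btc", "ethereum", "eth", "crypto", "airdrop",
                "token", "presale", "nft", "solana"}
WALLET_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b"                      # EVM-style address
                       r"|\b(?:bc1|[13])[a-zA-HJ-NP-Z0-9]{25,62}\b")  # bitcoin-style address


def is_crypto_related(text: str) -> bool:
    """Return True if the post carries any of the constructed crypto signals."""
    words = set(re.findall(r"[a-z0-9]+", text.lower()))
    return bool(words & CRYPTO_TERMS) or WALLET_RE.search(text) is not None


@dataclass
class Account:
    handle: str
    has_posted_crypto: bool = False   # "first time in the history of the account"
    locked: bool = False
    held: list = field(default_factory=list)       # posts withheld from followers
    published: list = field(default_factory=list)  # posts that reached followers


class FirstMentionGate:
    def __init__(self):
        self.accounts = {}

    def account(self, handle: str) -> Account:
        return self.accounts.setdefault(handle, Account(handle))

    def post(self, handle: str, text: str) -> str:
        """Gate a post: the first crypto-related post locks the account before publishing."""
        acct = self.account(handle)
        if acct.locked:
            acct.held.append(text)              # nothing leaves a locked account
            return "held_account_locked"
        if is_crypto_related(text) and not acct.has_posted_crypto:
            acct.locked = True
            acct.held.append(text)
            return "locked_pending_verification"
        acct.published.append(text)
        return "published"

    def verify(self, handle: str, owner_confirmed: bool, keep_held: bool) -> str:
        """Out-of-band owner verification (channel not modelled). A hijacker, who lacks
        the owner's verification path, passes owner_confirmed=False and stays locked.
        keep_held=False means the owner disowns the held posts; the gate then stays
        armed, because the account still has no genuine crypto history."""
        acct = self.account(handle)
        if not acct.locked:
            return "not_locked"
        if not owner_confirmed:
            return "still_locked"
        acct.locked = False
        if keep_held:
            acct.published.extend(acct.held)
            acct.has_posted_crypto = True
        acct.held.clear()
        return "unlocked"


def run_scenarios() -> dict:
    """Constructed scenarios covering the legitimate path, a hijack, and two caveats."""
    gate, out = FirstMentionGate(), {}
    # 1. Legitimate user discussing crypto for the first time: one-time friction only.
    out["legit_first"] = gate.post("alice", "Finally read the Bitcoin whitepaper, thoughts later")
    out["legit_verify"] = gate.verify("alice", owner_confirmed=True, keep_held=True)
    out["legit_second"] = gate.post("alice", "ETH gas fees are wild today")
    # 2. Hijacked account with no crypto history: the scam post never reaches followers.
    gate.post("bob", "Great hike this weekend")
    out["hijack_post"] = gate.post("bob", "Huge airdrop! Send 0.1 BTC to bc1q... and get 0.2 back")
    out["hijack_attacker_verify"] = gate.verify("bob", owner_confirmed=False, keep_held=True)
    out["hijack_retry"] = gate.post("bob", "Last chance, presale ends tonight")
    out["hijack_owner_verify"] = gate.verify("bob", owner_confirmed=True, keep_held=False)
    out["bob_published"] = list(gate.account("bob").published)
    out["bob_still_armed"] = not gate.account("bob").has_posted_crypto
    # 3. Caveat: an account that already has crypto history is not protected by this gate.
    gate.post("carol", "Bitcoin is up today")
    gate.verify("carol", owner_confirmed=True, keep_held=True)
    out["history_scam"] = gate.post("carol", "Double your ETH: send to 0x" + "a" * 40)
    # 4. Caveat: a non-crypto use of a trigger word produces friction for an innocent user.
    out["false_positive"] = gate.post("dave", "Rotated my API token this morning")
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The scenarios make the trade-offs discussed in the article concrete: the hijacked account's scam post is held and the attacker's verification attempt fails, so nothing reaches followers, while the owner can later disown the held posts and leave the gate armed. They also show the two limits a defender would want to keep in view: the gate does nothing for accounts that have already posted about crypto, and a keyword-only trigger locks a user who merely mentions an API token, which is exactly why the definition of "cryptocurrency-related" matters.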

7. Criticism of Google's Role in Enabling the Attacks

Bier's public comments placing partial responsibility for the current phishing wave on Google's failure to block the fraudulent emails represent an escalation of a broader industry conversation about the division of responsibility for online fraud prevention. The phishing emails that initiate the account takeover process are delivered through Gmail, and Bier's statement implies that Google's anti-spam and fraud detection systems are failing to catch them before they reach users' inboxes.

The criticism reflects a real structural challenge in combating phishing at scale. The emails are designed to appear legitimate — they mimic official platform communications closely enough to bypass automated detection thresholds that would catch obviously fraudulent messages. Defeating them requires either more sophisticated email-level detection on Google's side, or countermeasures at the point where the compromised accounts are used, which is the approach X is now pursuing. Bier's public comments suggest that coordination between the two platforms on this issue has not produced sufficient results, and that X is proceeding with its own defensive measures in the absence of upstream remediation.

8. Wider Context: The Scam Ecosystem on X

The specific phishing tactic driving the current response is one variant within a broader and persistent ecosystem of crypto fraud activity on X. The platform has historically been a favored channel for various forms of cryptocurrency-related deception. Impersonation accounts — profiles mimicking the appearance of well-known figures, major crypto companies, or prominent investors — routinely appear despite the platform's verification systems and are used to distribute links to fake token sales, fraudulent exchanges, or credential-harvesting sites.

The "double your money" format, in which users are invited to send cryptocurrency to a specified address in exchange for a promised larger return, has proven durable precisely because it exploits the combination of social proof and urgency. Posts made from accounts with genuine credibility, either compromised accounts or convincingly spoofed ones, generate enough engagement before removal to deliver a return to the operators. Because the proceeds arrive as cryptocurrency, the revenue is difficult to trace and effectively impossible to recover.

Mass-tagging — where scam accounts simultaneously mention dozens of users in a single post to maximize initial reach — has also been a persistent tactic. Bier separately indicated in his response thread that this behavior should already be suppressed under existing platform rules, suggesting that enforcement of those rules has not been fully effective.

9. Implications for Legitimate Crypto Users and Projects

The auto-lock measure will have practical consequences for users, projects, and companies that are genuine participants in the crypto space. Any account that has not previously posted about cryptocurrency on X — including dormant accounts reactivated by their original owners, newly created accounts by legitimate businesses or individuals entering the crypto space, or accounts belonging to users who simply have not historically discussed the topic — will encounter the verification friction when they first attempt to do so.

For individual users, this is a one-time process and represents a relatively minor inconvenience. For crypto projects or companies launching promotional campaigns on X that involve accounts posting about cryptocurrency for the first time, the delay could require additional planning to ensure verification steps are completed before time-sensitive announcements. The measure represents an explicit prioritization of security over frictionless experience for new crypto discussants — a trade-off that the scale of the current fraud problem appears to justify from X's perspective.

10. What Remains to Be Seen

Bier's announcement establishes the intent and general mechanism of the feature, but several implementation details have not yet been publicly clarified. The specific definition of "cryptocurrency-related" content that triggers the lock — whether it applies to any mention of terms like bitcoin or Ethereum, to links referencing crypto platforms, or to a broader range of signals — will significantly influence both the feature's effectiveness and its impact on legitimate users.

The verification process that locked accounts must complete has also not been described in detail. The robustness of that process against attackers who have gained access to some account recovery information will determine whether sophisticated adversaries can circumvent the lock by completing verification on behalf of the original account owner. And the timeline for deployment has not been specified, leaving the current wave of phishing attacks unaddressed in the near term. What is clear is that X has acknowledged the systemic nature of the problem and committed to a structural response — one that, if implemented as described, would fundamentally change the economics of the account-hijacking-to-crypto-scam pipeline that has plagued the platform for years.
