Hackers Impersonate X Staff Using Compromised Scroll Founder Account: A Stark Reminder of Crypto’s Security Paradox

Author: Cryptonews
Published: 2026-01-25 11:49:27

Another day, another high-profile hack—this time, the exploit didn't target a protocol's code, but its human layer. Attackers, wielding a compromised social media account belonging to a Scroll founder, posed as platform staff to launch a sophisticated phishing campaign.

The Anatomy of a Social Engineering Attack

Forget brute-force attacks on smart contracts. This operation was a masterclass in psychological manipulation. By hijacking a trusted voice within the ecosystem, the bad actors bypassed the natural skepticism of their targets. The message? Even the most technically sound projects are vulnerable where flesh meets keyboard.

The Persistent Weak Link

Layer 2s like Scroll promise scalability and security, building fortresses on Ethereum's foundation. Yet, the front door—social media, Discord, Telegram—remains guarded by a single, often reused, password. It's the crypto equivalent of installing a vault door on a tent. The industry pours billions into consensus mechanisms while personal account security gets a shrug and a 'maybe later.'

A Costly Lesson in Trust

While the immediate financial damage is still being tallied, the real cost is eroded confidence. Every such incident is a gift to regulators itching to paint the entire space as a lawless frontier. It fuels the narrative that for all its decentralized idealism, crypto still has a massive, centralized point of failure: us.

So, next time you're dazzled by a project's TVL or its roadmap to a zk-future, remember: the flashiest tech stack can be undone by a single phishing link. In crypto, the most volatile asset isn't the token—it's human vigilance. And as any good trader knows, that's a chart that's looking dangerously bearish.

[Image: Scroll Founder Account Hack - Changed Profile Info. Screenshot from X]

The attackers flooded the feed with reposts from X’s verified accounts to enhance perceived legitimacy, then launched their phishing campaign via direct messages.

Sophisticated Attack Mirrors Growing Pattern

The breach follows established tactics where hackers exploit trusted accounts to distribute malicious links disguised as urgent platform notifications.

Recipients received messages appearing to come from X’s rights management team, complete with fake compliance warnings and time-sensitive appeals processes designed to create panic and bypass security awareness.
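A defensive check for links arriving in messages like these, added here as an example and not part of the original article: it parses the URL and compares the real host against an allowlist, next to the substring check a hurried reader effectively performs. The allowlist of X-operated domains and all sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: registrable domains treated as genuinely X-operated.
OFFICIAL_DOMAINS = {"x.com", "twitter.com", "t.co"}


def naive_is_official(url: str) -> bool:
    """Weak check: the brand string appears somewhere in the URL."""
    return "x.com" in url


def is_official(url: str) -> bool:
    """Strict check: HTTPS only, and the parsed host must be an official
    domain or a subdomain of one."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        return False
    if parts.scheme != "https" or not host:
        return False
    # Treat non-ASCII and punycode hosts as look-alikes rather than decode them.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


# Constructed sample links: (url, should_be_trusted)
SAMPLES = [
    ("https://help.x.com/en/rules-and-policies", True),
    ("https://x.com/settings/security", True),
    ("https://x.com.appeal-center.example/case/1", False),        # brand as subdomain
    ("https://x.com@appeal-center.example/case/1", False),        # brand in userinfo
    ("https://appeal-center.example/?next=https://x.com/", False),  # brand in query
    ("http://x.com/login", False),                                # no TLS
    ("https://xn--80a.com/appeal", False),                        # punycode label
    ("https://support-x.com/appeal", False),                      # hyphenated look-alike
]


def audit(samples=SAMPLES):
    """Return (url, expected, strict_verdict, naive_verdict) per sample."""
    return [(u, exp, is_official(u), naive_is_official(u)) for u, exp in samples]


if __name__ == "__main__":
    for url, expected, strict, naive in audit():
        print(f"{url:58} expected={expected} strict={strict} naive={naive}")
```
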

Blockchain security researcher Wu Blockchain first identified the compromise and alerted the community to ignore any communications from the account.

The warning emphasized particular concern given Chen’s extensive network of high-profile cryptocurrency executives, developers, and investors who might trust messages from his verified account.

Scroll co-founder @shenhaichen's X account has been hacked and is currently sending phishing private messages impersonating X employees. This account has a large following among prominent figures in the crypto industry; the community and users are advised to be aware of the… pic.twitter.com/ctXk2G0bQm

— Wu Blockchain (@WuBlockchain) January 25, 2026

The attack represents the latest escalation in social media compromises targeting crypto industry leaders, in which hackers increasingly leverage delegated account access and expired domain registrations to bypass security measures, including two-factor authentication.

Industry Faces Relentless Social Engineering Wave

BNB Chain’s official account suffered a similar breach in October when hackers posted fake reward programs with phishing links after Binance co-founder CZ warned followers against clicking suspicious content.

The compromised account promoted fraudulent BSC token distributions, promising early payouts to users who voted on reward dates through malicious URLs designed to drain digital wallets.

Binance co-CEO Yi He’s WeChat account was also hijacked in December to promote meme coin schemes, with attackers conducting a coordinated pump-and-dump operation around the token MUBARA.

Two wallets created hours before the breach accumulated 21.16 million tokens before dumping holdings as retail traders flooded in, netting attackers approximately $55,000 while leaving later buyers exposed to price collapse.

🚨Changpeng Zhao @cz_binance warned that new co-CEO Yi He’s @heyibinance abandoned WeChat account was hacked and used to push a meme coin called MUBARA. #Binance #Memecoins https://t.co/sdyH325OMD

— Cryptonews.com (@cryptonews) December 10, 2025

Among other notable accounts hacked were ZKsync and Matter Labs, which were compromised in May through what the team described as “” with limited posting privileges.

Hackers published false claims about an SEC investigation alongside fake airdrop promotions, triggering a 5% drop in the ZK token price despite a prior 38.5% weekly rally.

The prominent crypto media company Watcher.Guru also confirmed a breach of its account in March, after fake Ripple-SWIFT partnership claims spread across connected Telegram, Facebook, and Discord channels through automated content bots.

The team suspects the compromise originated from a suspicious link containing unusual query strings shared in their Telegram group weeks earlier.

Record Theft Year Exposes Escalating Threats

The crypto ecosystem witnessed over $3.4 billion stolen in 2025, according to Chainalysis’s 2026 Crypto Crime Report, with North Korean state-backed hackers accounting for a record $2.02 billion across fewer but increasingly sophisticated attacks.

[Image: Scroll Founder Account Hack - Chainalysis Chart. Source: Chainalysis]

The Democratic People’s Republic of Korea now represents 76% of all service compromises, bringing cumulative DPRK cryptocurrency theft to $6.75 billion since operations began.

Personal wallet compromises surged to 158,000 incidents affecting at least 80,000 unique victims, triple the 54,000 cases recorded in 2022.

Address poisoning scams drove December’s single-largest loss, when one victim transferred $50 million to a fraudulent wallet mimicking their intended destination, while private key leaks resulted in $27.3 million stolen from multi-signature wallets.

Personal Security Breaches Surge Across Platforms

Most recently, Ubuntu developer Alan Pope warned that attackers are hijacking Snap Store publisher accounts by registering expired domains linked to legitimate developers, then pushing malicious updates to previously trusted packages.

The technique exploits automatic update systems and established trust signals, with at least 2 confirmed cases of wallet-stealing malware distributed through seemingly normal applications.

⚠ Hackers are exploiting trusted Snap Store packages to steal cryptocurrency by hijacking existing publisher accounts. #Hack #Crypto https://t.co/YV5Yoiwb0F

— Cryptonews.com (@cryptonews) January 21, 2026

Given these growing, multifaceted attack vectors, Better Business Bureau officials are warning consumers about phishing campaigns that lock X users out of their accounts, which are subsequently used for cryptocurrency promotions.

Kentucky journalist Jennie Rees described receiving direct messages from apparent colleagues requesting contest votes, only to find her account posting fake Audi purchase claims tied to crypto earnings after clicking the malicious link.
