
Feb 27, 2025
15 mins read

The FalconFeeds X Account Takeover: How Hackers Bypassed MFA and Ran a Crypto Scam

Cover Image of blog (pxfuel.com)

Introduction


On the evening of January 23, 2024, FalconFeeds.io—one of the most trusted names in cybersecurity threat intelligence—became the target of a sophisticated cyberattack. For over seven hours, our official X (formerly Twitter) account was under the control of cybercriminals, who used it to promote a fraudulent cryptocurrency giveaway. Despite having Multi-Factor Authentication (MFA) enabled, attackers managed to bypass security controls and post scam messages at an alarming rate. This attack was not an isolated event but part of a broader campaign targeting high-profile accounts. Here, we break down what happened, how it happened, and the critical lessons learned.

The Incident Analysis: Takeover of FalconFeeds' X Account


At 6:00 PM PST on January 23, 2024, FalconFeeds' X account was compromised. Within minutes, the attackers had full control, using the account to spread crypto scam messages.

The Attack Timeline

  • January 23, 2024, 6:00 PM PST – First signs of compromise detected.
  • January 23, 2024, 6:05 PM PST – January 24, 2024, 1:30 AM PST – Continuous scam posts published (one per minute).
  • January 24, 2024, 1:52 AM PST – Attackers changed the account's email to "[email protected]."
  • January 24, 2024, 8:08 AM PST – Email reverted from "[email protected]."
  • January 24, 2024, 5:21 PM PST – Email changed back to "******@falconfeeds.io."

During the attack window, over 400 scam posts were published, redirecting users to a malicious website: "mstr-x2-giveaway[.]com".

Screenshot of tweet from Falconfeeds X platform

Account Compromise Details


  • Account Email: ******@falconfeeds.io
  • Username: FalconFeedsio
  • Account ID: 1554426222876426242
  • Account Created: August 2, 2022


Indicators of Compromise (IoCs)


1. Malicious Domains

  • mstr-x2-giveaway[.]com
  • saylor-giveaways[.]com
  • saylorgiveaway[.]com
  • saylorgiveaway[.]net
  • saylor-x2giveaway[.]com
  • Additional domains targeting brands like SpaceX, MicroStrategy


2. Suspicious Email and Phone Number


3. Device Tokens Identified

  • 279kiaG30eUrgqYhAczfAskzi7mSMYrvhohnOoN0 (Created: January 24, 2025)
  • NfPMtCaN8QLyfcNSzl6A0a9PIK29R574tGfGTguQ (Created: January 24, 2025)


Attack Analysis


The attackers exploited vulnerabilities in the connected applications, particularly through unauthorized device tokens generated via "Twitter Web App (Twitter Inc)" and "Twitter for iPhone." Despite MFA, they managed to bypass security measures, likely using session hijacking or exploiting OAuth-related flaws.

The account email was changed multiple times, indicating persistent attempts to maintain access. Fraudulent tweets promoted crypto scams using deepfake images of Michael Saylor, redirecting to malicious domains linked to prior scams.


Potential Attack Phases Identified


1. Initial Compromise (Recon Phase):

  • IPs: 152.58.245.11, 152.58.245.229
  • Actions: Likely credential stuffing or phishing attempts to gain access.


2. Privilege Escalation (Takeover Phase)

  • IPs: 152.58.245.32, 152.58.245.33, 152.58.245.44
  • Actions: Email change to attacker-controlled address, device token generation.


3. Persistence Phase (Post-Incident Access Attempts)

  • IPs: 152.58.245.155, 152.58.245.62
  • Actions: Attempts to regain access after account recovery measures were initiated.
  • Session Hijacking: There is strong evidence suggesting the user account was compromised via stolen browser cookies from the employee's laptop. This allowed the attacker to maintain access without re-authentication, bypassing 2FA protections.


A Well-Orchestrated Scam


The fraudulent posts were strategically designed to look convincing:

  • They mimicked financial promotions, appearing as if they were official MicroStrategy Bitcoin giveaways.
  • They included deepfake images of Michael Saylor to add legitimacy.
  • They contained high-visibility crypto-related hashtags to amplify reach: $BTC, $ETH, #Bitcoin, #Ethereum, $XRP, $TRUMP, #MicroStrategy.

The goal was simple: trick FalconFeeds' followers into clicking the link and steal their cryptocurrency.


How Did This Happen? The MFA Bypass Mystery


One of the biggest concerns surrounding this attack was how the attackers gained access despite MFA. After extensive forensic analysis, the most likely culprit was identified: session hijacking.


What is Session Hijacking?

Session hijacking occurs when an attacker steals an active session token, allowing them to access an account without needing a password or MFA code.


How Did They Get In?

  1. Phishing or Social Engineering – The attacker likely used a fake login page to steal credentials and session tokens.
  2. Session Token Theft – Once a session was hijacked (possibly via a malware tool or browser exploit), the attacker could log in without triggering MFA.
  3. Email Change for Persistence – The attacker changed the account email to maintain access even if detected.


This bypassed all traditional security measures, giving them full control over the account for over seven hours.
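The hijacked-session pattern described in the attack phases and in the steps above leaves traces an account owner can look for. The following added example (not FalconFeeds or X code) runs simple checks over a constructed audit log: a device token created from an IP that never completed an MFA login, an email change from such an IP, and the one-post-per-minute burst seen in this incident. The log format, IP addresses (RFC 5737 ranges) and token name are assumptions, not the page's IoCs.

```python
"""Account-takeover signals in an X-style account audit log.
Added example, not FalconFeeds or X code. The log, IPs (RFC 5737 ranges)
and token names below are constructed placeholders, not the page's IoCs."""
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-01-23T17:55:00|login|203.0.113.10|mfa=ok
2024-01-23T18:00:00|device_token_created|198.51.100.7|token=TOKEN_A
2024-01-23T18:05:00|post|198.51.100.7|id=1
2024-01-23T18:06:00|post|198.51.100.7|id=2
2024-01-23T18:07:00|post|198.51.100.7|id=3
2024-01-23T18:08:00|post|198.51.100.7|id=4
2024-01-24T01:52:00|email_changed|198.51.100.9|to=attacker@example.invalid
"""
POST_RATE_LIMIT = 3   # more than this many posts in 5 minutes is treated as a burst

def parse(log_text):
    """Each line is 'timestamp|event|ip|detail'."""
    events = []
    for line in log_text.splitlines():
        ts, event, ip, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), event, ip, detail))
    return events

def detect(events, rate_limit=POST_RATE_LIMIT):
    """Return (timestamp, reason) alerts. An IP is trusted only once it has
    completed an MFA login; a replayed session cookie never does that."""
    alerts, mfa_ips, recent_posts = [], set(), []
    for ts, event, ip, detail in events:
        if event == "login" and "mfa=ok" in detail:
            mfa_ips.add(ip)
            continue
        fresh_ip = ip not in mfa_ips
        if event == "device_token_created" and fresh_ip:
            alerts.append((ts, f"new device token from IP {ip} with no MFA login"))
        elif event == "email_changed" and fresh_ip:
            alerts.append((ts, f"email changed from IP {ip} with no MFA login ({detail})"))
        elif event == "post":
            recent_posts = [t for t in recent_posts if ts - t <= timedelta(minutes=5)]
            recent_posts.append(ts)
            if len(recent_posts) > rate_limit:
                alerts.append((ts, f"{len(recent_posts)} posts in 5 minutes from IP {ip}"))
    return alerts

if __name__ == "__main__":
    for ts, reason in detect(parse(SAMPLE_LOG)):
        print(ts.isoformat(), reason)
```

On the constructed log this yields three alerts: the unfamiliar device token, the fourth post inside five minutes, and the email change.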


What We Discovered: A Well-Coordinated Cybercriminal Operation


As the investigation unfolded, it became clear that this was not an isolated incident. Other verified X accounts had been compromised in the same way, all promoting similar cryptocurrency scams.

Screenshot of tweet from X platform

Screenshot of tweet from X platform

The Malicious Domain Network


The scam website used in the attack, mstr-x2-giveaway[.]com, was linked to a broader network of fraudulent domains, including:

  • saylor-giveaways[.]com
  • saylorgiveaway[.]com
  • saylor-x2crypto[.]com
  • saylorgiveaway[.]net
  • saylor-x2giveaway[.]com

Some of these domains were previously used in YouTube crypto scams, confirming that the same group of cybercriminals had been running these attacks for months.


A Russian Cybercrime Connection?


A closer look at the domain registrations uncovered an email address linked to 200+ scam domains:

These findings suggest a large-scale, organized cybercrime operation targeting high-profile accounts to amplify fraudulent schemes.


How FalconFeeds Responded: Damage Control & Recovery


Once the attack was confirmed, immediate action was taken to regain control of the account.

Immediate Actions Taken

  • Contacted X Support for emergency account recovery
  • Flagged and reported all fraudulent posts
  • Reset all passwords and revoked all active sessions
  • Conducted an internal security audit

The Impact of the Attack

While the account was successfully recovered, the incident had far-reaching consequences:

  • More than 60 fraudulent tweets per hour, causing reputational damage.
  • Potential exposure of followers to phishing and financial scams.
  • Temporary loss of account control, affecting communication channels.


Lessons Learned: Strengthening Security Defenses


This attack is a wake-up call—not just for FalconFeeds, but for the entire cybersecurity community.

How FalconFeeds is Strengthening Defenses

  • Reevaluating Third-Party App Permissions – A deep audit of all apps with X API access is being conducted.
  • Session Monitoring & Expiration – Stricter session expiration policies are being implemented to reduce the risk of hijacking.
  • Enhanced Employee Security Training – Focused training on phishing, session security, and social engineering tactics is being reinforced.
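To show what "stricter session expiration policies" can mean in practice, here is an added example (not X's or FalconFeeds' implementation) of a server-side session store with idle and absolute expiry, an MFA step-up requirement before the email or password can be changed, and the revoke-all step used during recovery. The timing values are assumptions.

```python
"""Session policy limiting what a stolen cookie can do: idle/absolute expiry, MFA
step-up for account changes, revoke-all for recovery. Added example; timings assumed."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(hours=1)        # unused sessions die quickly
ABSOLUTE_LIFETIME = timedelta(hours=12)  # even active sessions must re-login
STEP_UP_WINDOW = timedelta(minutes=5)    # account changes need MFA this recent
SENSITIVE = {"change_email", "change_password", "disable_mfa"}

@dataclass
class Session:
    user: str
    created: datetime
    last_seen: datetime
    last_mfa: datetime   # when MFA last completed on this specific session

class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, user, now):
        sid = secrets.token_urlsafe(32)   # opaque; the cookie carries no user data
        self._sessions[sid] = Session(user, now, now, now)
        return sid

    def validate(self, sid, now):
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.created > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]       # expired: a replayed cookie is now useless
            return None
        s.last_seen = now
        return s

    def authorize(self, sid, action, now):
        """Posting needs a live session; changing the email needs fresh MFA too."""
        s = self.validate(sid, now)
        if s is None:
            return "denied"
        if action in SENSITIVE and now - s.last_mfa > STEP_UP_WINDOW:
            return "step-up required"     # a stolen cookie alone cannot change email
        return "allowed"

    def revoke_all(self, user):
        """Recovery step: drop every session for the user; returns how many."""
        doomed = [k for k, s in self._sessions.items() if s.user == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)
```

With this policy a replayed cookie can still post until it idles out, but it cannot change the recovery email without a fresh MFA step, and revoke_all ends every session at once.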


Best Practices for Everyone

If you manage a high-profile account or deal with sensitive data, here’s how to protect yourself:


  1. Revoke Old Sessions Regularly – Don’t stay logged in indefinitely.
  2. Monitor Account Activity Closely – Be proactive in spotting unauthorized changes.
  3. Be Cautious with Third-Party Apps – Only allow integrations you absolutely trust.


Final Thoughts: Cybercriminals Are Evolving—So Must We


The compromise of the @FalconFeedsio X (formerly Twitter) account highlights the increasing sophistication of cyber threats targeting high-profile social media accounts. Despite the implementation of Multi-Factor Authentication (MFA), the attackers successfully bypassed security measures through session hijacking, gaining unauthorized access to an employee's session.


This incident not only caused reputational damage but also exposed followers to financial scams, demonstrating the far-reaching impact of such attacks. The attackers' use of deepfake images, strategic keyword manipulation, and a network of fraudulent domains suggests a well-coordinated effort to exploit cryptocurrency enthusiasts.


Moving forward, we are ensuring a proactive approach to cybersecurity by implementing stronger session security measures, conducting regular security audits, enforcing stricter access controls, and continuously monitoring for suspicious activities. Additionally, we are committed to enhancing employee training on session security best practices to prevent similar incidents in the future. Strengthening authentication mechanisms and refining incident response protocols will also be crucial in mitigating session hijacking risks.


This incident serves as a critical reminder that security defenses must evolve alongside emerging attack techniques to effectively safeguard digital assets and online identities. 


Stay vigilant. Stay informed. Stay secure. 

Gagan Jain
© 2025 T-Sanct Technologies Pvt Ltd.