X Auto-Locks Crypto Accounts to Stop Phishing — Why Your Wallet Still Needs Protection

Author: D'CENT Wallet Team

Hardware wallet security experts. Building secure crypto storage since 2018.

Key Answer: X (formerly Twitter) has announced a policy to automatically lock any account that posts about cryptocurrency for the first time — a drastic measure driven by the scale of phishing attacks weaponizing hijacked accounts to promote fake tokens and wallet drainers. While platform-level defenses help, they can't protect your wallet once you click a malicious link. A hardware wallet keeps your private keys in an offline Secure Element that no phishing attack can reach, though it cannot stop you from approving a malicious transaction — verifying every detail on your device screen before signing remains your final defense.

X is rolling out auto-lock for accounts that post about crypto for the first time — a direct response to the phishing epidemic targeting social media.

30-Second Summary

What you need to know

  • The policy: X is rolling out a feature to auto-lock accounts posting crypto content for the first time, requiring identity verification before the post goes live.
  • Why: Hijacked accounts promoting fake tokens and phishing links became so widespread that X's Head of Product says this will "kill 99% of the incentive."
  • The trigger: On April 1, 2026, Predictfully founder Benjamin White lost his account to a fake copyright violation email. Attackers immediately promoted fraudulent tokens.
  • The real problem: Platform locks stop stolen accounts from spreading scams. But they don't protect you from clicking a phishing link from a still-compromised account — or from signing a malicious transaction.
  • Your defense: Phishing can compromise your social account, your email, even your browser. It can't compromise a hardware wallet's Secure Element.

What's the New Policy?

On April 2, 2026, X Head of Product Nikita Bier announced that X is introducing a feature to automatically lock any account that mentions cryptocurrency for the first time. The system works like this:

  1. First-time crypto post detected — If an account has no history of crypto-related content and suddenly posts about tokens, giveaways, or trading, the account is locked.
  2. Verification required — The account owner must verify their identity before the post goes live.

For legitimate users posting about crypto for the first time, the verification process is designed to be fast. For attackers who have just phished an account, it is a hard stop unless they can also pass identity verification as the owner, which closes the exploitation window before they can profit.


Why Did X Need a "Kill Switch"?

The answer is simple: crypto phishing on social media is out of control.

The Attack Playbook

The typical attack follows a pattern that's become disturbingly routine:

  1. Phishing email — Victim receives a fake "copyright violation" or "security alert" email that looks exactly like it came from X.
  2. Fake login page — The link leads to a convincing replica of X's login screen. Modern kits run as an adversary-in-the-middle proxy: the password and the one-time 2FA code the victim types are forwarded to the real site in real time, so SMS and authenticator-app codes are captured and used inside their validity window.
  3. Account takeover — Attackers immediately change credentials and lock out the real owner.
  4. Scam promotion — The hijacked account blasts out links to fake token launches, "giveaway" scams, or wallet drainer contracts.
  5. Profit window — Attackers typically have minutes to hours before the platform responds. That's enough to reach thousands of the account's followers.
The 5-stage phishing attack playbook: from fake email to exploitation window.

The Benjamin White Incident

The policy was triggered by a specific case. On April 1, 2026, Benjamin White, founder of Predictfully, received a fake X support email citing copyright violation. The phishing link perfectly mimicked X's login page, capturing his password and 2FA code. Within minutes, attackers were using his verified account to promote fraudulent tokens — and demanded $4,000 in extortion.

The Scale of the Problem

The numbers explain why X felt forced to act:

  • Social media is one of the top channels for scam delivery, with platforms like X serving as primary vectors for phishing links
  • X has hundreds of millions of monthly users — even a tiny success rate translates to thousands of victims
  • In the 2020 Twitter hack, attackers accessed internal systems and used verified accounts for a Bitcoin giveaway scam, stealing over $100,000 in hours
  • In a single month, crypto phishing cost roughly $47 million across about 57,000 victims, according to Scam Sniffer data, with fake and hijacked accounts on X among the leading delivery channels

Bier also criticized Google directly, calling out Gmail for failing to filter phishing emails before they reach users' inboxes — the upstream failure that makes these attacks possible.

These phishing techniques overlap heavily with the AI-powered deepfake scams now targeting crypto users across social platforms.


X's Lock Helps — But It Doesn't Protect Your Wallet

Here's what many people miss in this conversation: X's new policy protects the platform. It doesn't protect you.

The auto-lock stops stolen accounts from spreading phishing links. It doesn't stop you from:

  • Clicking a link posted by a compromised account before X detects it
  • Connecting your wallet to a malicious dApp disguised as a legitimate project
  • Approving a transaction or signature that hands a malicious contract an allowance over your tokens, which it then uses to drain them
  • Entering your seed phrase on a fake "wallet verification" site

Once you have clicked the link, connected your wallet and signed, the damage is done on-chain, and no social media policy can reverse it.

Where the Attack Chain Reaches Your Assets

Stage                   | What happens                              | X policy helps?                                  | Hardware wallet helps?
1. Phishing email       | You receive a fake alert                  | No                                               | No
2. Account stolen       | Attacker takes over your X account        | Yes (locks the account at its first crypto post) | No
3. Scam posted          | Fake token or link promoted               | Yes (post held until verification)               | No
4. You click a link     | Posted by another compromised account     | No                                               | No
5. Wallet connection    | You connect to a malicious dApp           | No                                               | Yes (Blockaid flags known scam sites and addresses)
6. Transaction approval | You sign a drainer contract               | No                                               | Partly (Clear Signing shows what you are signing; you still have to read it)
7. Key extraction       | Attacker tries to steal keys              | No                                               | Yes (keys never leave the Secure Element)

X covers stages 2 and 3. A hardware wallet covers stages 5 to 7, with stage 6 still depending on you reading the device screen. Nothing replaces your judgment at stages 1 and 4.

Keep your keys offline. D'CENT Biometric Wallet keeps your private keys in an EAL5+ Secure Element — where no phishing attack can reach them.


How to Actually Protect Yourself

1. Treat Every Crypto Link on Social Media as Suspect

Even verified accounts get compromised. If a post promotes a token, airdrop, or giveaway — especially with urgency ("limited time", "first 1,000 users") — verify through official channels before clicking anything. Fake airdrop campaigns are one of the most common lures; see how to claim airdrops safely.

2. Never Enter Your Seed Phrase Online

No legitimate service, platform, wallet, or government agency will ever ask for your Recovery Phrase. If a site asks for it, close the tab immediately. This is non-negotiable.

3. Use a Hardware Wallet with Threat Detection

A hardware wallet keeps your private keys in an isolated Secure Element chip that phishing attacks can't reach. With built-in threat detection like Blockaid, suspicious contracts and known phishing addresses are flagged before you sign.

D'CENT Biometric Wallet with layered defense: Blockaid threat detection, clear signing, and EAL5+ Secure Element.

D'CENT Biometric Wallet adds:

  • Clear Signing (WYSIWYS) — Full transaction details displayed on the device. You see exactly what you're approving, not an abstract hash. Learn more: Blind Signing vs Clear Signing.
  • Biometric authentication — Physical fingerprint required to confirm. Can't be remotely triggered by malware.
  • EAL5+ Secure Element — Private keys are generated and used inside the certified chip. The host firmware passes transactions in and gets signatures out but never reads the key material, so malware on the connected phone or PC has nothing to steal.

Important: Even with a hardware wallet, you must verify what you're signing. If a transaction looks wrong — wrong address, unexpected token approval, unfamiliar contract — reject it. The device shows you the truth; you make the final call.
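As an added illustration of what the "verify what you're signing" step actually has to check, and not code from D'CENT or its firmware: the script below decodes the calldata of the common allowance-granting calls and flags the two patterns wallet drainers rely on, an unlimited allowance and an unfamiliar spender. The selectors are the standard 4-byte IDs of these ERC-20/ERC-721 functions; the contract and spender addresses, the trusted-spender list and the sample transactions are constructed placeholders.

```python
UINT256_MAX = (1 << 256) - 1

# 4-byte selectors are the first 4 bytes of keccak256(signature). The standard
# values are hard-coded so the script runs without a keccak library.
SELECTORS = {
    "a9059cbb": "transfer",
    "095ea7b3": "approve",
    "39509351": "increaseAllowance",
    "a22cb465": "setApprovalForAll",
}


def encode_call(selector, address, amount):
    """ABI-encode a (address, uint256-or-bool) call: selector + two 32-byte words."""
    addr_word = address.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + selector + addr_word + format(amount, "064x")


def decode_call(calldata):
    """Decode the recognised two-argument calls; anything else is reported as unknown."""
    data = calldata.lower().removeprefix("0x")
    selector, body = data[:8], data[8:]
    words = [body[i:i + 64] for i in range(0, len(body), 64)]
    name = SELECTORS.get(selector)
    if name is None or len(words) != 2 or any(len(w) != 64 for w in words):
        return {"function": None, "selector": selector}
    # an address is right-aligned in its 32-byte word
    return {"function": name, "target": "0x" + words[0][-40:], "amount": int(words[1], 16)}


def inspect_transaction(tx, trusted_spenders):
    """What a clear-signing screen should surface before the user presses confirm.

    tx: {"to": contract address, "data": calldata hex}
    trusted_spenders: lowercase addresses the user has deliberately approved before
    Returns (verdict, findings); verdict is "ok", "warn" or "reject".
    """
    call = decode_call(tx["data"])
    if call["function"] is None:
        return "reject", [f"unrecognised selector 0x{call['selector']}: signing this would be blind signing"]

    name, target, amount = call["function"], call["target"], call["amount"]
    findings = [f"{name} on contract {tx['to']} -> {target}, amount {amount}"]
    if name == "transfer":
        return "warn", findings + ["moves tokens out immediately; check the recipient"]

    # approve / increaseAllowance / setApprovalForAll all hand spending rights to `target`
    untrusted = target not in trusted_spenders
    if amount == 0:
        return "ok", findings + ["allowance set to zero: this is a revocation"]
    unlimited = amount == UINT256_MAX or (name == "setApprovalForAll" and amount == 1)
    if unlimited:
        findings.append("UNLIMITED: the spender can drain the entire balance/collection at any time")
    if untrusted:
        findings.append(f"spender {target} is not one you have trusted before")
    if unlimited and untrusted:
        return "reject", findings
    return ("warn" if (unlimited or untrusted) else "ok"), findings


# --- constructed sample transactions (addresses are placeholders, not real contracts) ---
TOKEN = "0x" + "cc" * 20
TRUSTED_ROUTER = "0x" + "aa" * 20
DRAINER = "0x" + "bb" * 20
TRUSTED = {TRUSTED_ROUTER}

SAMPLES = {
    "drainer_unlimited_approve": {"to": TOKEN, "data": encode_call("095ea7b3", DRAINER, UINT256_MAX)},
    "bounded_swap_approve": {"to": TOKEN, "data": encode_call("095ea7b3", TRUSTED_ROUTER, 1_000_000)},
    "revoke": {"to": TOKEN, "data": encode_call("095ea7b3", DRAINER, 0)},
    "nft_drainer": {"to": TOKEN, "data": encode_call("a22cb465", DRAINER, 1)},
    "opaque_call": {"to": TOKEN, "data": "0xdeadbeef" + "00" * 64},
}

if __name__ == "__main__":
    for label, tx in SAMPLES.items():
        verdict, findings = inspect_transaction(tx, TRUSTED)
        print(f"{label}: {verdict.upper()}")
        for finding in findings:
            print("   -", finding)
```

Permit-style approvals (EIP-2612 permit, Permit2) are signed as typed-data messages rather than sent as calldata, so the same scrutiny has to be applied to signature requests, not only to transactions.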

4. Secure Your Email First

Bier is right that email is the upstream vulnerability. Most account takeovers start with a phishing email, not a platform exploit. Protect your email account with a FIDO2/WebAuthn security key (such as a YubiKey) or a passkey rather than SMS or authenticator-app codes. A one-time code is just a string the victim can be tricked into typing into a lookalike page, where it is relayed to the real site inside its validity window; a security key's response is bound to the domain the browser is actually on, so a lookalike domain cannot obtain a response the real site will accept.
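To make concrete why the one-time code in step 2 of the attack playbook above can be relayed but a security-key login cannot, here is an added simulation of both logins against an adversary-in-the-middle page; it is not X's or any vendor's code. The TOTP part follows RFC 6238 using only the standard library. The WebAuthn part is simplified: an HMAC stands in for the authenticator's ECDSA signature, and the password, secrets, timestamp and lookalike domain are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for the simulation (none of these are real credentials).
VICTIM_PASSWORD = "correct horse battery staple"
VICTIM_TOTP_SECRET = b"constructed-totp-seed-0001"
CREDENTIAL_KEY = b"constructed-security-key-credential"
REAL_RP_ID = "x.com"                          # the site being imitated
PHISH_RP_ID = "x-copyright-appeal.example"    # constructed lookalike domain
NOW = 1_700_000_000                           # fixed clock so the 30 s TOTP window is reproducible


def totp(secret: bytes, t: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code an authenticator app shows."""
    counter = struct.pack(">Q", int(t // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


class TotpSite:
    """The real site, protected by password + authenticator-app code."""
    def __init__(self, password, totp_secret):
        self.password, self.totp_secret = password, totp_secret

    def login(self, password, code, now):
        return hmac.compare_digest(password, self.password) and code == totp(self.totp_secret, now)


def aitm_phish_totp(site, now):
    """The fake login page collects what the victim types and relays it to the
    real site two seconds later, inside the same 30-second window."""
    typed = {"password": VICTIM_PASSWORD, "code": totp(VICTIM_TOTP_SECRET, now)}
    return site.login(typed["password"], typed["code"], now + 2)


class WebAuthnSite:
    """The real site with a security-key credential. It only accepts assertions
    whose rpIdHash is the hash of its own domain."""
    def __init__(self, rp_id, credential_key):
        self.rp_id, self.credential_key = rp_id, credential_key

    def verify(self, challenge, rp_id_hash, signature):
        if rp_id_hash != hashlib.sha256(self.rp_id.encode()).digest():
            return False   # the assertion was produced for a different origin
        expected = hmac.new(self.credential_key, rp_id_hash + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(signature, expected)


def security_key_assert(credential_key, browser_origin_rp_id, challenge):
    """Simplified authenticator: it signs the challenge together with the hash of the
    domain the browser is actually on. HMAC stands in for the real ECDSA signature."""
    rp_id_hash = hashlib.sha256(browser_origin_rp_id.encode()).digest()
    return rp_id_hash, hmac.new(credential_key, rp_id_hash + challenge, hashlib.sha256).digest()


def webauthn_login(site, browser_origin_rp_id):
    """The proxy can forward the real site's challenge unchanged, but the key binds
    its answer to whatever domain is in the browser's address bar."""
    challenge = os.urandom(32)   # issued by the real site, forwarded by the phishing proxy
    rp_id_hash, sig = security_key_assert(CREDENTIAL_KEY, browser_origin_rp_id, challenge)
    return site.verify(challenge, rp_id_hash, sig)


def run_scenarios():
    """Returns scenario -> whether the real site accepted the login."""
    totp_site = TotpSite(VICTIM_PASSWORD, VICTIM_TOTP_SECRET)
    fido_site = WebAuthnSite(REAL_RP_ID, CREDENTIAL_KEY)
    code_now = totp(VICTIM_TOTP_SECRET, NOW)
    return {
        "totp_legit_login": totp_site.login(VICTIM_PASSWORD, code_now, NOW),
        "totp_relayed_by_phisher": aitm_phish_totp(totp_site, NOW),
        "totp_replayed_two_minutes_later": totp_site.login(VICTIM_PASSWORD, code_now, NOW + 120),
        "security_key_on_real_site": webauthn_login(fido_site, REAL_RP_ID),
        "security_key_on_phish_site": webauthn_login(fido_site, PHISH_RP_ID),
    }


if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario:35s} -> {'ACCEPTED' if accepted else 'rejected'}")
```

The replayed-late case shows why the phishing kits relay in real time: the code itself expires, but a proxy that forwards it within the window is as good as the victim. A real browser would additionally refuse to hand the phishing origin a credential registered for x.com at all; the simulation shows only the server-side check that fails even if it tried.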

5. Revoke Old Token Approvals

If you've interacted with any project promoted through social media, check your token approvals. An allowance stays valid until you set it back to zero, and an unlimited approve() is the standard opening move of a drainer: once granted, the approved contract can call transferFrom on your whole balance later without any further signature from you. The same applies to setApprovalForAll on NFT collections, and to projects that looked legitimate at the time but were later compromised or upgraded.

For more on this: How to Revoke Token Approvals and Protect Your Wallet
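One way to find what is still approved and produce the revoke calls, as an added example rather than a D'CENT tool: replay the Approval / ApprovalForAll events for your address in chain order, keep the last value per (token, spender), and encode approve(spender, 0) or setApprovalForAll(spender, false) for everything non-zero. The event topic values are the standard keccak256 hashes of the event signatures; the log records below are constructed in the shape eth_getLogs returns, and all addresses are placeholders.

```python
# Event topic0 values are keccak256 of the event signature; the standard values are
# hard-coded so this runs without a keccak library.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"          # Approval(address,address,uint256)
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"  # ApprovalForAll(address,address,bool)
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"          # Transfer(address,address,uint256)
APPROVE_SELECTOR = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"  # setApprovalForAll(address,bool)
UINT256_MAX = (1 << 256) - 1


def _addr(word):
    """Address from a 32-byte topic/word (right-aligned, returned lowercase)."""
    return "0x" + word.lower().removeprefix("0x")[-40:]


def _pad(address):
    """Left-pad an address to a 32-byte word (without 0x)."""
    return address.lower().removeprefix("0x").rjust(64, "0")


def outstanding_approvals(logs, owner):
    """Replay approval events in chain order. ERC-20 Approval emits the *new* allowance,
    so the last event per (token, spender) is the current state; zero means revoked."""
    state = {}
    for log in sorted(logs, key=lambda entry: (entry["blockNumber"], entry["logIndex"])):
        topic0 = log["topics"][0].lower()
        # Skip Transfer and anything else; also skip ERC-721 Approval, which has 4 topics
        # (tokenId indexed) and approves a single token rather than a balance.
        if topic0 not in (APPROVAL_TOPIC, APPROVAL_FOR_ALL_TOPIC) or len(log["topics"]) != 3:
            continue
        if _addr(log["topics"][1]) != owner.lower():
            continue
        key = (log["address"].lower(), _addr(log["topics"][2]))
        kind = "erc20" if topic0 == APPROVAL_TOPIC else "erc721_all"
        state[key] = {"kind": kind, "value": int(log["data"], 16)}
    return {k: v for k, v in state.items() if v["value"] != 0}


def revoke_transactions(approvals):
    """Unsigned calls that set each outstanding allowance back to zero / false."""
    txs = []
    for (token, spender), info in approvals.items():
        selector = APPROVE_SELECTOR if info["kind"] == "erc20" else SET_APPROVAL_FOR_ALL_SELECTOR
        txs.append({"to": token, "value": 0, "data": "0x" + selector + _pad(spender) + format(0, "064x")})
    return txs


# --- constructed log records in the shape eth_getLogs returns; all addresses are placeholders ---
ME = "0x" + "ee" * 20
SOMEONE_ELSE = "0x" + "ef" * 20
USDT_LIKE = "0x" + "c1" * 20
NFT_COLLECTION = "0x" + "c2" * 20
DEX_ROUTER = "0x" + "a1" * 20
DRAINER = "0x" + "b1" * 20


def _log(block, index, token, topic0, owner, spender, value):
    return {"address": token, "blockNumber": block, "logIndex": index,
            "topics": [topic0, "0x" + _pad(owner), "0x" + _pad(spender)],
            "data": "0x" + format(value, "064x")}


SAMPLE_LOGS = [
    _log(100, 0, USDT_LIKE, APPROVAL_TOPIC, ME, DEX_ROUTER, UINT256_MAX),         # unlimited approval for a swap
    _log(150, 3, USDT_LIKE, APPROVAL_TOPIC, ME, DRAINER, UINT256_MAX),            # granted on a phishing site
    _log(160, 1, NFT_COLLECTION, APPROVAL_FOR_ALL_TOPIC, ME, DRAINER, 1),         # whole collection to the drainer
    _log(170, 0, USDT_LIKE, TRANSFER_TOPIC, ME, DRAINER, 5_000),                  # a transfer, not an approval
    _log(180, 2, USDT_LIKE, APPROVAL_TOPIC, SOMEONE_ELSE, DRAINER, UINT256_MAX),  # not our address
    _log(200, 0, USDT_LIKE, APPROVAL_TOPIC, ME, DEX_ROUTER, 0),                   # router already revoked
]

if __name__ == "__main__":
    found = outstanding_approvals(SAMPLE_LOGS, ME)
    for (token, spender), info in found.items():
        amount = "unlimited" if info["value"] == UINT256_MAX else info["value"]
        print(f"{info['kind']:10s} token={token} spender={spender} allowance={amount}")
    for tx in revoke_transactions(found):
        print("revoke:", tx)
```

In practice you fetch the records with eth_getLogs filtered on topic0 and on your address in topics[1], and you still confirm each revoke on the device screen: the calldata must show your token contract, the spender, and a zero amount. Allowances granted through Permit2 live in the Permit2 contract rather than in the token, so they do not appear in this scan.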

For a complete breakdown of crypto scam tactics and defenses: How to Avoid Cryptocurrency Scams with Hardware Wallets


The Bottom Line

X's auto-lock policy is a meaningful step — it closes the exploitation window that made hijacked accounts profitable. But platform defenses only cover part of the attack chain. The phishing link you click, the wallet you connect, and the transaction you sign are all decisions that happen outside any platform's control.

Your strongest defense is layered: verify before you click, use a hardware wallet with threat detection and clear signing for every transaction, secure your email with hardware-key 2FA, and revoke old token approvals regularly. The device shows you the truth — but you make the final call.

Take control of your crypto security. EAL5+ Secure Element, biometric authentication, Blockaid threat detection, and clear signing built in.


FAQ

Why is X locking crypto accounts?

To combat phishing attacks that hijack accounts and use them to promote fake tokens and scam links. X's Head of Product Nikita Bier says the policy will "kill 99% of the incentive" for attackers who steal accounts specifically to promote crypto scams.

Will legitimate crypto users get locked out?

Potentially, if it's your first time posting about crypto on X. The verification process is described as fast for legitimate users, but it adds friction for newcomers. Existing crypto posters with established history should not be affected.

How do crypto phishing attacks actually work?

The typical chain: fake email (copyright violation or security alert) → phishing login page → password and 2FA captured → account takeover → scam promotion. The attack from email to account takeover can happen in minutes.

Can a hardware wallet protect me from social media phishing?

A hardware wallet can't stop you from clicking a phishing link or having your social account stolen. What it does is protect your crypto assets at the point of transaction: built-in threat detection flags malicious contracts, clear signing shows you exactly what you're approving, and your private keys never leave the Secure Element chip — so even if everything else is compromised, your keys remain secure.

What should I do if my X account is compromised?

Change your password immediately from a device you trust, then log out of all other sessions so the attacker's session is invalidated. Enable security-key 2FA. Review connected apps and delegated access and remove anything you don't recognize. If the attacker posted crypto scam links, delete them and report the takeover to X support. Then check your wallet: revoke any token approvals you don't recognize, and if there is any chance your seed phrase or keys were exposed, move the assets to a freshly generated wallet.

Is this the same as the 2020 Twitter Bitcoin hack?

Different scale, same principle. The 2020 hack involved access to internal admin tools and targeted high-profile verified accounts for a Bitcoin giveaway scam. Today's attacks are distributed: thousands of individual phishing emails stealing accounts one by one. X's new policy targets this distributed threat model.


Sources: TheStreet, CoinDesk, SpazioCrypto, FinanceMagnates, CryptoPotato, Bitdefender


[D'CENT Wallet]
D'CENT is a blockchain wallet service manufactured and sold by IoTrust Co., Ltd. The wallet was built by specialists with more than 15 years of development experience in embedded solutions based on security chips (SE and TEE), and it applies the high-security technology used in bank cards and USIM cards.

D'CENT comes in three types: the Biometric wallet, which authenticates with a fingerprint; the Card wallet, which is convenient to carry; and the Hardware wallet, equally compact, which stores data safely offline.
Disclaimer:
This blog is for educational purposes only. The information here, including project and brand names, is provided for informational purposes and is not financial, legal, or tax advice. We strive for accuracy but accept no liability for errors. Crypto assets are inherently risky. Do thorough research and consider consulting a financial advisor so that your investment decisions match your goals and risk tolerance. External links may be present; we accept no responsibility for their content or practices. Please review our Terms of Use and Privacy Policy.
