
Who are the X-account hunters? How they steal digital identities and followers

These attacks are often handled automatically by systems set up by criminals trying to collect some money by exploiting famous names

by Giancarlo Calzetta

4 min read

A few days ago, cybercriminals gained access to Defence Minister Crosetto's X account (formerly Twitter) and used it to post two messages: the first sought cryptocurrency donations for Giorgio Armani's funeral, the second donations to support the people of Gaza. There is much speculation as to who carried out the attack, but judging from what the minister himself said, it does not appear to be an 'ad personam' attack: it has all the characteristics of a common mass attack. These attacks are often carried out automatically by systems set up by criminals who try to collect some money by exploiting famous names to spread requests for money on seemingly noble topics. In the past, there have been many similar attacks on the accounts of famous people, from the footballer Mbappé to the SEC, via various actors and singers, up to former US president Barack Obama (which was, however, a high-profile technical attack).

Social network accounts have in fact become real tools with economic, reputational and political value, and those of X (the former Twitter) are among hackers' favourite targets, to be exploited for scams, propaganda or resale on the black market.


But how do they take possession of supposedly private accounts?

The techniques used are diverse, sometimes very sophisticated, and affect public figures as well as companies and ordinary users.

Classic phishing in its many flavours, with multi-factor authentication circumvention

The most widespread technique is still traditional phishing: an e-mail or chat message that imitates an official communication from X and warns, for instance, of an impending account suspension. The unsuspecting user clicks on the link and enters credentials to 'keep the account active' or 'avoid suspension'; the link leads to a bogus site, so the credentials go straight into the hands of the criminals.
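A defender's first check on such a message is the link itself: where does it really point? The following is an added example, not code from the article or from X, that classifies a link against a constructed allowlist of platform domains (the allowlist and the naive two-label domain extraction are assumptions for this illustration):

```python
from urllib.parse import urlparse

# Constructed allowlist for this example; check the provider's own documentation
# before relying on any such list.
LEGIT_DOMAINS = {"x.com", "twitter.com"}


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname (good enough for .com-style TLDs,
    not for two-level public suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str) -> str:
    """Classify a link found in a 'your account will be suspended' message.

    The order matters: scheme and embedded credentials are checked before the
    domain, because 'https://x.com@evil.example/' would otherwise look legitimate.
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        return "suspicious: not https"
    if parsed.username or parsed.password:
        # Browsers treat everything before '@' as a username, not the host.
        return "suspicious: credentials embedded in URL"
    if any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised labels can hide lookalike characters.
        return "suspicious: punycode (possible homoglyph) hostname"
    if registered_domain(host) in LEGIT_DOMAINS:
        return "ok: platform domain"
    if any(d in host for d in LEGIT_DOMAINS):
        # e.g. x.com.account-verify.example: the brand sits in a subdomain,
        # but the registered domain belongs to someone else.
        return "suspicious: brand name used as subdomain or lookalike"
    return "unknown domain"
```

The last rule is deliberately conservative: a host that merely contains the brand string is flagged for review rather than trusted.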

But users are getting smarter every day, which is why criminals have developed more targeted attacks known as spear phishing. Here journalists, influencers, politicians and managers become specific targets: messages are tailor-made to get past their natural mistrust. Often a human operator manages the attack and can adjust it as it unfolds to make it more credible and effective.

Complementing these attacks is an increasingly common stratagem: SIM swap. The attacker convinces the telephone operator to transfer the victim's phone number to a SIM card he controls, thus receiving the authentication codes sent by SMS. This does not appear to have been the case here, since the minister did not report any problems with his phone number.

Stolen passwords, credential stuffing and other password attacks

If none of the above methods work, criminals may exploit a bad habit many people have: reusing the same password on multiple services. With credential stuffing, attackers take databases of credentials stolen in other breaches and try them on X, trusting that the user has kept the same e-mail address/password combination. This approach is very common and often underestimated. It may be at the root of the compromise, but on its own it is unlikely to have been enough.
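What distinguishes credential stuffing in authentication logs is not the number of failures but the number of different accounts tried from one source. The following detection logic is an added example, not code from the article or from X; the log format and the sample lines are constructed for the illustration:

```python
import re
from collections import defaultdict

# Constructed sample of authentication log lines (not from any real system).
# 203.0.113.7 walks through many accounts; 198.51.100.3 is one user mistyping.
SAMPLE_LOG = """\
2025-09-10T08:00:01Z ip=203.0.113.7 user=alice result=fail
2025-09-10T08:00:02Z ip=203.0.113.7 user=bob result=fail
2025-09-10T08:00:02Z ip=203.0.113.7 user=carol result=fail
2025-09-10T08:00:03Z ip=203.0.113.7 user=dave result=fail
2025-09-10T08:00:03Z ip=203.0.113.7 user=erin result=fail
2025-09-10T08:00:04Z ip=203.0.113.7 user=frank result=success
2025-09-10T08:00:05Z ip=198.51.100.3 user=alice result=fail
2025-09-10T08:00:09Z ip=198.51.100.3 user=alice result=fail
2025-09-10T08:00:15Z ip=198.51.100.3 user=alice result=success
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)")


def detect_stuffing(log_text: str, min_distinct_users: int = 5) -> dict:
    """Flag source IPs whose failed logins span many *different* accounts.

    A legitimate user mistyping a password fails repeatedly on one account;
    credential stuffing fails across many accounts from one source, often
    followed by a success for whichever reused password still works.
    Returns {ip: {"distinct_users": n, "failures": n, "successes": [users]}}.
    """
    per_ip = defaultdict(lambda: {"users": set(), "failures": 0, "successes": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        rec = per_ip[m["ip"]]
        if m["result"] == "fail":
            rec["users"].add(m["user"])
            rec["failures"] += 1
        elif m["result"] == "success":
            rec["successes"].append(m["user"])
    return {
        ip: {"distinct_users": len(r["users"]), "failures": r["failures"],
             "successes": r["successes"]}
        for ip, r in per_ip.items()
        if len(r["users"]) >= min_distinct_users
    }
```

The `successes` list is the part worth acting on: accounts that accepted a password during a spray are the ones whose owners reused it elsewhere.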

The problem does not always come from outside: in some attacks that steal usernames and passwords, everything starts from a compromised device. With malware and keyloggers, attackers record keystrokes or steal session cookies, gaining direct access to the account. Stolen session cookies in particular give criminals full operational control of the account, but often not the ability to change the password. Crosetto stated that the criminals changed the e-mail address associated with his X account, but also that he had retained access to it. This pattern is typical when a cookie-theft compromise runs into additional security measures that block password changes.
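The distinction the article draws (a stolen cookie can post but cannot change credentials) is what a step-up authentication check enforces server-side. The following is an added example of such a control, not X's own implementation; the device fingerprint, the ten-minute window and the list of sensitive actions are assumptions for this illustration:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Policy values are assumptions for this example, not X's actual settings.
REAUTH_WINDOW = timedelta(minutes=10)
SENSITIVE_ACTIONS = {"change_password", "change_email", "disable_2fa"}


@dataclass
class Session:
    """What the server remembers about a logged-in session cookie."""
    user: str
    device_id: str                              # hypothetical fingerprint taken at login
    last_reauth_at: Optional[datetime] = None   # last fresh password/2FA check


def authorize(session: Session, action: str, now: datetime, device_id: str) -> Tuple[bool, str]:
    """Decide whether a request carrying this session may perform `action`.

    Ordinary actions (posting) ride on the cookie alone; recovery-detail
    changes require the original device and a recent re-authentication.
    """
    if action not in SENSITIVE_ACTIONS:
        return True, "ordinary action: session cookie is sufficient"
    if device_id != session.device_id:
        # A cookie replayed from a different machine fails here.
        return False, "session replayed from another device: full login required"
    if session.last_reauth_at is None or now - session.last_reauth_at > REAUTH_WINDOW:
        # Even on the right device, a sensitive change needs fresh proof of identity.
        return False, "recent password or second-factor check required"
    return True, "recently re-authenticated on the original device"


def reauthenticate(session: Session, now: datetime) -> Session:
    """Record a successful password/second-factor prompt (call after verifying it)."""
    session.last_reauth_at = now
    return session


def demo() -> list:
    """Constructed scenario: a cookie copied from 'laptop-A' is replayed from 'attacker-box'."""
    now = datetime(2025, 9, 10, 12, 0, tzinfo=timezone.utc)
    s = Session(user="victim", device_id="laptop-A")
    out = [authorize(s, "post_message", now, "attacker-box")[0],   # True: can post
           authorize(s, "change_email", now, "attacker-box")[0],   # False: wrong device
           authorize(s, "change_email", now, "laptop-A")[0]]       # False: no fresh reauth
    reauthenticate(s, now - timedelta(minutes=2))
    out.append(authorize(s, "change_email", now, "laptop-A")[0])  # True: recent reauth
    return out
```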

Then there is the chapter of OAuth hijacking, the abuse of the authorisation systems used by external services. With one careless click, a user can grant a malicious app permanent access to his X profile via session tokens. Hard to avoid when done well, this attack nevertheless requires a type of access that is rarely seen on this platform for people of a certain importance.

Social engineering: psychological manipulation

Finally, the oldest and at the same time most modern of techniques: social engineering. Attackers pose as employees, business partners or even X technical support staff, convincing the victim to hand over confidential data. Here the protection is not technical but organisational: clear internal processes and the golden rule of always verifying identity before acting.

So which technique was used against Minister Crosetto? From a distance we cannot know, but almost certainly one of those listed. Some breaches use more complex vulnerabilities, but for serious aims such as stealing large sums of money or secrets (state or industrial), not for trivial scams like the one reported. There is, however, one detail that should not be overlooked: Russia likes to ridicule its adversaries (by its own standards), and from that perspective it may have mounted a sophisticated attack on our Defence Minister disguised as a 'stupid' one, to show his lack of 'defence' capability (if you pardon the pun). It could therefore be an attack

or sophisticated with an almost boorish purpose, if you like. It would be strange, but possible.
