A serious security breach has hit the official X accounts of SpaceX and Starlink. According to multiple online reports, the profiles reposted a promotional post for a fraudulent cryptocurrency, causing financial losses to investors. The incident raises questions about the security of verified accounts and X's affiliation system.
The scam mechanism: a stolen affiliate badge
The dynamics were particularly insidious. An account named "Sam Catman" displayed an official SpaceXAI affiliate badge, signaling a formal link to the company. The official SpaceX and Starlink profiles then shared the fake account's post, giving the scam an appearance of legitimacy. Buyers purchased the token, but soon after, whoever controlled the coin pulled liquidity, leaving holders with worthless tokens. The exact amount stolen and number of victims are not yet known.
X's affiliation system under fire
This incident differs from common impersonations because it exploited X's affiliation system, designed to indicate that an account is officially tied to a verified organization. The fact that an affiliate-badged account promoted a scam token, amplified by the parent brand's own verified handles, suggests direct access to the company's account cluster rather than an outside impersonation. How access was obtained remains unclear: stolen credentials, a third-party app, or an insider path.
Sponsored Protocol
SpaceX's silence and security implications
SpaceX has not yet issued an official statement. It is unknown how long the posts remained live before removal or whether an internal investigation has started. The incident highlights the vulnerability of even highly visible profiles. A similar case recently involved Apple, where a former engineer exploited a bug to steal trade secrets for OpenAI. In that case too, unauthorized access to critical systems caused reputational and legal damage.
Sponsored Protocol
Rug pull scams are unfortunately common in the crypto world, but when they occur through official channels of companies like SpaceX, user trust is shaken. According to Wikipedia, a rug pull is a scam where developers abandon a project after raising funds. Here, the manipulation was facilitated by fraudulent use of verified accounts.
This episode shows that no platform is immune to targeted attacks. For users, it is essential to always verify information, be wary of promises of easy profits, and check the source of messages even if they come from blue checks. Cybersecurity remains an open challenge for both tech giants and individual citizens.