X Auto-Locks Crypto Posts to Stop Scams | Fintech Dose

X is auto-locking accounts that mention crypto for the first time. The move targets a specific weakness in how hijacked accounts fuel scams—but there's a catch.

X social media interface showing account lock notification triggered by first-time cryptocurrency mention

Key Takeaways

  • X will auto-lock accounts posting about crypto for the first time, forcing additional verification before they can post again—a move designed to make hijacked accounts worthless for scams
  • The feature targets speed and credibility (scammers' two core advantages) but won't stop sophisticated attacks or impersonation scams; attackers will adapt by seeding accounts with crypto mentions beforehand
  • X is deflecting some responsibility to Google's email filtering while implementing a friction-based defense that trades user experience for security—a reasonable but incomplete solution to a deeper problem

Everyone expected X to keep throwing money at the crypto scam problem. Instead, Elon Musk’s platform is trying something architectural: auto-locking any account that mentions cryptocurrency for the first time in its history.

This isn’t a band-aid. This is a structural pivot. And it reveals something crucial about how scams actually work on social platforms—they depend on speed and credibility, both of which vanish the moment an account gets frozen.

Why X’s Phishing Problem Got So Bad

X inherited a crypto scam catastrophe from Twitter. These attacks have metastasized into a reliable revenue stream for criminals: hijack an account with real followers, post about fake tokens or “double your money” schemes, and vanish before moderation catches up. Cryptocurrency transactions don’t reverse. Once someone sends money, it’s gone.

The 2020 breach was the watershed moment. Hackers accessed Twitter’s internal systems, took control of accounts belonging to Apple, Barack Obama, and Musk himself, and netted over $100,000 promoting a fake bitcoin giveaway. One attacker got five years in federal prison. But the real damage? It showed every scammer on the planet that major accounts with massive followings could be weaponized.

Since then, the tactics have evolved. Phishing emails disguised as copyright notices. Pixel-perfect fake login pages. Two-factor authentication harvesting. Attackers lock legitimate users out, then go to work pumping scam tokens.

What X Is Actually Doing Here

Nikita Bier, X’s Head of Product, claims the auto-lock feature will “kill 99% of the incentive” behind these attacks. Here’s how it works: if your account has never mentioned crypto before and you suddenly post about it, the system locks you. You’ll need additional verification—probably email, SMS, maybe biometric—before you can post again.

“This should kill 99% of the incentive,” Bier wrote, referring to the current wave of phishing that tricks users into giving up their credentials, then uses their accounts to push crypto scams.

The math here is elegant. Hijackers want anonymity and speed. A frozen account—even for 30 minutes—destroys both. If verification takes 15 minutes and the attacker’s window is 2 minutes, the attack becomes economically pointless.

But (and this is a big but) X is also calling out Google for letting phishing emails slip through Gmail. Bier’s public criticism of Google’s email filtering is worth unpacking—it’s X deflecting responsibility. Yes, Gmail could block more phishing emails. But X could also implement more aggressive account recovery protocols, better email authentication requirements, or mandatory security keys for high-value accounts. Instead, X chose the friction approach: make it annoying for attackers to use hijacked accounts.

Will This Actually Work?

The honest answer: partially.

This feature targets a specific attack vector—accounts posting crypto for the first time post-hijack. It doesn’t touch impersonation attacks (where scammers create fake accounts that look like Elon or crypto influencers). It doesn’t block memecoins or fraudulent airdrops. And most importantly, it only affects new crypto mentions. If an account has posted about crypto before, the kill switch won’t activate.

Adaptation is inevitable. Scammers will start by posting a single innocuous crypto tweet months before conducting their hijack. Then the real attack comes later, sidestepping the auto-lock entirely. Or they’ll pivot to accounts that already have crypto history—easier to find than you’d think.
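To make the rule and its blind spot concrete, here is a small Python model of the auto-lock exactly as the article describes it (lock on a crypto mention only when the account has no earlier one), run over constructed accounts. This is an added illustration, not X's code; the keyword list and the verification-free "lock/no lock" outcome are assumptions, since X has not published its classifier.

```python
import re
from dataclasses import dataclass, field

# Terms counted as a "crypto mention" in this model (an assumption; X has not
# published its real classifier or keyword list).
CRYPTO_TERMS = re.compile(
    r"\b(bitcoin|btc|ethereum|eth|crypto|token|airdrop|wallet|memecoin)\b", re.I)


@dataclass
class Account:
    handle: str
    history: list = field(default_factory=list)  # prior posts, oldest first


def mentions_crypto(text: str) -> bool:
    return CRYPTO_TERMS.search(text) is not None


def would_auto_lock(account: Account, new_post: str) -> bool:
    """The rule as the article describes it: lock only when the new post
    mentions crypto AND no earlier post on this account ever did."""
    if not mentions_crypto(new_post):
        return False
    return not any(mentions_crypto(p) for p in account.history)


def simulate() -> dict:
    """Constructed scenarios; the scam text is a stand-in, not a real campaign."""
    scam_post = "Huge airdrop! Send 0.1 BTC to my wallet and get 0.2 back"
    legit_post = "Just bought my first bitcoin, wish me luck"
    cases = {
        # Typical hijack: real followers, never posted about crypto -> rule fires.
        "hijacked_clean": (Account("photographer", ["New lens arrived", "Golden hour"]), scam_post),
        # Seeded months earlier with one innocuous mention -> rule is blind.
        "hijacked_preseeded": (Account("gardener", ["Compost tips", "Curious about bitcoin?", "Spring planting"]), scam_post),
        # Genuine crypto history -> out of scope by design.
        "hijacked_crypto_native": (Account("eth_dev", ["Shipped a new Ethereum contract"]), scam_post),
        # Legitimate user's first crypto post -> the false positive the article notes.
        "legit_first_mention": (Account("newcomer", ["Hello X"]), legit_post),
    }
    return {name: would_auto_lock(acct, post) for name, (acct, post) in cases.items()}


if __name__ == "__main__":
    for name, locked in simulate().items():
        print(f"{name:24s} locked={locked}")
```

The two hijacked accounts that escape the lock are exactly the cases the text describes: a pre-seeded account and one with existing crypto history, while the one legitimate first-timer is the false positive.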

There’s also a user experience trade-off hiding in this policy. Legitimate users who get hacked will have their account frozen, forcing additional verification steps. It’s friction in service of security, which generally works—but it’ll frustrate real people. And false positives? If you’re just really excited about discovering crypto for the first time and tweet about it—congrats, your account’s locked until you verify your identity.

The Bigger Picture: X Is Playing Defensive

X has tried bot purges, API restrictions, and behavioral detection before. None of them killed scams. That’s because every major social platform with real users and financial incentives gets scammed. Facebook, TikTok, YouTube—they all have crypto fraud problems. The difference is they threw moderation budgets at it. X went the automation route.

The auto-lock feature isn’t revolutionary. It’s pragmatic. When you can’t afford to hire enough people to catch phishing attacks in real-time, you automate friction. You make it harder and slower for attackers than for real users.

Here’s the uncomfortable truth: X probably can’t solve this alone. Google needs to stop phishing emails before they arrive. Users need to enable two-factor authentication and stop clicking sketchy links. Hardware wallet adoption would help—if people can’t paste wallet addresses into a browser, scammers lose their attack surface. But none of those things happen without user behavior change, which is rare.

X’s auto-lock is a reasonable tactical move. It should reduce some scam volume, maybe 30-40% of the simplest hijack-and-pump schemes. But sophisticated attackers will work around it. And new scam tactics will emerge.

The real test isn’t whether this kills 99% of the incentive (it won’t). It’s whether it kills enough that X users start to trust the platform again when they see crypto mentions. Right now, crypto on X is synonymous with scams. A single feature doesn’t change that perception, no matter how elegant the design.



Frequently Asked Questions

Will X auto-lock my account if I mention crypto for the first time? Yes. If your account has no prior crypto mentions and you post about cryptocurrency, X will auto-lock it and require additional verification (email, SMS, possibly biometric) before you can post again. The lock should last only until verification completes, typically minutes.

Can scammers bypass this by hijacking accounts that already posted about crypto? Absolutely. The auto-lock only affects accounts with zero crypto history. Attackers will target accounts with existing crypto mentions or pre-seed hijacked accounts with innocuous crypto tweets before launching their scam. This feature closes one door but doesn’t lock the house.

Why is X blaming Google instead of fixing its own account security? Because phishing emails are technically Google’s problem—Gmail is where most of these fake copyright notices land. But X could also mandate security keys, aggressive account recovery protocols, or stricter email verification. X chose to blame Google partly because moderation infrastructure is expensive, and blaming another company is cheaper.

Written by Aisha Patel

Former ML engineer turned writer. Covers computer vision and robotics with a practitioner perspective.



Originally reported by CoinDesk
