Silent Push Threat Analysts have recently exposed a sophisticated financial scam leveraging a vulnerability in X/Twitter’s advertising display URL feature to deceive users.
This attack manipulates the platform’s URL display mechanism to present a legitimate-looking link, such as “From CNN[.]com,” while redirecting unsuspecting victims to a malicious cryptocurrency scam site impersonating Apple’s brand.
This campaign, centered around a fictitious “Apple iToken,” represents a new level of deception in social media advertising fraud, exploiting technical loopholes to trick users into engaging with harmful content.

Spoofed URLs in X/Twitter Ads
The core of this attack lies in an exploit of X/Twitter’s URL handling and metadata retrieval process.
When a URL is posted on the platform, X/Twitter's bot fetches the page's metadata using a consistent User-Agent (UA) string in order to generate a preview card.
Malicious actors exploit this by configuring their servers to redirect the bot to a benign site like cnn[.]com, while real users are rerouted to a fraudulent domain such as ipresale[.]world.
Alternatively, attackers use URL shorteners like bit[.]ly to initially point to a legitimate site for metadata collection, later updating the redirect to a malicious destination.
This results in a preview card that displays a trusted domain, masking the true, harmful landing page.
After the redirect chain, which often involves intermediate links like t[.]co/OswjDCIcFI, victims land on scam sites promoting a fake cryptocurrency presale.
These sites, complete with forged endorsements from Apple CEO Tim Cook, lure users into creating accounts and transferring funds to one of 22 provided crypto wallets across various blockchain networks, including Bitcoin, Ethereum, and Solana.
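The cloaking described above can be checked from the defender's side by resolving the same link once with a crawler-style User-Agent and once with a browser User-Agent and comparing where each chain ends. The script below is an added example, not Silent Push's or X/Twitter's code. Fetching goes through a pluggable `fetch(url, user_agent)` callable that returns the next Location or `None` for a final page; the default is a constructed in-memory table modelling the chain the article describes (t[.]co to cnn[.]com for the bot, t[.]co to ipresale[.]world for users), so it runs offline, while `http_fetch` implements the same contract over real HTTP with urllib. The bot UA string is an assumed placeholder, not X/Twitter's actual fetcher string.

```python
"""Check whether a link resolves differently for a preview bot than for a browser.

Added example (not Silent Push's or X/Twitter's code). ``fake_fetch`` serves a
constructed redirect table so the script runs offline; ``http_fetch`` does the
same one-hop lookup over real HTTP for live checks.
"""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple


def refang(s: str) -> str:
    """Turn a defanged indicator (t[.]co) back into a real hostname/URL."""
    return s.replace("[.]", ".")


def host_of(url: str) -> str:
    """Lower-cased host of a URL, tolerating defanged input and ignoring ports."""
    rest = refang(url).split("://", 1)[-1]
    return rest.split("/", 1)[0].split("@")[-1].split(":")[0].lower()


# Constructed table: (url, seen_by_bot) -> Location header, None = final page.
# Hosts are the article's IOCs; the bot branch lands on the benign cnn[.]com.
FAKE_SERVERS: Dict[Tuple[str, bool], Optional[str]] = {
    ("https://t[.]co/OswjDCIcFI", True): "https://cnn[.]com/",
    ("https://t[.]co/OswjDCIcFI", False): "https://ipresale[.]world/",
    ("https://cnn[.]com/", True): None,
    ("https://cnn[.]com/", False): None,
    ("https://ipresale[.]world/", True): None,
    ("https://ipresale[.]world/", False): None,
    ("https://example[.]com/", True): None,   # control link, no cloaking
    ("https://example[.]com/", False): None,
}

# Assumed placeholder for a preview-fetcher UA; not X/Twitter's real string.
PREVIEW_BOT_UA = "Twitterbot/1.0 (assumed)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"

Fetch = Callable[[str, str], Optional[str]]


def fake_fetch(url: str, user_agent: str) -> Optional[str]:
    """Simulated cloaking server: answers differently when the UA looks like a crawler."""
    looks_like_bot = "bot" in user_agent.lower()
    if (url, looks_like_bot) not in FAKE_SERVERS:
        raise ValueError(f"constructed table has no entry for {url}")
    return FAKE_SERVERS[(url, looks_like_bot)]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # make urlopen raise HTTPError on 3xx instead of following it


def http_fetch(url: str, user_agent: str, timeout: float = 10) -> Optional[str]:
    """Real HTTP variant: one HEAD request, returns absolute Location or None."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout):
            return None
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400 and err.headers.get("Location"):
            return urllib.parse.urljoin(url, err.headers["Location"])
        return None


def resolve_chain(url: str, user_agent: str, fetch: Fetch = fake_fetch,
                  max_hops: int = 10) -> List[str]:
    """Follow redirects hop by hop, recording every URL; stops on loops or the hop limit."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch(chain[-1], user_agent)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def detect_cloaking(url: str, fetch: Fetch = fake_fetch) -> dict:
    """Compare the final host the preview bot sees with the one a browser sees."""
    bot_chain = resolve_chain(url, PREVIEW_BOT_UA, fetch)
    user_chain = resolve_chain(url, BROWSER_UA, fetch)
    preview_host, user_host = host_of(bot_chain[-1]), host_of(user_chain[-1])
    return {
        "cloaked": preview_host != user_host,
        "preview_host": preview_host,
        "user_host": user_host,
        "bot_chain": bot_chain,
        "user_chain": user_chain,
    }


if __name__ == "__main__":
    for link in ("https://t[.]co/OswjDCIcFI", "https://example[.]com/"):
        print(link, detect_cloaking(link))
```

A differing final host is a strong signal but not proof: geo-targeting, A/B tests and consent walls also produce UA- or client-dependent redirects, so treat the result as a triage flag and inspect the user-side landing page. Note that the shortener-update variant the article mentions (bit[.]ly pointed at a legitimate site only until the card is cached) is not caught by a single comparison; it needs the link re-resolved periodically after the card was generated.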

Silent Push Uncovers Crypto Scam Network
Further investigation by Silent Push revealed a sprawling network of nearly 90 related domains, active since 2024, likely operated by the same threat actor group.
The campaign expanded with a second X/Twitter ad on May 5, 2025, redirecting through chopinkos[.]digital to itokensale[.]live, displaying nearly identical scam content.
Using advanced tools like Silent Push's Web Resource Scan, analysts identified reused files, favicons, and infrastructure fingerprints, such as specific IP addresses (e.g., 51.15.17[.]214) and name servers (ns1.chsw.host), linking these domains to a broader ecosystem of financial fraud.
Many sites also abuse Apple trademarks or impersonate other brands, with some tied to suspicious .ru domains, though direct attribution remains uncertain.
This sophisticated operation underscores the evolving tactics of cybercriminals in exploiting social media platforms for financial gain, highlighting the urgent need for enhanced URL validation mechanisms and user awareness.
Below is a curated list of Indicators of Compromise (IOCs) associated with this campaign, provided by Silent Push to aid in threat detection and mitigation:
| Type | Indicator | Description |
|---|---|---|
| IP Address | 51.15.17[.]214 | Dedicated IP used by scam domains |
| Domain | ipresale[.]world | Primary scam landing page |
| Domain | itokensale[.]live | Secondary scam landing page |
| Domain | chopinkos[.]digital | Redirect domain in recent campaign |
| NameServer | ns1.chsw.host | Suspicious name server used by many scam sites |
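The IOC table is most useful when the shared infrastructure (dedicated IP, name server) is matched as well as the named domains, since the article notes nearly 90 related domains beyond the handful listed. The script below is an added example, not Silent Push's tooling: it parses the table as printed above, scans constructed resolver log lines (timestamp, client, query name, record type, answer) and flags domain matches including subdomains, answers pointing at the listed IP, and NS answers naming the listed name server. Queries that match only on shared infrastructure are reported as pivot candidates for further investigation. The log lines, client addresses and the `.example` domains are constructed for illustration.

```python
"""Scan resolver logs against the article's IOC table and surface pivots.

Added example, not Silent Push's tooling. IOC_TABLE is copied from the article;
SAMPLE_LOG is constructed to exercise each kind of match.
"""
from typing import Dict, Iterable, List, Set

IOC_TABLE = """\
| Type | Indicator | Description |
|---|---|---|
| IP Address | 51.15.17[.]214 | Dedicated IP used by scam domains |
| Domain | ipresale[.]world | Primary scam landing page |
| Domain | itokensale[.]live | Secondary scam landing page |
| Domain | chopinkos[.]digital | Redirect domain in recent campaign |
| NameServer | ns1.chsw.host | Suspicious name server used by many scam sites |
"""

# Constructed log lines: 203.0.113.0/24 is documentation space, .example is reserved.
SAMPLE_LOG = """\
2025-05-06T10:01:02Z 10.0.0.15 ipresale.world A 51.15.17.214
2025-05-06T10:01:05Z 10.0.0.15 www.example.org A 203.0.113.10
2025-05-06T10:02:11Z 10.0.0.22 www.itokensale.live A 51.15.17.214
2025-05-06T10:03:40Z 10.0.0.22 newpresale.example NS ns1.chsw.host.
2025-05-06T10:04:01Z 10.0.0.31 some-other.example A 51.15.17.214
2025-05-06T10:05:00Z 10.0.0.31 example.org A 203.0.113.10
"""


def refang(s: str) -> str:
    """Undo the [.] defanging used in the published IOC table."""
    return s.replace("[.]", ".")


def norm(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot of a fully qualified answer."""
    return name.lower().rstrip(".")


def parse_ioc_table(text: str) -> Dict[str, Set[str]]:
    """Read a markdown IOC table into sets keyed by indicator type."""
    iocs: Dict[str, Set[str]] = {"ip": set(), "domain": set(), "ns": set()}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0].lower() == "type" or cells[0].startswith("-"):
            continue  # header and separator rows
        kind, indicator = cells[0].lower(), norm(refang(cells[1]))
        if kind.startswith("ip"):
            iocs["ip"].add(indicator)
        elif kind == "domain":
            iocs["domain"].add(indicator)
        elif kind == "nameserver":
            iocs["ns"].add(indicator)
    return iocs


def domain_listed(name: str, domains: Set[str]) -> bool:
    """True for an exact match or any subdomain of a listed domain."""
    name = norm(name)
    return any(name == d or name.endswith("." + d) for d in domains)


def scan_logs(lines: Iterable[str], iocs: Dict[str, Set[str]]) -> List[dict]:
    """Return one hit per log line that touches a listed domain, IP or name server."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash mid-scan
        ts, client, qname, rtype, answer = parts
        reasons = []
        if domain_listed(qname, iocs["domain"]):
            reasons.append("domain")
        if rtype == "A" and answer in iocs["ip"]:
            reasons.append("ip")
        if rtype == "NS" and norm(answer) in iocs["ns"]:
            reasons.append("ns")
        if reasons:
            hits.append({"ts": ts, "client": client, "qname": norm(qname),
                         "reasons": reasons})
    return hits


def pivot_candidates(hits: List[dict]) -> Set[str]:
    """Domains flagged only through shared infrastructure, i.e. not yet in the list."""
    return {h["qname"] for h in hits if "domain" not in h["reasons"]}


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOG.splitlines(), parse_ioc_table(IOC_TABLE))
    for h in found:
        print(h)
    print("pivot candidates:", sorted(pivot_candidates(found)))
```

The IP and NS matches deserve different confidence: the article calls 51.15.17[.]214 a dedicated IP, so a new domain resolving there is a strong lead, whereas a shared name server can host unrelated customers, so NS-only hits should be corroborated (favicon or file reuse, registration data) before being blocked.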