On January 25, public information revealed that the X (formerly Twitter) account of Scroll co-founder Kenneth Shen was illegally compromised. After gaining control of the account, attackers impersonated official project representatives and sent mass direct messages containing phishing content, attempting to lure recipients into clicking malicious links or submitting sensitive information.
From an attack methodology perspective, this incident did not exploit on-chain protocol vulnerabilities. Instead, it represents a classic social engineering attack that leverages the industry influence and perceived credibility of a compromised account to lower victims’ psychological defenses.
The “Trust Amplification Effect” of Phishing Attacks
Compared with scams originating from ordinary fraudulent accounts, the risk of such attacks lies in their “trust amplification effect.” When attackers gain control of accounts belonging to well-known project founders or core team members, direct messages are far more likely to be mistaken for official announcements, internal communications, or urgent security notices.
In the crypto industry, attackers commonly use narratives such as “account anomalies,” “compliance reviews,” or “airdrop confirmations” to prompt users to click links or connect their wallets. Once users enter seed phrases, private keys, or authorize transactions on phishing pages, assets can be transferred within a very short time.
Social Platforms as High-Frequency Attack Surfaces
In recent years, as protocol-level security has generally improved, attackers have increasingly shifted their focus to user-facing channels and communication layers. Social media accounts, instant messaging tools, and email are becoming primary entry points for crypto-related fraud.
For developers and project teams, a compromised account can not only directly harm community users but also inflict long-term damage on a project’s reputation and trust foundation. As a result, securing social media accounts has become an essential component of project operations.
Practical Warnings for Users and Institutions
This incident serves as a reminder for users to remain highly vigilant toward any “official requests” received via direct messages, particularly those involving link redirection, wallet interactions, or information submission. Even when messages originate from familiar industry figures, cross-verification through other public channels is strongly advisable.
From an institutional perspective, strengthening account permission management, enabling multi-factor authentication, and establishing incident response mechanisms for abnormal activity are foundational measures for reducing such risks.
The Complementary Role of On-Chain Monitoring and Security Awareness
Although phishing attacks primarily occur off-chain, their ultimate objective is often the transfer of on-chain assets. Continuous analysis of abnormal transactions, suspicious addresses, and fund flows can help assess the scope of impact after an incident and provide a basis for subsequent response actions.
In this process, on-chain risk analysis capabilities—such as those provided by Trustformer KYT—are primarily reflected in the identification and correlation analysis of suspicious fund movements, offering an on-chain perspective to support post-incident investigation and risk assessment.
As attack techniques continue to evolve, closer coordination between account security, user education, and on-chain monitoring is increasingly becoming a core component of comprehensive risk management in the crypto industry.