A coordinated social media hijacking targeting two of the most recognized technology brands in the world has resulted in a cryptocurrency fraud netting roughly $125,000 in Ethereum — the latest and among the most brazen examples of a growing criminal playbook that exploits trusted digital audiences to execute token rug pulls at speed.
According to on-chain intelligence firm Lookonchain, an unidentified threat actor gained unauthorized access to the official SpaceXAI and Starlink accounts on X, the social media platform formerly known as Twitter, and used the compromised profiles to promote a fraudulent cryptocurrency token called SCATMAN. Once the token had attracted sufficient liquidity from retail buyers drawn in by the apparent legitimacy of two household-name accounts, the attacker executed a classic rug pull — draining the pooled funds and disappearing. Lookonchain subsequently traced the stolen proceeds across two separate cryptocurrency wallets, providing partial visibility into the movement of the illicit ETH.
The mechanics of the fraud are disturbingly simple, which is precisely what makes them so effective and so difficult to legislate against in real time. A rug pull occurs when the creator of a token — or in this case a fraudster who has seized promotional infrastructure — artificially inflates demand for a newly minted asset, then abruptly withdraws all liquidity, leaving buyers holding worthless tokens. The entire lifecycle of such a scheme can play out in minutes. Against the backdrop of verified or high-follower accounts associated with Elon Musk's aerospace and satellite internet ventures, prospective buyers face an almost impossible task in distinguishing authentic announcements from fraudulent ones without conducting deep technical due diligence before every purchase — an unrealistic standard for casual retail participants.
This incident does not stand alone. The SCATMAN rug pull mirrors a well-documented pattern of high-profile social media account takeovers specifically engineered to promote fraudulent tokens. Over recent years, the accounts of governments, central banks, major corporations, celebrities, and technology executives have all been compromised for similar ends. What distinguishes the current wave is the operational sophistication: attackers appear to be selecting targets not for their follower count alone, but for their thematic proximity to emerging technology and digital assets — areas where an audience is plausibly predisposed to engage with a new token announcement without immediate skepticism.
The choice of SpaceXAI and Starlink as vehicles is tactically deliberate. Both accounts carry enormous implicit credibility in technology and innovation circles, and both are associated with a figure — Elon Musk — who has demonstrated documented influence over cryptocurrency markets. A single post from either account under normal conditions would be taken as authentic by millions of followers, providing the fraud window of amplification that it requires. The compressed timeline between account compromise, token promotion, liquidity accumulation, and final exit is designed to outpace both platform moderation and the individual investor's capacity to react.
From a financial crime and compliance standpoint, the $125,000 ETH extraction tracked by Lookonchain across two wallets represents a forensically traceable sum — and one that blockchain analytics firms are well-equipped to monitor. Ethereum's transparent public ledger means that while the pseudonymous attacker may have obscured identity, the capital flows remain visible and potentially actionable by law enforcement agencies with the appropriate technical resources and jurisdictional reach. Whether that translates into a prosecution, however, remains another matter entirely. Cross-border cryptocurrency fraud of this nature continues to test the limits of international cooperation frameworks, and the lag between on-chain identification and legal enforcement remains a structural vulnerability that the industry has not solved.
Regulators across major markets — from the United States Securities and Exchange Commission to the European Securities and Markets Authority — have repeatedly flagged social media-facilitated token fraud as a priority concern. Yet the architecture of decentralized token issuance, combined with the speed of modern social platforms, continues to provide a structural advantage to bad actors operating in the gap between regulatory intent and practical enforcement.
What This Means
The SCATMAN incident is not merely a story about a $125,000 theft. It is a stress test of the entire information-trust model that underpins retail cryptocurrency participation. As long as verified social media accounts can be weaponized to confer false legitimacy on fraudulent assets — and as long as rug pulls can be executed and exited within the lifespan of a single trending post — no amount of investor education alone will close the gap. The burden must shift to platform security architecture, on-chain monitoring infrastructure like that demonstrated by Lookonchain, and coordinated regulatory action that treats social media account security as a financial crime vector, not merely a cybersecurity nuisance. Until that alignment occurs, the playbook will keep working.
Written by the editorial team — independent journalism powered by Codego Press.