How a Hacked SpaceX Account Turned Brand Trust Into $135,000 in Minutes
On July 12, attackers compromised the verified X accounts of SpaceX and Starlink, using two million and 1.6 million followers respectively to promote a fake memecoin called SCATMAN, netting roughly $135,000 in under an hour. The breach exposed a critical vulnerability in crypto security: social media logins are now a more valuable target than smart contracts or blockchain bridges.
What Happened During the SpaceX Account Hack?
The attack unfolded with surgical precision. An account impersonating "Sam Catman," a pun on OpenAI chief executive Sam Altman, appeared with a false affiliation badge tied to SpaceX's artificial intelligence work. The name played on the public feud between Elon Musk and Altman, a conflict that had produced a $150 billion lawsuit and made the promotion feel plausible within Musk's brand voice.
The SCATMAN token was deployed on Robinhood Chain, a layer 2 network that had launched just eleven days earlier and permits anyone to deploy a token without approval. When the SpaceX and Starlink accounts reposted the promotion with the contract address and ticker, trading exploded. Market capitalization estimates varied wildly, from $800,000 in the first twenty minutes to $2 million on some trackers, with reported peaks as high as $32 million on certain onchain analytics platforms. The 24-hour trading volume reached approximately $5.7 million.
The attacker then dumped ten trillion SCATMAN tokens across two wallets. Onchain analytics firm Lookonchain traced 59 ether (roughly $108,000) from one wallet and 14.7 ether (about $27,000) from a second wallet controlled by the same actor. Liquidity drained instantly. The price collapsed 98 percent. By Sunday evening, the posts were removed, the Sam Catman account was suspended, and control of the SpaceX and Starlink handles was restored.
Why Is This Attack More Dangerous Than Traditional Crypto Hacks?
The dollar figure of $135,000 is deceptively small. SpaceX itself holds $1.16 billion in bitcoin on its balance sheet, and the payday represents a rounding error compared to the eight-figure exploits that dominate crypto security discourse. Yet this gap between the scale of the brand exploited and the size of the payday reveals the actual threat: the cheapest attack surface in crypto is not a smart contract vulnerability, a bridge exploit, or an oracle flaw. It is a login.
Traditional crypto defenses assume attackers must defeat cryptography, economics, or code. The July 12 attacker defeated none of those. They defeated a password, borrowed a decade of accumulated public trust for roughly forty minutes, and converted it directly into ether at the expense of anyone who believed what a verified account told them. As of publication, neither SpaceX nor X has explained how the accounts were compromised, and Robinhood has not commented on its chain hosting the token.
The pattern extends far beyond SpaceX. When attackers seized the dormant account of Keith Gill, better known as Roaring Kitty, in May 2026, they launched a token on Solana and cleared more than $600,000 in half an hour. When the Pump.fun account was compromised in February 2025, one wallet made over $135,000 in under a minute. A hijacked account belonging to former Malaysian prime minister Mahathir Mohamad produced $1.7 million in losses. The United States Securities and Exchange Commission's own account announced a fake bitcoin exchange-traded fund (ETF) approval in January 2024, moving the entire market.
How Do Attackers Exploit Verified Accounts for Crypto Scams?
- Speed Over Depth: Attackers do not need brand trust to last. They need it to survive for the length of a single candle, or trading period. A memecoin launched by an anonymous wallet reaches nobody; the same token reposted by an account with millions of followers reaches a market instantly.
- Market Depth as the Real Constraint: The attacker's profit was limited not by audience or credibility, but by liquidity. The attacker extracted essentially all the liquidity that existed in the pool. On a deeper chain or with a slower response from security teams, the same attack with the same inputs produces a much larger number.
- Plausibility Through Brand Voice: The Sam Catman account succeeded because the promotion felt consistent with observed Musk company behavior. Musk's companies post irreverently, and a crude swipe at a rival chief executive, delivered as a memecoin, sits within the plausible range of brand activity.
- Permissionless Token Deployment: Robinhood Chain's design enabled rapid token deployment without approval, allowing the attacker to launch SCATMAN and have it promoted to millions within minutes, before any verification or security review could occur.
What Does This Mean for Crypto Security?
The defense industry has no product for this category of attack. There is no audit that certifies a chief executive's password manager. There is no bug bounty covering a social media platform's session token handling. The security spend that protects a protocol treasury, multisig thresholds, hardware wallets, and timelocks all terminates at the edge of the blockchain, and the attack originates one layer above, in a social media account.
The incident also highlights an emerging threat in crypto: AI agents. In May 2026, attackers drained roughly $175,000 from a Grok-linked Bankrbot wallet using a hidden Morse code instruction embedded in a tweet. Unlike typical crypto exploits stemming from smart contract bugs, stolen private keys, or bridge vulnerabilities, this attack came from a carefully crafted prompt that the AI agent interpreted as a legitimate command. The transaction executed in seconds.
As AI agents become more popular in crypto trading and decentralized finance (DeFi), they introduce a new category of risk called prompt injection, where hidden instructions embedded in content hijack an agent's behavior. Traditional security tools cannot catch these attacks because they operate outside the blockchain layer.
The SpaceX breach and the broader pattern of account takeovers demonstrate that crypto's security infrastructure has solved the wrong problem. The industry has built elaborate defenses against smart contract exploits, bridge hacks, and oracle manipulation. What it has not solved is the human layer: the login, the password, the social media session token. Until that changes, verified accounts with large followings remain the cheapest and most profitable attack surface in crypto.