A coordinated wave of account takeovers targeting LGBTQ+ content creators has exposed how cybercriminals are weaponizing social media hijacks to extort cryptocurrency payments. Attackers are using phishing tactics to steal login credentials, then demanding digital asset ransoms while repurposing compromised accounts to promote cryptocurrency schemes and political messaging.

How Are Hackers Stealing Creator Accounts?

The attack pattern is straightforward but effective. Victims receive direct messages that appear to come from trusted contacts whose accounts have already been compromised. These messages direct creators to what looks like an official X login page, but is actually a phishing site designed to harvest credentials. Once attackers gain access, they immediately change the account's recovery information, locking the legitimate owner out.

One of the highest-profile victims was Patrick Bewley, known online as Daddy Patrick, who had built an audience of more than 132,000 followers on X. After the attacker gained control, they demanded 2,000 GAT tokens in exchange for returning the account. When Bewley refused to pay, the ransom demand escalated to the equivalent of $3,000 in cryptocurrency.

What Are Attackers Doing With Stolen Accounts?

Once in control, hackers aren't just holding accounts for ransom. They're actively using the compromised profiles to spread cryptocurrency-related content and political messaging to tens of thousands of followers. This dual-purpose exploitation serves two goals simultaneously: pressuring victims into paying ransoms while amplifying fraudulent crypto promotions to a captive audience.

Creator Jasun Mark eventually regained access to his account after an extended disruption, but not before his profile had published cryptocurrency promotions to his followers. Other creators, including Fabian Quezada (known professionally as Buck Bronco) and Liam Angell, also fell victim to similar attacks. Some victims chose not to negotiate with attackers, fearing that paying would only encourage further financial demands.

Steps to Protect Your Social Media Accounts From Phishing Attacks

• Enable Two-Factor Authentication: Use authenticator apps rather than SMS-based codes, which can be intercepted. This adds a critical second barrier even if your password is compromised.
• Verify Login Pages Carefully: Always check the URL in your browser's address bar before entering credentials. Phishing sites often use URLs that look similar to legitimate ones but contain subtle misspellings.
• Be Suspicious of Unsolicited Messages: Even if a message appears to come from someone you know, verify through another channel before clicking links or following instructions, especially those directing you to login pages.
• Use Unique, Complex Passwords: Avoid reusing passwords across platforms. A password manager can help generate and store unique credentials for each account.
• Monitor Account Recovery Settings: Regularly check that your recovery email and phone number are still correct. Attackers often change these first to lock you out permanently.

Why Is This Trend Growing in the Crypto Space?

Cybersecurity specialists believe phishing remains one of the most effective methods for stealing access to high-profile social media accounts because it exploits human psychology rather than technical vulnerabilities. The crypto angle adds financial incentive: cryptocurrency payments are difficult to trace and reverse, making them ideal for extortion schemes.

Experts also warn that criminals may be using artificial intelligence to scale phishing campaigns and identify valuable targets ahead of major political events. The timing and coordination of these attacks suggest a level of organization beyond random opportunistic hacking.

This isn't an isolated incident. Earlier in June 2026, Supra, a blockchain project, confirmed that its official X account was accessed without authorization. The compromised account was used to spread a fake announcement promoting a "$SUPRA token launch on Ethereum" along with a phishing-style airdrop campaign designed to steal credentials from users trying to claim non-existent tokens.

What Should Platforms and Users Know?

The incidents highlight a critical vulnerability in how social media platforms handle account security. While X and other platforms offer security features, the burden of protection still falls largely on individual users. Creators with large followings are particularly attractive targets because their compromised accounts can reach thousands of people instantly, amplifying both the ransom pressure on the victim and the reach of fraudulent crypto promotions.

The pattern of using stolen accounts to promote cryptocurrency schemes suggests that attackers are operating with knowledge of the crypto ecosystem. They understand which tokens might be valuable to promote, how to craft convincing fake announcements, and how to pressure victims who may be reluctant to involve law enforcement due to the sensitive nature of their content or concerns about cryptocurrency's regulatory status.

For content creators and anyone with a substantial social media following, the message is clear: phishing remains a critical threat, and the financial incentive for attackers has only grown as cryptocurrency becomes more mainstream. The combination of social engineering, account takeover, and crypto-based extortion represents a new frontier in cybercrime that traditional security advice alone may not fully address.