Yat Siu's X Account Falls Victim to Coordinated Token Scam Campaign

Yat Siu, the co-founder of Animoca Brands and one of the crypto industry’s most influential figures, saw his X account compromised in a sophisticated attack designed to promote a fraudulent token. The incident, which occurred in late December 2024, highlights the growing threat of social engineering attacks targeting high-profile industry leaders. Animoca Brands swiftly issued a warning to alert followers that Siu’s account had been breached and clarified that no official token or NFT launch was in progress.

How the Attack Unfolded: Phishing Tactics and Account Takeover

The breach was orchestrated through a deceptive email that impersonated X’s legal and compliance team, claiming to address copyright infringement concerns. This social engineering approach proved effective enough to grant threat actors access to Yat Siu’s account credentials. According to crypto security researcher ZachXBT, this attack was not an isolated incident—it was part of a coordinated campaign that resulted in multiple similar account compromises over the previous month, with perpetrators collectively siphoning approximately $500,000 from victims during that period.

The attackers moved quickly to exploit the compromised account by publishing posts promoting a counterfeit token, demonstrating how rapidly threats can escalate once account access is obtained.

The Counterfeit MOCA Token and Mocaverse Connection

The fraudulent posts from Yat Siu’s account promoted a fake token named MOCA on the Solana blockchain. This choice was deliberate—the scammers leveraged the reputation and recognition of the legitimate Moca Coin (MOCA), which is associated with Mocaverse, a project in which Animoca and Yat Siu maintain significant stakes. Mocaverse functions as an account and identity management system within the broader ecosystem, making it an attractive target for reputation-hijacking schemes.

The threat actors behind the counterfeit token were actively developing additional revenue streams, including deploying NFT collections on memecoin platforms like Pump.fun. On-chain data revealed that the wallet associated with this campaign held approximately $67,000 in USDC stablecoin, though it remains unclear whether these funds represent direct proceeds from the phishing operation or were accumulated through other means.

Response and Recovery: Securing Yat Siu’s Account

X moved swiftly to secure control of Yat Siu’s account and began the process of verifying his ownership. Mocaverse and Animoca Brands issued statements confirming that all official organizational accounts remained untouched and that robust security measures were in place to prevent further unauthorized access. “There is no compromise on Animoca Brands, Moca Network or MOCA Foundation official handles,” they reassured stakeholders, emphasizing the distinction between Yat Siu’s personal account and corporate infrastructure.

Broader Implications: A Month of Sophisticated Social Engineering

The incident underscores a troubling trend in crypto security. Over the course of a month, dozens of similar phishing campaigns targeted influential figures in the industry, each employing nearly identical tactics: fraudulent emails impersonating platform support teams, followed by account takeovers and token promotion schemes. ZachXBT’s investigation revealed the coordinated nature of these attacks, suggesting either a single sophisticated threat group or a network of copycat attackers exploiting the same vulnerabilities.

For the crypto community, the attack on Yat Siu serves as a critical reminder that even seasoned industry leaders with extensive knowledge are vulnerable to well-executed social engineering attacks. The incident highlights the importance of multi-factor authentication, security awareness training, and the need for platforms like X to strengthen their account recovery and verification processes to protect high-profile users from becoming vectors for scam promotion.