A $135,000 memecoin scam executed through hijacked SpaceX and Starlink X accounts on July 12 highlights a growing threat: attackers bypassing crypto-native defenses by stealing social media logins to borrow brand trust for rapid token dumps. The incident, which lasted under an hour, saw the verified accounts repost promotional content for a token called SCATMAN, leading to a 575% price surge before the posts were removed and the attacker cashed out.
The attack in detail
The attacker created an account posing as "Sam Catman," a pun on Sam Altman, and falsely linked it to SpaceX's AI work. The SpaceX and Starlink accounts, with a combined 3.6 million followers, reposted the promotion without any usual signs of compromise like banner changes. Onchain analytics from Lookonchain show the attacker minted 10 trillion SCATMAN tokens on Robinhood Chain, which had launched just 11 days earlier and allows permissionless token deployment. The tokens were sold across two wallets for about 73.7 ether, worth roughly $135,000.
Trading volume reached $5.7 million in 24 hours, with peak market cap estimates varying wildly from $800,000 to $32 million, reflecting the token's thin liquidity. The attacker extracted nearly all available liquidity, leaving buyers with worthless tokens once the posts were taken down and the accounts restored the same evening. Neither SpaceX nor X has explained how the accounts were compromised, and Robinhood has not commented.
Credibility as a cheap attack surface
The $135,000 profit is modest compared to typical crypto hacks, but the breach underscores a systemic vulnerability: social media logins are now a cheaper and more effective attack vector than smart contract exploits. The attacker didn't beat cryptography or code—they beat a password, borrowing a decade of accumulated public trust for roughly 40 minutes. This "credibility arbitrage" model has been used repeatedly: a hijacked Roaring Kitty account cleared $600,000 in May 2025, a Pump.fun compromise netted $135,000 in under a minute, and a former Malaysian prime minister's account led to $1.7 million in losses.
The pattern extends across industries and platforms, from the SEC's fake bitcoin ETF announcement in 2024 to compromised accounts of Scroll co-founder Ye Chen and Pepe creator Matt Furie. What unites these attacks is follower count, not security posture. Crypto's existing defenses—audits, bug bounties, formal verification—all terminate at the blockchain's edge, while the attack originates one layer above, in consumer social media platforms with no stake in crypto's outcomes.
The industry's blind spot
The core risk isn't just stolen funds but the erosion of trust in verified institutional accounts. The attacker's profit was constrained not by audience size but by market depth: on a deeper chain or with slower security response, the same method could yield far more. The industry has outsourced its most important trust primitive to social networks without any contractual relationship. There is no audit for a CEO's password manager, no bug bounty for session token handling—leaving brands and their followers exposed to a threat model that crypto's defenses were never designed to address.