SimpleX Chat, a privacy-first messaging platform known for avoiding user identifiers and emphasising metadata protection, confirmed that its official X (formerly Twitter) account was compromised in a coordinated attack designed to trick users into connecting their cryptocurrency wallets to a fake website which mimicked the SimpleX Chat interface.
The Incident
According to SimpleX, the attackers exploited the “delegate” feature on X, which allows business accounts to assign posting permissions to third-party profiles. An unauthorised delegate was added to the @SimpleXChat account, and shortly afterwards, a tweet promoting a fake initiative called “Perpetuals Early Access” appeared, linking to a lookalike domain: simplexspot.com.
The tweet promised users the chance to “become a founding user of the perpetual communication network” and pitched “Security & Ownership That Never Expires.” The goal was to lure users into connecting their wallets through a button labelled “Connect Wallet,” mimicking typical Web3 project onramps.
Over 30 verified X accounts were also contacted via direct message from the compromised @SimpleXChat profile, urging them to engage or repost the fraudulent message. Accounts belonging to @Netlify and @wellowealth were also compromised and used to amplify the scam.
Wello Wealth has confirmed that their account was hacked and has since been restored. However, Netlify has not publicly confirmed or denied the incident.
The Scam Site
A screenshot of the fake site shows a professionally designed interface almost identical to SimpleX Chat’s real homepage, complete with visuals of a connected earth, glowing network arcs, and familiar fonts. The call to action “Connect Wallet” is not found on the legitimate SimpleX Chat platform, which does not offer crypto-based onboarding or token integration.
The page features branding, colours and layout consistent with the official SimpleX design, including misleading references to 2022 and 2024 security audits and links to download apps, reinforcing its false legitimacy.
SimpleX’s Response
SimpleX’s founder, Evgeny Poberezkin, confirmed the breach, saying the team lost access to 2FA during the incident, preventing them from logging in or removing the post in time. Though they managed to reset the password, the unauthorised delegate retained access and posted the scam tweet before the team could intervene.
SimpleX has since restored access to the X account and thanked the platform’s support team for quick action. The fraudulent tweet remained live for about three hours before removal, thanks in part to community members who publicly flagged the scam. Poberezkin also noted that his personal account was blocked by the attackers during the breach to limit public warnings.
Reports have been filed with Cloudflare, the domain registrar NiceNIC, and the hosting provider OVHcloud to take down the malicious site, but as of this writing, the fake site remains active.
No Crypto, No Tokens
SimpleX clarified that it has no plans to offer cryptocurrency-based services or launch tradable tokens. While the project may use blockchain for certain infrastructure components in the future, none of these would require users to hold or interact with crypto assets.
The team warned users to treat any offer involving token presales, wallet connections or crypto incentives as fraudulent unless announced clearly through official channels. SimpleX emphasised that it does not engage in short-term hype campaigns or time-sensitive offers, and all roadmap updates are shared publicly well in advance for transparency and community input.
SimpleX has also urged X to improve security around its delegate feature, suggesting stricter controls and better notifications for delegated access. The ease with which a trusted profile was turned into a malicious tool shows how attackers are abusing business account features for phishing and financial theft.
Know this X users
If you are on X and active in the crypto world, you must follow these simple yet vital security precautions to protect your account and funds:
- Never connect wallets to unverified sites.
- Report impersonation sites directly to hosting and domain providers.
- Avoid clicking on suspicious links from official-looking profiles without cross-checking.