On-chain investigator ZachXBT pointed out risks in the new XChat feature. The chat is being deployed to a small group of users for testing, but ZachXBT believes more filters are needed to protect users from phishing attempts and malicious files.
On-chain investigator ZachXBT discovered a flaw in the newly deployed feature, called XChat. The social media platform is testing the chat feature, with XChat replacing its current DM system. XChat does not change DMs completely, but updates and improves the existing messaging system.
ZachXBT said that anyone can currently add users to group chats, which opens another vector for phishing attacks. He notified Elon Musk, who responded immediately.
Update your DMs & XChat by adding a filter to choose who can add to Group Chats.
Currently, users can add to groups unless they turn off messages completely. pic.twitter.com/nbp21bhsrf
– Zachxbt (@zachxbt) June 16, 2025
ZachXBT also identified another potential threat: anyone can send files through XChat. Musk's quick response showed that crypto influencers are among X's key voices as the platform tries to combine privacy with protection against attackers and fraudsters. End-to-end encryption can increase security for legitimate users, but it can also conceal an attacker. Vanishing messages also undermine efforts to track and prove fraud.
ZachXBT also asked for filters to screen out unknown users. A malicious file or link is one of the attack vectors in crypto theft. DM solicitations also carry the risk of malicious links to smart contracts, wallet drainers, fake tokens, or other attacks. On-chain researchers have not pointed to any specific attacks via XChat, but such attacks may share features with common DM fraud, solicitation, and hacking attempts.
The first XChat version may also be open to spam bots that send DMs and organize chats. Instead of a wave of visible promotions on social media, scams and token shilling could move to closed chats.
With XChat rolling out in 2025, the crypto community already says it could become a hub for crypto scams. Some of the potential solicitations and phishing could resemble Discord servers with fake token sales or fraudulent OTC transactions.
XChat aims to turn X into an "everything app"
XChat has been deployed only to selected groups of premium users since May 30th. Group chats include encrypted messages, vanishing messages, file sharing, voice calls, and video calls without registering a phone number.
All premium subscribers received access to XChat in June, but there is no specific timeline for rolling the feature out to all users.
The chat aims to improve privacy, but privacy can also be a useful feature for online scammers. Phishing accelerated in 2025, with over $47 million lost in May, based on CertiK data. In April, phishing losses were $337 million.
X is also a venue for account theft, a common form of attack over the past two years. Compromised accounts have often posted meme tokens or malicious smart contracts.
X has extended its integration with crypto projects and recently named Polymarket its official prediction market partner for current events. So far, X hasn't integrated any specific cryptocurrency, but there are third-party solutions for sending crypto via social media.