The Architecture of a Massive Turkish Phishing Attack that Hacked Me


On Jan 22, 3:25pm PST, my Twitter/X account was hacked in a Turkish phishing attack. The hacker had control of my account for about 5 hours before X suspended my account. On Jan 28, 6:43PM, a whole 6 days later, I finally got my account back. I’ve been posting on X every day for nearly 5 years, so I’d be lying if I said the experience didn’t jolt me. I’m extremely thankful for my friends who notified me in real time as this was happening (I was hosting a large event in New York City at the time) as well as all the people who helped me get in touch with employees at X to help resolve the situation, although I must admit X support was not a fun experience.

The news of my account's hacking actually trended on X for a brief period.

It’s hard to describe the rollercoaster of emotions when you go through the experience of being hacked. From the outside it feels small: “oh, it’s just an online account! Don’t worry, you’ll get it back” but from the inside you see someone using your identity to misrepresent you and tarnish your reputation to the world while you feel helpless.

In this article, I share the cyber forensics of exactly how an attack like this happened, who did it, and how to prevent it happening to you. I regularly download archived copies of my X data and I made sure to run a diff after the attack and before to triangulate what really happened.

Timeline

Part 1 - The Hack [2hr]

Jan 21, 8:28 AM PST: I get an email from notify@authnotify-x.com that passes the Gmail spam filter. Others have reported getting one from notify@compliancereport-x.com. I’ve received similar emails from X when I get community notes or for policy violations, and the email (likely vibe-coded) was extremely compelling unless you read the domain name. It used my actual Twitter handle and a real post that I made.

The “Submit Appeal” links to a Google AMP domain, which probably helps them skirt some ML filter for safety. The link was: https://cdn.ampproject.org/c/s/zanitoya.com/href/deedydas. That redirects to zanitoya.com/href/deedydas which ultimately lands on https://appealpoint-x.com/copyright/deedydas which is now taken down, but as we’ll see, taking down individual domains doesn’t stop the operation.

The contents of the phishing email

Jan 22, 3PM PST: I was travelling in New York and saw this email on my phone while walking on a -10°C day between meetings. I recall receiving very similar emails before, and on closer inspection realized that I had inadvertently avoided a similar scam earlier (from info@content.issuealert-x.com). I’ve had Community Notes and other such violations before, and they always come through the X app: you should see something on the X post itself, not in an email.

A previous email from April that I fortunately did not click on

I clicked on it. The landing page looked legitimate, displaying my actual tweet. I was directed to contest the accusation and then asked to login. Because I was on mobile in the browser and this happens from time to time, I didn’t think much of it (and couldn’t really see the URL) and that was the start of getting phished. I thought I had 2FA on, but didn’t get a phone text.

Jan 22, 3:25PM PST: The hacker changes the email on the account to bellemsonja@gmail.com and officially compromises the account.

Part 2 - The Crypto Rugpull [1hr]

Jan 22, 5:01PM PST: Hacker posts this now deleted tweet from my account:

ANNOUNCING

Today, we’re introducing Cartograph, a knowledge graph for your internal codebase.

Cartograph parses commits, pull requests, reviews, and issues to map real expertise across files and modules…

Engineering orgs usually rely on intuition to answer critical questions:

  • Who actually owns this system
  • Where are our knowledge silos
  • What breaks if someone leaves

Cartograph makes this visible. Instead of static org charts or outdated docs, Cartograph builds a living map of contribution and context.

This isn’t about productivity dashboards or surveillance. It’s about reducing bus risk, onboarding faster and making better architectural and staffing decisions. All using data that already exists.

Cartograph is live today and available on Bags as $CART.

Jan 22, 5:05PM PST: Hacker posts: “I don’t even need to mention that this is an early stage project. @BagsApp was made together with @finnbags. Fees are going directly to Cartograph development”

Jan 22, 5:09PM PST: Hacker starts a Twitter space called $CART with @finnbags

Jan 22, 5:16PM PST: Hacker responds to @FarzadXBT and leaves one non-deleted tweet. I’ve since deleted it myself since recovering the account. They also liked the original tweet and another tweet from @maxleebtc about an $NVDA memecoin.

The only post the hacker made from my account (now deleted)

Jan 22, 6:02PM PST: Hacker posts a crypto pump scam: “Ticker starts now! @MenloVentures X @Solana” with a pump.fun link.

Part 3 - The Official X Impersonation and Phishing Spread [2hrs]

Jan 22, 6:14PM PST: Hacker first retweets 23 tweets from @X and @XCreators (full list with timestamps here). Then they change my username from @deedydas to @XLegalAppeal and change the photo to an “X” official photo. My Menlo Ventures flair still remained.

Jan 22, 6:19PM-8:06pm PST: Hacker reaches out to 157 prominent accounts (I initially thought it was 33 based on the X archive, but it looks like the archive actually missed a bunch). What all the targeted accounts had in common: they had 10k+ followers, were verified, they followed me and I followed them. The DM carried the same kind of phishing lure that had been sent to me via email, with the recipient’s own content used front and center. Thankfully, most did not reply or click and informed me by text immediately, but I’m aware of at least 2 accounts that were compromised this way.

The phishing message the hacker sent when my account was renamed to @XLegalAppeal

Part 4 - Account Suspension and Restoration [1hr]

Jan 22, 8:13PM PST: X learns about the hack and suspends the account. The email changes from bellemsonja@gmail.com to nothing and the handle changes from @XLegalAppeal back to @deedydas.

Jan 22, 8:10-8:39PM PST: There seems to still be some activity from malicious IPs which I later find are based in Turkey.

Jan 22, 9PM PST: The account is restored to an older snapshot (with an older profile description, removed header image, removed location, and NO display picture). All my tweets were retained but the RTs as @XLegalAppeal still persisted as well as one like and reply from the hacked account.

Part 5 - Getting My Account Back [6 days]

Jan 22, 7:05PM PST: I get an email from impersonation-support@x.com that is legitimate with the title “TS-1046251: User Impersonation - XLegalAppeal”, but Gmail decides to classify this one as Spam so I don’t see it.

Jan 22, 7:06PM PST: I get free from my event and check my texts. My friends inform me that they’re working on it.

One of my friends at X said I should reach out to getsupport@x.com so I do. My emails bounce. Apparently, that’s an internal-only X address.

Jan 23, 7:24AM & 10:23AM PST: I get two emails from access-support@x.com of the form “ACCESS-11082497: Regain access - Hacked or compromised” which both go to spam.

Jan 23, 11:03PM PST: I find the support emails in my spam folder. They ask me to reset my password if I can’t log in (I can’t), and if the reset doesn’t work either, to reply to the message with a) my username, b) the email associated with the account, c) the last date of access, and d) the phone number on the account. I promptly replied.

Jan 25-26: After not hearing back from them, I try to reset my password but keep getting redirected to the support page. I end up accidentally filing 3 more pending tickets. At this point, I’ve also texted multiple of my friends who are at X or xAI to help me resolve this (thank you Ayush, Ash Arora, Eden Chan, Yuchen Jin). They tried their best, but said they had limited visibility into the support team.

Jan 27, 3:03PM PST: I get a response on one of my tickets which said “After reviewing your request, we realized the email address you contacted us with doesn’t match the email connected to the X account you’re reaching out about.” This of course makes no sense to me because I have always received X email on my email account. Of course, later I realized that when X kicked the hacker out and locked my account, my email got changed to an empty string and later on Jan 25, 9:21 PM PST, it was changed “from dd367@cornell.edu” instead of to it, leaving the email still empty.

Presumably, the email the hacker used

Jan 28, 6:02PM PST: I get an email stating “We’re sorry that you’ve been unable to regain access to the account through our standard processes. We may be able to help by transferring the account to connect with another email address of your choice that you have access to.” and asking for a list of some verification information. I replied promptly.

Jan 28, 6:03-6:08PM PST: The email is changed back to dd367@cornell.edu on the account. I get an email saying “Thanks for providing an email address, we’ve connected it to the account for you!”

Jan 28, 6:37PM PST: X doesn’t let me log in because I’ve exceeded the number of attempts so I reach back out on email.

Jan 28, 7:37PM PST: Support replies saying they have fixed it and give me another password reset link.

Jan 28, 7:39PM PST: I have access to my account back, 6 days later.

Damage Control

While getting the account back, I filed abuse reports for the phishing domains: authnotify-x.com, appealpoint-x.com and zanitoya.com. Several of these were taken down (like appealpoint-x.com) or are no longer active, but as we’ll see in the following section, this is not as good news as it sounds. You can fairly easily look up the registrar for a domain and then file an abuse report with them.

Shortly after getting my account back:

Basic clean up: I had to reset my profile picture, change my description to what it was before, add a location and link to my profile. I un-retweeted the @X content that the hacker retweeted. I also deleted the one reply and several likes the hacker left on other posts. Initially, I thought my old tweets had disappeared but they were all still there.

Apologies: I made sure to delete the phishing DMs “for all” where I could and sent a hand-written apology note outlining the basic details of what happened.

At least 2 known accounts, if not more, were compromised through this phishing chain.

Forensics

My investigation uncovered a massive, long-running phishing campaign with over 60 identified domains operating since August 2024. All domains follow the -x.com naming pattern, designed to look like official X/Twitter domains. The campaign is still active, with 2 new domains registered on Jan 31, 2026.

The evidence strongly points to Turkish actors. Over 16 domains were registered through Turkticaret.net, a Turkish registrar, and 8 of those domains are currently live on a Turkish server (31.186.11.254). Turkticaret.net serves as both the registrar and hosting provider for these domains. IP analysis reveals connections through Turkish ISPs including Vodafone Turkey and Turk Telekom. Perhaps the smoking gun: when I downloaded the .eml file of the original phishing email, buried in the source code was the Turkish comment “Tamamı eski hâli — Hiçbir satır değişmedi” (meaning “All the old version — No line has changed”). The email was sent via SMTP2GO behind a hidden IP from account ID 933299.

The primary registrar used is Hostinger with 25+ domains, followed by Turkticaret.net with 16+ domains, and Atak Domain with 1 domain. Other registrars involved include Dynadot, NameCheap, Porkbun, Spaceship, and Squarespace.

As of this writing, 8 domains remain live on Turkish infrastructure at 31.186.11.254, including securitycheck-x.com and notifycenter-x.com which were both registered on Jan 31. The January 2026 wave saw 1 domain suspended and 15+ parked. The redirect domain zanitoya.com remains active, funneling victims to the various -x.com phishing domains.

The IP addresses I found in my account’s access logs revealed the attacker’s real location. At 3:26 PM and 5:28 PM, the attacker accessed from 85.100.64.30, an Istanbul IP on Turk Telekom (AS9121). Then at 6:21 PM, a new IP appeared: 176.54.163.57, located in Kayseri, Turkey on Vodafone Turkey (AS15897). This was confirmed at 6:38 PM when a second Kayseri IP, 5.229.110.224, also on Vodafone Turkey, appeared. The pattern suggests the attacker started sloppy, accessing directly from Turkish mobile IPs, and only realized their mistake around 7:36 PM when they switched to proxy rotation. From that point on, I found evidence of automated IP rotation through ISPNET Communications (AS398539), a residential proxy network, with 12 different IPs from the 23.161.192.0/24 range appearing within just 63 minutes. By then, the damage was done—the attacker’s true location in Kayseri, Turkey was exposed.
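The pattern described above (direct ISP logins, then a burst of distinct IPs from one residential-proxy /24) can be picked out of an access log automatically. This is an added example, not code from the original post: it runs over a constructed event list modelled on the timeline, groups first-seen IPs by /24, flags blocks where many new IPs appear within an hour, and returns the IPs seen before rotation began, which are the ones worth geolocating.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed access-log sample modelled on the article's Jan 22 (PST) timeline:
# direct ISP logins first, then 12 proxy IPs from one /24 at 5-minute intervals.
BASE = datetime(2026, 1, 22)

def t(hhmm):
    return BASE + timedelta(hours=int(hhmm[:2]), minutes=int(hhmm[3:]))

EVENTS = [
    (t("15:26"), "85.100.64.30"), (t("17:28"), "85.100.64.30"),
    (t("18:21"), "176.54.163.57"), (t("18:38"), "5.229.110.224"),
] + [(t("19:36") + timedelta(minutes=5 * i), f"23.161.192.{40 + i}") for i in range(12)]

def first_seen(events):
    """Map each IP to the first timestamp it appeared at."""
    seen = {}
    for ts, ip in sorted(events):
        seen.setdefault(ip, ts)
    return seen

def rotation_bursts(events, prefix=24, min_ips=5, window=timedelta(hours=1)):
    """Return (network, n_ips, first, last) for every /prefix block in which at
    least min_ips distinct IPs were first seen inside a sliding `window`."""
    by_net = defaultdict(list)
    for ip, ts in first_seen(events).items():
        by_net[ip_network(f"{ip}/{prefix}", strict=False)].append(ts)
    bursts = []
    for net, times in by_net.items():
        times.sort()
        best, j = None, 0
        for i in range(len(times)):
            while times[i] - times[j] > window:   # shrink window from the left
                j += 1
            n = i - j + 1
            if n >= min_ips and (best is None or n > best[0]):
                best = (n, times[j], times[i])
        if best:
            bursts.append((str(net), best[0], best[1], best[2]))
    return bursts

def pre_rotation_ips(events, bursts):
    """IPs first seen before the earliest burst started: likely the operator's
    direct, unproxied connections."""
    if not bursts:
        return []
    cutoff = min(b[2] for b in bursts)
    return sorted(ip for ip, ts in first_seen(events).items() if ts < cutoff)

if __name__ == "__main__":
    found = rotation_bursts(EVENTS)
    print("proxy bursts:", found)
    print("direct IPs before rotation:", pre_rotation_ips(EVENTS, found))
```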

Complete Domain List

I’ve compiled a list of all the phishing domains I could identify connected to this campaign. The table below shows 70+ domains, their registrars, creation dates, and current status.

Domain Registrar Created Status IP
accessalert-x.com Turkticaret.net 4/26/25 Live 31.186.11.254
accesscheck-x.com Turkticaret.net 4/27/25 Live 31.186.11.254
accessnotify-x.com Spaceship 3/26/25 Suspended -
accountsupport-x.com OwnRegistrar 12/3/24 Parked -
alertbridge-x.com Hostinger 1/21/26 Live 84.32.84.32
alertcenter-x.com Hostinger 1/19/26 Live 84.32.84.32
alertcontent-x.com Hostinger 2/22/25 Parked -
alertform-x.com Hostinger 7/19/25 Live 84.32.84.32
alertlog-x.com Hostinger 8/29/25 Live 84.32.84.32
alertslog-x.com Hostinger 1/10/26 Live 84.32.84.32
appealalert-x.com Hostinger 2/24/25 Parked -
appealcenter-x.com OwnRegistrar 1/11/25 Parked -
appealform-x.com Nicenic 1/19/26 Parked -
appealpoint-x.com Porkbun 1/20/26 Parked -
authnotify-x.com Hostinger 1/21/26 Live 84.32.84.32
authsupport-x.com Hostinger 1/22/26 Live 84.32.84.32
checks-x.com Hostinger 11/24/25 Suspended -
claimchannel-x.com Hostinger 1/21/26 Live 84.32.84.32
claimentry-x.com Hostinger 1/20/26 Live 84.32.84.32
compliancealert-x.com Turkticaret.net 5/29/25 Live 31.186.11.254
compliancereport-x.com Hostinger 1/18/26 Live 84.32.84.32
contentcenter-x.com OwnRegistrar 12/17/24 Parked -
contentalert-x.com Hostinger 1/20/26 Live 84.32.84.32
contentnotify-x.com OwnRegistrar 12/17/24 Parked -
contentreport-x.com OwnRegistrar 12/9/24 Parked -
contentsupport-x.com OwnRegistrar 12/3/24 Parked -
copyrightcenter-x.com Atak Domain 5/8/25 Parked -
copyrightcheck-x.com Hostinger 2/23/25 Parked -
copyrightreport-x.com Turkticaret.net 1/5/25 Parked -
copyrightsupport-x.com Turkticaret.net 12/28/24 Parked -
dmcacenter-x.com Dynadot 10/26/25 Parked -
dmcareport-x.com Hostinger 12/25/24 Live 84.32.84.33
dmcasupport-x.com Dynadot 8/28/25 Parked -
formalert-x.com Hostinger 10/8/25 Live 84.32.84.32
formcenter-x.com Hostinger 1/16/26 Live 84.32.84.32
identitycheck-x.com NameCheap 4/8/25 Suspended -
issuealert-x.com Turkticaret.net 4/21/25 Live 31.186.11.254
issuecheck-x.com Hostinger 7/18/25 Live 84.32.84.32
logincheck-x.com Turkticaret.net 12/19/24 Parked -
loginnotify-x.com Turkticaret.net 12/18/24 Parked -
mediaalert-x.com Turkticaret.net 6/19/25 Live 31.186.11.254
mediacheck-x.com Turkticaret.net 6/4/25 Live 31.186.11.254
notifycenter-x.com Hostinger 1/31/26 Live 84.32.84.32
notifyform-x.com Hostinger 8/7/25 Live 84.32.84.32
notifypolicy-x.com Dynadot 8/29/24 Suspended -
notifysecure-x.com Squarespace 12/14/24 Live 198.49.23.145
policycenter-x.com Turkticaret.net 5/1/25 Parked -
policyalert-x.com OwnRegistrar 12/19/24 Parked -
policycheck-x.com Turkticaret.net 8/22/25 Live 31.186.11.254
policyreport-x.com OwnRegistrar 12/9/24 Parked -
policysupport-x.com OwnRegistrar 2/14/25 Parked -
privacyalert-x.com OwnRegistrar 12/6/24 Parked -
privacycenter-x.com Mat Bao 12/7/25 Parked -
privacysupport-x.com OwnRegistrar 12/6/24 Parked -
reviewalert-x.com OwnRegistrar 12/18/24 Parked -
rightalert-x.com Hostinger 1/21/26 Live 84.32.84.32
secureaccess-x.com Turkticaret.net 2/5/25 Parked -
secureaccount-x.com Spaceship 2/15/25 Suspended -
securelogin-x.com Turkticaret.net 1/30/25 Parked -
securitycheck-x.com Turkticaret.net 1/31/26 Live 31.186.11.254
securitycenter-x.com OwnRegistrar 4/24/25 Parked -
signinalert-x.com Hostinger 1/12/26 Live 84.32.84.32
signincheck-x.com Hostinger 1/12/26 Live 84.32.84.32
supportform-x.com Hostinger 8/5/25 Live 84.32.84.32
usernotify-x.com Hostinger 1/23/26 Live 84.32.84.32
violationalert-x.com OwnRegistrar 1/25/25 Live 103.224.182.252
violationcenter-x.com OwnRegistrar 1/17/25 Parked -
violationcheck-x.com Spaceship 3/25/25 Suspended -
violationreport-x.com Turkticaret.net 1/25/25 Parked -
violationsupport-x.com OwnRegistrar 1/28/25 Live 103.224.182.252
zanitoya.com Hostinger 11/24/25 Live 104.21.83.106

Don’t let this happen to you

Always check sender domains. This goes without saying, but is very easy to miss. Make sure your spam filters aren’t sending x.com emails to spam. And make sure “-x.com” domains go to spam. The -x.com pattern is bad news.

X will never ask you to log in via an email or DM link. Don’t do it. Any such notifications should reach you through the app’s notifications.
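The two checks above (sender domain, and where the link really goes) can be automated. This added example, not code from the original post, triages the From: address and the “Submit Appeal” link from Part 1: it flags the “-x.com” lookalike pattern, unwraps a Google AMP cache URL (cdn.ampproject.org/c/s/host/path) to expose the real host, and compares both against x.com. The samples are constructed from the article’s values; the third link is hypothetical.

```python
import re
from urllib.parse import urlparse

LEGIT_X_DOMAINS = {"x.com", "twitter.com"}
# Matches authnotify-x.com or content.issuealert-x.com, but never x.com itself.
LOOKALIKE_RE = re.compile(r"(^|\.)[a-z0-9]+-x\.com$")

# Constructed samples: (From: address, link in the email body).
SAMPLES = [
    ("notify@authnotify-x.com", "https://cdn.ampproject.org/c/s/zanitoya.com/href/deedydas"),
    ("impersonation-support@x.com", "https://x.com/settings"),
    ("info@content.issuealert-x.com", "https://issuealert-x.com/copyright/deedydas"),
]

def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def registrable(domain):
    # Crude eTLD+1 for .com-style names: keep the last two labels.
    return ".".join(domain.split(".")[-2:])

def is_legit_x(domain):
    return registrable(domain) in LEGIT_X_DOMAINS

def unwrap_amp(url):
    """Return the origin URL behind a Google AMP cache link.
    .../c/s/<host>/<path> -> https://<host>/<path>
    .../c/<host>/<path>   -> http://<host>/<path>
    Anything else is returned unchanged."""
    p = urlparse(url)
    if p.netloc.lower().endswith("cdn.ampproject.org"):
        parts = p.path.lstrip("/").split("/", 2)
        if len(parts) >= 2 and parts[0] == "c":
            if parts[1] == "s" and len(parts) == 3:
                return "https://" + parts[2]
            return "http://" + "/".join(parts[1:])
    return url

def triage(sender, link):
    """Return a verdict plus the reasons an email/link pair looks like phishing."""
    sdom = sender_domain(sender)
    final = unwrap_amp(link)
    ldom = urlparse(final).netloc.lower()
    reasons = []
    if not is_legit_x(sdom):
        reasons.append(f"sender domain {sdom} is not x.com")
    if LOOKALIKE_RE.search(sdom):
        reasons.append("sender uses the '-x.com' lookalike pattern")
    if final != link:
        reasons.append(f"link is wrapped in the Google AMP cache; real host is {ldom}")
    if not is_legit_x(ldom):
        reasons.append(f"link host {ldom} is not x.com")
    return {"sender_domain": sdom, "link_host": ldom,
            "verdict": "phish" if reasons else "ok", "reasons": reasons}

if __name__ == "__main__":
    for sender, link in SAMPLES:
        print(triage(sender, link))
```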

Use an authenticator app, not SMS. I really thought I had 2FA enabled, but SMS-based 2FA can be bypassed, or may never be triggered at all, by phishing pages that capture session tokens. Use an authenticator.

Be extra careful on mobile. I got phished because I was on my phone, walking in the cold, and couldn’t easily see the full URL.

Download your data regularly. Doing a diff of the data was super valuable to give me comfort that I knew everything that happened on my account. Without this, I may have been flying blind on the analysis and not known everything the hacker did. Go to Settings → Your Account → Download an archive of your data.
