TheCryptoUpdates
Crypto Scams

SpaceX and Starlink X accounts hacked in $135K memecoin scam

On Sunday, July 12, the verified X accounts of SpaceX and Starlink were hacked and used to promote a memecoin called SCATMAN. The attack took less than an hour and netted the attacker about $135,000.

The post appeared normal, with no defacement or changed banners. It looked like SpaceX was endorsing a token. Buyers responded quickly, pushing the token up 575% in the first 20 minutes. By the time the posts were removed, the attacker had sold ten trillion tokens for roughly 73.7 ether, worth around $135,000. Everyone who bought based on the SpaceX post lost their money.

The dollar figure is small compared to eight-figure hacks or the $1.16 billion in bitcoin on SpaceX’s balance sheet. But that gap is the real story. The cheapest attack surface in crypto is not a smart contract or a bridge—it’s a login.

How it unfolded

An account called Sam Catman appeared, with a fake affiliation badge tying it to SpaceX’s AI work. The name was a pun on Sam Altman, timed to the ongoing feud between Elon Musk and the OpenAI chief. The token was deployed on Robinhood Chain, a layer 2 network that launched on July 1 and allows anyone to create a token without approval. The SpaceX and Starlink accounts then reposted the promotion.

Trading exploded. Peak market capitalization varied widely, from $800,000 to $32 million depending on the source. The attacker sold through two wallets, draining liquidity. The price collapsed. The accounts were restored within hours, but no explanation has been given about how they were compromised.

Credibility arbitrage

Attackers aren’t building audiences anymore—they’re borrowing them for the length of a single post. A memecoin launched by an anonymous wallet reaches nobody. The same token reposted by an account with millions of followers reaches a market instantly. The attacker doesn’t need trust to last; they just need it to survive for the length of a trade.

The payday is misleading as a measure of severity. The constraint wasn’t the audience or credibility—those were enormous. The constraint was market depth. There weren’t enough buyers to absorb ten trillion tokens at a higher price. On a deeper chain, the same attack could produce a much larger number.

This pattern isn’t new. When Keith Gill’s account was hacked in May, attackers cleared over $600,000 in half an hour. The Pump.fun account compromise in February 2025 netted $135,000 in under a minute. The common thread isn’t an industry or a chain—it’s a follower count.

Why existing defenses don’t work

Crypto has spent years building defenses against a different threat model. Audits check contract code. Timelocks and multisigs guard treasuries. All that assumes the attack comes through the chain. The SCATMAN attack came through a social media account. There was no contract to audit, because the contract did what it was written to do. Every component behaved correctly, and buyers still lost their money.

A diligent buyer couldn’t have done much in the 20-minute window. Check the contract? It was standard code. Check holder concentration? The attacker held everything, which describes most tokens in their first minutes. Check the source? The source was SpaceX. That was the whole point.

The only defense is a rule: no verified account’s post is a reason to buy a token minted minutes earlier. That rule costs every genuine celebrity token launch, which most people should be happy to pay.

The Robinhood Chain factor

SCATMAN landed on a chain in its second week of life. Robinhood Chain launched on July 1 and quickly became dominated by memecoins—over 75% of trading volume in its first week. More than 19,000 new tokens were created in a single day by July 13. Cross-chain provider Relay Protocol warned about honeypot tokens proliferating on the network.

That’s the environment SCATMAN exploited: a young chain with retail attention, minimal tooling, and too many tokens to screen. It’s not a Robinhood-specific failure; it’s what permissionless launch infrastructure looks like at week two. But a chain carrying Robinhood’s name inherits a duty of care that purely crypto-native chains never had.

The real cost

The dismissive reading treats $135,000 as the harm. But the real harm is the erosion of the verification mechanism retail users rely on. When institutional accounts can be hijacked, every legitimate announcement arrives pre-discounted. The industry is spending down a shared reputational asset it cannot replenish.

This attack costs almost nothing to attempt, carries low consequences, and produces a payday in minutes. The rate of attempts will rise as more mainstream brands acquire crypto surfaces. Every corporate account with a crypto-adjacent story is now a live financial instrument.

The attacker needed no capital, no code, and roughly one hour. The defenders needed a way to un-say something faster than a bot can buy. The asymmetry is total: the attack executes at the speed of a repost, and the correction executes at the speed of a corporate security team.

What would change the math

Nothing in the current toolkit addresses the root cause: a verified account’s authority transfers instantly to whoever controls the login. Platform-side fixes—hardware key enforcement, delay windows on posts with contract addresses, loss of affiliation badge for new accounts—are technically simple but commercially unattractive to platforms that monetize velocity.

Chain-side screening, like Relay Protocol’s honeypot blocking, cuts against the ideology of permissionless systems. Expect more such voluntary layers, and fights over whether they’re prudent stewardship or a return of gatekeepers.

The user-side defense is simple: a verified account promoting a token minted minutes ago is not evidence of legitimacy. Under current conditions, it’s closer to evidence of the opposite.

Here’s the uncomfortable arithmetic: a trillion-dollar brand was used to sell a worthless asset. The theft netted the price of a modest car. The victims have no recourse. The platform has said nothing. The mechanism remains intact. The scam economy has discovered that the most valuable asset in crypto is not any token—it’s a moment of unearned belief. And belief has no smart contract protecting it.

Loading

Related posts

Haedal Protocol Pauses Vault Pools After Abnormal Liquidity Drop

Timm

MetaMask Denies Wallet Exploit Allegations Following Loss of Over 5,000 ETH

Mridul Srivastava

Iran used $2 billion in crypto to fund militant proxies in 2025

Timm