On-chain investigator ZachXBT pointed out risk flaws in the new X Chat feature. The chat is rolled out to a small group of users for testing, but ZachXBT believes more filters are needed to protect users from malicious phishing attempts and files. On-chain investigator ZachXBT discovered bugs on the newly rolled out feature called XChat. The social media platform is testing chat capabilities, where XChat will replace the current DM system. XChat will not change DMs completely, but update and improve the existing messaging system. ZachXBT noted that currently, anyone can add users to a group chat, opening up another vector for phishing attacks. He notified Elon Musk, who responded immediately. Please update DMs & XChat by adding a filter to choose who can add you to group chats. Currently any user can add you to a group unless you turn off your messages entirely. pic.twitter.com/Nbp21BhsrF — ZachXBT (@zachxbt) June 16, 2025 ZachXBT discovered another potential threat, where anyone can send files though XChat. Musk’s quick reaction showed crypto influencers are one of the significant voices on X, attempting to combine privacy with protection against attackers and scammers. End-to-end encryption may increase the security of legitimate users, yet disguise attackers. Disappearing messages also undermine efforts to track and prove fraud. ZachXBT also called for filters to remove unknown users. Flawed files or links have been one of the attack vectors for crypto heists. Solicitation through DMs is also poses a risk of malicious links to smart contracts, wallet drainers, fake tokens, or other attacks. The on-chain researcher has not pointed out any specific attacks through XChat, but it may share some features with general DM scams, solicitations and attempts at hacking. The initial XChat version may also be open to spam bots sending out DMs or organizing chats. Instead of the wave of visible promotion on social media, the scams or token shilling may move on to closed chats. As XChat was rolled in 2025, the crypto community already noted it had the potential to become a crypto scam hub. Some of the potential solicitations and phishing may be similar to Discord servers, with fake token sales or dishonest OTC deals. XChat aims to turn X into an ‘everything app’ XChat has been rolled only to a selected group of premium users from May 30 onward. The group chat will include encrypted messages, timed vanishing messages, file sharing and audio and video calls without a phone number registration. All premium subscribers gained access to XChat in June, but there is no specific timeline for spreading the feature to all users. The chat aims for greater privacy, but the privacy may become a convenient feature for online scammers. Phishing has accelerated in 2025, with over $47M lost in May, based on Certik data. In April, phishing took up to $337M . X is also a venue for account thefts, a common form of attack in the past two years. Compromised accounts often posted meme tokens or malicious smart contracts. X has extended its integration with crypto projects, recently naming Polymarket as its official partner in predictive pairs on current events. So far, X has not integrated any specific cryptocurrency, though there are third-party solutions for sending crypto through social media. Cryptopolitan Academy: Want to grow your money in 2025? Learn how to do it with DeFi in our upcoming webclass. Save Your Spot
