INCIDENT REPORT: Oscar Ramos's X Account Potentially Compromised
Malicious Tweet promoting suspicious collaboration with CozyMetaWorld raises security concerns
Incident Overview
On June 8th, 2024, Oscar Ramos's X account (@realOscarRamos1) posted a suspicious Tweet promoting a collaboration with CozyMetaWorld. The post contained an urgent call to action and linked to a possibly malicious website (cozyland[dot]xyz), which has been flagged for scams in the past. The nature of the Tweet and associated behavior strongly suggests that Oscar Ramos's account was compromised.
Incident Summary
The compromised Tweet promoted a collaboration with CozyMetaWorld, but red flags were raised due to:
The suspicious urgency in the post and lack of detailed information.
The domain cozyland[dot]xyz was created only recently (May 29th, 2024) and is registered in Russia, as flagged by scam-detector.com.
Historical evidence linking CozyMetaWorld to scams, with older X posts referencing other domains now associated with this suspicious activity. Wayback Machine analysis shows the scam page was present on the earlier domain as far back as December 2023.
The Tweet had comments disabled, a common tactic used by malicious actors to limit user feedback or warnings, and offered a high-value NFT (~$1,000) to lure users into downloading potentially harmful files.
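The red flags above can be checked mechanically before a post is acted on. The following triage helper is an added example, not part of the original report: it refangs the defanged link, computes the domain's age from a WHOIS-style record, and scans the text for urgency and reward bait. The urgency word list, the 90-day threshold, the sample post text and the WHOIS record are all constructed assumptions (the creation date is the one the report cites).

```python
import re
from dataclasses import dataclass
from datetime import date

# Added triage helper: scores a post against the red flags listed in the report.
# Every sample value below is constructed for illustration.
URGENCY_WORDS = ("hurry", "limited", "now", "last chance", "today")
NEW_DOMAIN_DAYS = 90  # assumption: a link domain younger than this is a red flag

@dataclass
class Post:
    text: str
    link_domain: str  # may be defanged, e.g. "cozyland[dot]xyz"
    comments_disabled: bool
    posted_on: date

def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'cozyland[dot]xyz' back into a hostname."""
    return re.sub(r"\[(?:dot|\.)\]", ".", domain, flags=re.IGNORECASE).lower()

def domain_age_days(domain: str, whois: dict, on: date):
    """Days between a WHOIS-style creation date ({host: date}) and a given day."""
    created = whois.get(refang(domain))
    return (on - created).days if created else None

def triage(post: Post, whois: dict) -> list:
    """Return the red flags a post raises; an empty list means none were found."""
    flags, lowered = [], post.text.lower()
    if any(w in lowered for w in URGENCY_WORDS):
        flags.append("urgent call to action")
    if post.comments_disabled:
        flags.append("comments disabled")
    if re.search(r"\$\s?\d[\d,]{2,}|\bnft\b|giveaway|airdrop", lowered):
        flags.append("high-value reward offered")
    age = domain_age_days(post.link_domain, whois, post.posted_on)
    if age is None:
        flags.append("link domain has no WHOIS record")
    elif age < NEW_DOMAIN_DAYS:
        flags.append(f"link domain registered {age} days before the post")
    return flags

# Constructed sample resembling the post in the report, with the domain
# creation date the report cites.
SAMPLE_POST = Post("Partnering with CozyMetaWorld! Claim your $1,000 NFT now, limited spots!",
                   "cozyland[dot]xyz", True, date(2024, 6, 8))
SAMPLE_WHOIS = {"cozyland.xyz": date(2024, 5, 29)}

if __name__ == "__main__":
    for flag in triage(SAMPLE_POST, SAMPLE_WHOIS):
        print("RED FLAG:", flag)
```

A real deployment would replace the inline WHOIS dictionary with a lookup against a registration-data source; the scoring logic stays the same.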
Timeline of Events (UTC+2)
June 8th, 2024 (early morning): A Tweet from @realOscarRamos1 promoted a collaboration with @CozyMetaWorld and directed users to the suspicious cozyland[dot]xyz domain.
June 8th, 2024 (throughout the day): The Tweet was mass DM-ed to Oscar's followers, urging them to participate in the suspicious NFT giveaway.
June 8th, 2024 (8 pm): Oscar Ramos regained control of his account, and the malicious post was deleted.
Impact Assessment
The potential impact includes users falling victim to phishing attacks or malware by engaging with the malicious link, resulting in possible data breaches or financial losses. While the extent of the compromise is unknown, the widespread DMs and public Tweet suggest the attackers aimed for mass exploitation.
Root Cause Analysis
The likely cause of this incident was a compromise of Oscar Ramos’s X account. The behavior of the Tweet, including its urgency, disabled comments, and questionable domain, suggests unauthorized access. Bad actors used the account to spread a scam that enticed users to download potentially malicious files under the guise of receiving a valuable NFT.
Resolution & Mitigation
Oscar Ramos successfully regained control of his X account by the evening of June 8th, and the malicious Tweet was removed.
Users were advised to disregard the earlier post and avoid interacting with the cozyland[dot]xyz link.
At the time of writing, no official statement has been released regarding any security measures taken to prevent future compromises.
Post-Incident Analysis
For Projects and Users:
Be cautious when engaging with posts that promote high-value rewards and urgent actions, especially if linked to unfamiliar domains.
Ensure account security by enabling two-factor authentication and monitoring account activity for unusual behavior.
For X Users:
Do not download files or interact with links promising quick financial rewards, particularly if the source seems suspicious or unverifiable.
Always verify the authenticity of collaborations by checking official project channels or social media profiles.
Conclusion
The incident involving Oscar Ramos's X account demonstrates how even prominent figures can fall victim to account compromises. It is crucial for both users and project owners to stay vigilant, especially when encountering suspicious offers and unknown links. Maintaining strong account security practices and scrutinizing unexpected promotions can help prevent similar incidents.