When a Hacker Slipped Through X’s Back Door: What Happened to Numbers Protocol on 20 July 2025

Tl;dr – An X employee’s account was hijacked at lunchtime on 20 July 2025, and the attacker used that foothold to seize control of @numbersprotocol. They pushed fake $LUMI airdrops and other crypto‑scam posts for hours while our team fought to regain access. We’re still waiting on a full resolution from X, but here’s everything we know so far, why blockchain receipts matter, and how to stay safe until the dust settles.

‍

Posted on July 21, 2025 by Sofia Yan, Co-founder of Numbers Protocol

In the fast-paced world of blockchain, security breaches are commonplace—but what if the platform is the weak link? On July 20, 2025, Numbers Protocol's X account (@numbersprotocol) was hacked via a compromised X employee's profile, disrupting community communications and exposing X's vulnerabilities. Here, we'll cover the timeline, our response, challenges faced, key lessons, and how our blockchain tech provides verifiable proofs—transparency is our core.

‍

The Incident: How It Unfolded

It all started around midday on July 20, 2025 (UTC+8, approximately 13:20). Our team attempted a routine login to the @numbersprotocol account using our standard Google sign-in with two-factor authentication (2FA) enabled. Shortly after, we received an email that appeared to be from X Support, requesting a Telegram number for "ownership verification." Importantly, we did not share any details or codes—the conversation ended there.

Despite our caution, about 20 minutes later, we discovered the account had been taken over. Scammers began posting fraudulent content, including promotions for a fake $LUMI airdrop and pump signals designed to phishing unsuspecting users. The breach was traced back to a hacked X employee account (@alypetru), which the attackers used to reply to our content and gain credibility. Screenshots and posts from the time show the employee account promoting the scam before it was quickly recovered and all traces erased—within minutes, according to our observations.

While the employee's account was swiftly restored (with no visible history of the malicious activity remaining), our company account remained under hacker control. The scammers continued to post deceptive schemes, deleted some of our legitimate content, and even closed comment sections to limit warnings from the community.

‍

Our Immediate Response: Mobilizing the Team and Community

As soon as we detected the compromise, our team sprang into action. Here's a step-by-step breakdown of what we did:

1. Issued Public Warnings: We posted security notices across alternative channels, including our founder Bofu Chen's personal X account (@bafuchen), our product channel (@captureapp_xyz), Telegram, and Discord. We urged the community to ignore any recent posts or DMs from @numbersprotocol and avoid clicking links.
   
   
2. Contacted X Support: We submitted multiple support tickets (e.g., ID: 5892571) and emails with detailed information, including our username, associated email (hi@numbersprotocol.io), and timestamps of the incident. We also provided personal verification details from Bofu Chen to expedite recovery. Despite these efforts, responses were slow—initial emails went unanswered for hours, and follow-ups yielded no immediate action.
   
   
3. Leveraged Blockchain for Proofs: True to our mission at Numbers Protocol, we used our Capture app to create verifiable, blockchain-signed proofs of the incident. These immutable records include screenshots of the fraudulent posts, the suspicious email from "X Support," and other evidence. For transparency, here are the links:
   
   • Proof of the suspicious verification email: https://asset.captureapp.xyz/bafybeiacpfwhlshyo633k2of6k3yllo46szzupe6h7cceipu23vfvukwqq
   • Evidence of the hacked employee's reply promoting the scam: https://asset.captureapp.xyz/bafybeif2malngauehhzzymlxpw6l5wgohiidyyi4qlvflheadux347chcu
   • Proof of our community update post: https://asset.captureapp.xyz/bafybeicu5r2r5gk77yq4ndlq7fv46pfcnwjm2enpsdpclukvrxjymped7m
   • Latest evidence of ongoing scams and lack of response: https://asset.captureapp.xyz/bafybeihg33cq2io53l2pnqa7o7pcllvf67niavnj4d6hpjjjkbp6o4xp2i
     ‍
4. All future official announcements from us will include such Capture-signed proofs to ensure authenticity.
   
   
5. Engaged the Community and Escalated Publicly: We pinned detailed updates on @bafuchen (e.g., https://x.com/bafuchen/status/1946830626633691531) and encouraged our community to tag @Safety, @elonmusk, and @grok to amplify pressure. We also commented under X's official Safety posts to highlight the irony: If even X employees can be hacked, what does that say about user security? We called out the perceived favoritism—quick recovery for the employee account versus none for ours, a paid Premium user.
   
   
6. Explored Alternatives: In light of this, we're accelerating plans to expand to platforms like BlueSky and Threads for more resilient community engagement.
   
   

Internally, our team viewed this as a "risk to opportunity." While frustrating, it provided real-world material to demonstrate the value of blockchain proofs and push for better platform accountability.

Challenges and Frustrations: A Tale of Unequal Treatment

After 24+ hours with no resolution by July 21’s afternoon—despite our alerts—hackers kept scamming our @numbersprotocol community, while the X employee’s account was instantly cleaned up, hinting at favoritism toward their own. X’s “zero tolerance” for scams rings hollow as our verified Premium account (blue badge and all) serves scammers instead. 

We’re now turning to the media to expose X’s focus on their company and boss over users—time for a security reckoning!

Lessons Learned and a Call to Action

This hack, despite 2FA, shows that no system is foolproof—especially when social engineering targets platform insiders. Key takeaways:

• Always Verify Communications: Even emails from "official" support can be faked. Never share sensitive info without confirmation.
• Blockchain as the Ultimate Proof: Our Capture app proved invaluable for creating tamper-proof records. This incident validates why we're building tools for digital integrity.
• Platform Accountability Matters: X (and similar platforms) must prioritize user security equally, regardless of whether it's an employee or a company account. Faster response times, better 2FA bypass prevention, and transparent investigations are essential.

To our Numbers community: Thanks for your support—keep tagging @Safety and sharing proofs. Reach us on Telegram or hi@numbersprotocol.io. Since X is no longer a trustworthy platform

To X: We've provided all the details—let's fix this and collaborate on making the platform safer for everyone. @elonmusk, @grok, @Safety: Security first!

We'll update this post as developments unfold. Stay safe out there.

All images and proofs in this post are blockchain-verified via Numbers Protocol's ProofSnap app.

‍

Final Thanks

To everyone who sounded the alarm, archived proof, and kept spreading the word—thank you. Transparency is our best defence against social engineering. We’ll publish a full post‑mortem once access is restored and will open‑source our breach‑response checklist so other projects can harden their defences.

Stay vigilant.

‍— The Numbers Protocol Team

‍