Ubuntu’s new AI dreams attracted a very old-fashioned crypto scam on X

Silviu STAHIE

May 08, 2026

The official Ubuntu account on X (formerly Twitter) was briefly compromised by unknown attackers, who used it to promote a fake AI agent and send people to a well-built website that prompted them to connect their crypto wallets.

A few days before this incident, Canonical wanted to position Ubuntu as a privacy-friendly, local-first AI platform. Attackers weaponized that exact narrative within days.

A suspected compromise of Ubuntu’s official X account pushed a fake “Ubuntu AI agent” called ‘Numbat,’ directing users to a malicious crypto phishing website designed to steal wallet access.

The attack came shortly after Canonical revealed plans to expand AI integration inside Ubuntu, and while the company was recovering from a prolonged DDoS campaign targeting its infrastructure.

Key takeaways

  • Attackers exploited recent Ubuntu AI announcements to launch a fake crypto campaign
  • A suspected compromise of Ubuntu’s X account helped spread the scam
  • The phishing operation used a fake “Numbat” AI agent tied to Solana
  • The malicious site copied real Ubuntu AI content and branding
  • Users were ultimately pushed toward connecting crypto wallets
  • The campaign arrived shortly after Canonical suffered prolonged DDoS attacks

What really happened

On May 7, users noticed a suspicious thread posted from what appeared to be Ubuntu’s official X account. The posts announced “Numbat,” described as “Ubuntu’s newest AI agent built on Solana.”

At first glance, the announcement seemed plausible. Canonical had already been discussing Ubuntu’s AI direction publicly, and the branding referenced Ubuntu’s “Noble Numbat” naming convention.

Instead of using crude phishing tactics, the attackers built a layered narrative that felt consistent with existing Ubuntu discussions. The X post used professional visuals, authentic branding, and language that closely aligned with Canonical’s previous messaging.

The phishing site operated under the domain “ai-ubuntu[.]com,” which looked enough like an official Canonical subdomain to likely fool distracted users. The attackers also disabled replies on the X thread, making it harder for users to publicly warn others about the scam.
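A defender-side check for the lookalike pattern described above, as an added example that is not part of the original article. It separates hosts that really sit under an official domain from hosts that only embed the brand name; the allowlist (beyond ubuntu.com) and every sample link other than ai-ubuntu[.]com are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: allowlist of official registrable domains for this illustration.
OFFICIAL = {"ubuntu.com", "canonical.com"}
# Brand strings whose presence in a non-official host is treated as suspicious.
BRANDS = {"ubuntu", "canonical"}


def hostname(link: str) -> str:
    """Refang a defanged indicator and return only the lowercase host."""
    link = link.strip().replace("[.]", ".").replace("hxxp", "http", 1)
    if "://" not in link:
        link = "//" + link  # make urlsplit treat a bare host as the netloc
    try:
        host = urlsplit(link).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()


def classify(link: str) -> str:
    """Return 'official', 'lookalike', 'unrelated' or 'invalid'."""
    host = hostname(link)
    if not host:
        return "invalid"
    # Official only if the host IS an allowlisted domain or ends with ".<domain>".
    # A hyphen does not create a subdomain: "ai-ubuntu.com" fails this test.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    # Brand text anywhere in a non-official host: hyphenated label,
    # or an official-looking prefix such as "ubuntu.com.example.net".
    if any(brand in label for label in host.split(".") for brand in BRANDS):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    samples = [  # constructed inputs, except the domain named in the article
        "ai-ubuntu[.]com",
        "https://ai.ubuntu.com/docs",          # hypothetical official subdomain
        "https://ubuntu.com@ai-ubuntu.com/",   # userinfo trick: real host is after '@'
        "ubuntu.com.example.net",
        "example.org",
    ]
    for s in samples:
        print(f"{classify(s):10} {s}")
```
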

The crypto wallet trap hidden behind the AI branding

The campaign's real objective emerged only after users interacted with the site. Visitors encountered language suggesting that early participants might qualify for future “$UM” token allocations, accompanied by urgent phrases such as “Snapshot approaching.”

The wording followed a familiar crypto scam formula: create a sense of urgency, imply exclusivity and reward early adopters. When users clicked buttons like “Check eligibility” or “Explore Ubuntu AI,” the site prompted them to connect cryptocurrency wallets.

Attackers likely intended to harvest wallet permissions, steal assets or collect sensitive account information through the approval process.

Were the DDoS attacks connected?

The phishing campaign was launched shortly after Canonical faced a DDoS attack that disrupted Ubuntu infrastructure for nearly five days.

Services including ubuntu.com, Launchpad, and Snap-related systems suffered outages or instability during the incident. According to an It’s FOSS report, a group identifying itself as “313 Team” reportedly claimed responsibility for the attacks, although Canonical did not officially confirm attribution.

Canonical had not yet released a detailed public post-incident analysis explaining exactly what happened with the X account, and the post made by the attackers was quickly deleted. The good news is that the DDoS attack has stopped, and all services are up and running.

FAQ


Was Ubuntu launching a crypto AI agent?

Answer: No. The “Numbat” AI project was part of a phishing campaign impersonating Ubuntu and Canonical.


Was Ubuntu’s X account hacked?

Answer: Canonical has not publicly confirmed the exact cause at the time of reporting, but the account appeared to be compromised or abused to spread the scam for a very short time.


What was ai-ubuntu[.]com?

Answer: A fake website designed to mimic Ubuntu AI pages and trick users into connecting crypto wallets.


Was Ubuntu itself compromised?

Answer: No evidence suggested Ubuntu systems or repositories were breached. The incident centered on phishing and web-related attacks.


How can users stay safe?

Answer: Verify domains carefully, avoid connecting wallets to unknown sites and treat AI-themed crypto promotions with skepticism.

Author


Silviu STAHIE

Silviu is a seasoned writer who has followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.
