X (Twitter) DM scam targets users with fake ‘Vote for me’ links sent from hacked accounts

A new wave of scams is spreading on X (formerly Twitter), with users reporting suspicious direct messages sent from accounts they know or follow.

Key takeaways

• Users are receiving suspicious DMs on X (Twitter) from accounts they know or follow, often asking for a quick favor like “Can you vote for me?” or “Can you help me with this?”
• Cybercriminals are using compromised accounts to send these phishing messages and links
• The links lead to fake pages that capture login details
• Compromised accounts are then used to target more people and promote other scams, including crypto-related fraud

How the scam works

Multiple users on X say they’ve started receiving DMs from people they know asking them for a quick favor. These messages don’t look dangerous at first.

In many cases, the account sending the message has already been compromised.

One user summed it up in a warning shared online:

“Please be aware of a phishing campaign. If you receive DMs from known accounts with ‘Please 🙏 vote for me,’ it is likely from a hacked account.
If you receive such a DM from me or others you know — DO NOT CLICK the link. Verify with the sender first.”

This is a simple account takeover scam that relies on people acting quickly.

In a nutshell:

• You receive a DM from someone you know or follow
• The message asks for a small favor, like voting on a website or an influencer program, and includes a link
• You click the link and land on a page that looks legitimate
• You’re asked to log in
• The page is fake, and your credentials are stolen

Once attackers gain access to your account, they don’t stop at sending messages.

The compromised account is often used to run additional scams, including posting content that promotes cryptocurrency schemes or other fraudulent offers. Because the account already has credibility, followers are more likely to trust the posts, click on links, and in some cases, lose money.

This isn’t the first time we’ve seen this

If this feels familiar, there’s a reason.

A very similar tactic has already been used on Instagram, where attackers sent messages asking people to vote in fake contests. The pattern is nearly identical:

• A message from someone you trust
• A simple request
• A link that leads to a phishing page

The same type of messages has also circulated on WhatsApp for years, often asking users to “vote for my child” or help someone win a contest.

How to stay safe

A few simple habits can make a big difference:

• Be wary of unexpected DMs
  Even if they come from someone you know
• Don’t click links right away
  Take a moment to think about whether the message makes sense
• Verify with the sender
  If something feels off, ask them directly on another channel
• Check the website before logging in
  Look closely at the URL before entering your details
• Use extra protection on your accounts
  Two-factor authentication and security tools can help reduce the risk
• Act quickly if you’ve already entered your details
  Change your passwords immediately and check your account for suspicious logins or activity
• Protect your phone from phishing attempts and scams
  Installing Bitdefender Mobile Security on your phone helps block phishing links, malicious websites, and scam attempts,  including those that arrive in DMs from trusted accounts. It’s available for both iOS and Android devices.

If you’re unsure about a link, you can check it with Bitdefender Link Checker or get a second opinion from Bitdefender Scamio for free.

If you’re a content creator or rely on your social media accounts for work, it’s worth taking extra precautions. Solutions like Bitdefender Security for Creators are designed to protect accounts across platforms like Instagram, Facebook, and YouTube, helping detect phishing attempts, secure logins, and reduce the risk of account takeovers.

This kind of protection matters because attackers don’t stick to one platform. Once they gain access to one account, they often try to move across others — especially if they’re connected or share the same login details.