Someone broke into the official SpaceXAI and Starlink accounts on X on July 13 and used them to promote a newly launched meme coin called SCATMAN, walking away with approximately $125,000 in Ethereum before the posts were flagged and taken down. On-chain analytics platform Lookonchain traced the scheme to two wallets: one that minted 10 trillion SCATMAN tokens and sold the entire supply for 59 ETH, worth roughly $108,000, and a second connected wallet that unloaded another 59.28 million tokens for 14.7 ETH, adding about $27,000 to the haul.
Screenshots circulating on social media showed the SpaceXAI and Starlink accounts reposting content from an account called Sam Catman, which displayed a badge falsely linking it to SpaceX's artificial intelligence initiatives. The reposts appeared alongside routine SpaceX content, making the promotion look authentic rather than signaling a compromise. Neither SpaceX nor Starlink had issued a public statement about the breach at the time of reporting, and the reposts were no longer visible on either account hours after the incident surfaced.
If hackers can turn SpaceX and Starlink accounts into meme coin billboards for 125 grand, the question isn't whether this happens again. It's which verified account goes next.
CoinBatmi Newsroom
The playbook is now familiar. A high-trust account gets taken over, a token launches within minutes, and the attacker sells before the account owner can regain control. The SpaceXAI and Starlink accounts carry the name recognition of Elon Musk's space ventures, making them premium targets. The SCATMAN rug pull was executed swiftly, and the attacker's wallet addresses have been publicly identified by Lookonchain for anyone tracking on-chain movements.
This is not an isolated event. In February 2025, hackers took over Pump.fun's X account to push a fake PUMP token, with one wallet making over $135,000 in under 60 seconds. Former Malaysian Prime Minister Mahathir Mohamad's account was similarly hijacked to promote a token in a scheme that resulted in $1.7 million in losses. Myanmar's junta leader and World Liberty Financial co-founder Zach Witkoff were also hit with identical attacks earlier that year. The consistency of the method suggests a coordinated set of actors or a widely available exploit toolkit rather than isolated incidents.
The total haul of roughly 73.7 ETH is modest by crypto scam standards, but the breach raises questions about X's account security for high-profile verified handles. Social engineering and phishing have been the primary vectors in previous X account takeovers rather than platform-level vulnerabilities. The fact that two Elon Musk-affiliated accounts were compromised simultaneously points to either a targeted operation against Musk-related properties or a broader credential-stuffing campaign that netted multiple accounts at once.
For anyone holding SCATMAN tokens purchased during the promotional window, recovery is unlikely. Rug pulls of this type drain all available liquidity immediately, leaving remaining tokens functionally worthless. Lookonchain's public disclosure of the wallet addresses allows blockchain forensics firms to track where the ETH goes, but tracing stolen funds and recovering them are two very different outcomes. Most X account hijackings for crypto scams result in the attacker successfully laundering the proceeds through mixers or cross-chain bridges within hours.
The incident underscores a recurring vulnerability in crypto's promotional pipeline. Projects and personalities spend years building account authority that scammers can weaponize in minutes. Until X implements stronger verification workflows for high-profile accounts or enforces hardware-key requirements for privileged access, the incentive to target verified handles will persist. The SCATMAN scam was straightforward, cheap to execute, and profitable enough that the attacker has no reason not to try again.
Key takeaways
- Hackers hijacked SpaceXAI and Starlink X accounts on July 13 to promote a fake SCATMAN meme coin, minting 10 trillion tokens and making ~$1…
- Lookonchain traced the scheme to two wallets, identifying the attacker's addresses publicly.
- The attack follows a pattern of X account hijackings for crypto rug pulls, including the Pump.fun hack in February 2025 and the Mahathir Mo…
Live multi-source prices on CoinBatmi Markets. Research only — not financial advice.