On Sunday, July 12, verified X accounts from SpaceX and Starlink were hacked and used to promote a memecoin called SCATMAN. The attack lasted less than an hour and netted the attacker approximately $135,000.
The message looked normal, with no defacement or altered banners. It looked like SpaceX was endorsing a token. Buyers reacted quickly, sending the token up 575% in the first 20 minutes. At the time the posts were deleted, the attacker had sold ten trillion tokens for approximately 73.7 ether, or a value of approximately $135,000. Everyone who bought based on the SpaceX post lost their money.
The dollar figure is small compared to the eight-figure hacks or the $1.16 billion in bitcoin on SpaceX’s balance sheet. But this gap is the real story. The cheapest attack surface in crypto isn’t a smart contract or a bridge, it’s a connection.
How it went
An account called Sam Catman appeared, with a fake affiliation badge linking him to SpaceX’s AI work. The name was a pun on Sam Altman, relating to the ongoing feud between Elon Musk and the head of OpenAI. The token was deployed on Robinhood Chain, a layer 2 network that launched on July 1 and allows anyone to create a token without approval. The SpaceX and Starlink accounts then reposted the promotion.
Exchanges exploded. The maximum market capitalization varied widely, from $800,000 to $32 million depending on the source. The attacker sold through two wallets, thereby draining liquidity. The price collapsed. The accounts were restored within hours, but no explanation was given as to how they were compromised.
Credibility arbitration
Attackers no longer create audiences: they borrow them for the duration of a single publication. A memecoin launched by an anonymous wallet reaches no one. The same token reposted by an account with millions of followers instantly reaches a market. The attacker does not need confidence to last; they just need it to survive for the duration of an exchange.
Salary is misleading as a measure of severity. The constraint was not the audience or the credibility: they were enormous. The constraint was the depth of the market. There were not enough buyers to absorb ten trillion tokens at a higher price. On a deeper chain, the same attack could produce a much larger number.
This model is not new. When Keith Gill’s account was hacked in May, the attackers recovered more than $600,000 in half an hour. The Pump.fun account compromise in February 2025 netted $135,000 in less than a minute. The common thread is not an industry or a channel, but the number of followers.
Why existing defenses don’t work
Crypto has spent years building defenses against a different threat model. Audits verify the contract code. Timelocks and multisigs guard the treasures. All of this assumes that the attack goes through the chain. The SCATMAN attack took place via a social media account. There was no contract to check, because the contract did what it was written to do. Every component behaved correctly and buyers still lost their money.
There wasn’t much a diligent buyer could have done within the 20 minute time limit. Check the contract? It was standard code. Check the concentration of the holder? The striker held everything that describes most of the chips in his opening minutes. Check the source? The source was SpaceX. That was the whole problem.
The only defense is one rule: no publication of a verified account is a reason to buy a token issued a few minutes earlier. This rule costs each real celebrity token launch, which most people should be happy to pay for.
The Robinhood Chain Factor
SCATMAN landed on a chain during his second week of life. Robinhood Chain launched on July 1 and quickly became dominated by memecoins, accounting for over 75% of trading volume in its first week. Over 19,000 new tokens were created in a single day on July 13. Cross-chain provider Relay Protocol has warned of the proliferation of honeypot tokens on the network.
This is the environment SCATMAN operates: a young chain with a focus on retail, minimal tooling, and too many chips to filter through. This is not a failure specific to Robinhood; this is what the permissionless launch infrastructure looks like in week two. But a channel named Robinhood inherits a duty of care that purely crypto-native chains never had.
The real cost
The dismissive reading considers $135,000 a detriment. But the real harm lies in the erosion of the verification mechanism that individual users rely on. When institutional accounts can be hacked, every legitimate ad comes at a discount. The industry is spending a shared reputation asset that it cannot replenish.
This attack costs next to nothing, has low consequences, and pays off in minutes. The attempt rate will increase as more mainstream brands acquire crypto surfaces. Every business account with a crypto-adjacent history is now an actual financial instrument.
The attacker needed no capital, no code, and about an hour. Defenders needed a way to say something faster than a robot can buy it. The asymmetry is complete: the attack executes at the speed of a repost, and the remediation executes at the speed of an enterprise security team.
What would change the calculations
Nothing in the current toolkit addresses the root cause: the authority of a verified account is transferred instantly to whoever controls the connection. The platform-side fixes (application of hardware keys, delays for posts with contract addresses, loss of affiliate badge for new accounts) are technically simple but commercially unattractive for platforms that monetize velocity.
Chain-side filtering, like blocking the Relay Protocol honeypot, goes against the ideology of permissionless systems. Expect more such voluntary layers and conflicts over whether this is careful management or a return of the gatekeepers.
The user-side defense is simple: a verified account promoting a token created a few minutes ago does not constitute proof of legitimacy. In current conditions, it is rather proof of the opposite.
Here’s some uncomfortable arithmetic: a brand worth billions of dollars was used to sell a worthless asset. The theft brought in the price of a modest car. Victims have no recourse. The platform said nothing. The mechanism remains intact. Fraudulent economics has discovered that crypto’s most valuable asset isn’t a token: it’s a moment of unearned belief. And the belief is not protected by any smart contract.
![]()



