The reply-guy attack

X/Twitter, mid-2025. A holder posts a frustrated tweet at @OKX: "withdrawal stuck 6 hours, ticket #4471, please help." Within 90 seconds, three accounts with OKX-style usernames reply: @OKX_Help_US, @OKXSupport_Official, @OKXcare. Each has the OKX logo as avatar, 800–2,000 followers, and offers to help via DM.

The real OKX support account never DMs first. The reply-guys are bots, triggered by a scraper that watches the public mention feed of every major exchange. The DM funnel ends in a fake "verification portal" that harvests seed phrases.

How the bot farm works

One operator runs 200–500 lookalike accounts via a SOCKS proxy pool. A scraper watches the mention feed for @OKX, @Binance, @coinbase, @krakenfx. Within seconds of any complaint tweet, the bot replies with a templated DM invitation. Conversion rate is low — maybe 1 in 200 — but the cost per reply is approximately zero.

The three tells

  • The username has padding. @OKX is the only OKX account on X. Anything with an underscore, "support," "help," "official," "care," or numeric padding is fake by definition.
  • The reply time is too fast. Real exchange social teams reply in hours, not seconds. A 90-second response time to a non-urgent complaint is a bot fishing for the desperate.
  • The DM asks you to leave the platform. "Continue verification on our Telegram" or "Download our support app" moves you to a channel where X's own anti-phishing tools cannot see the conversation.
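
The three tells above can be checked mechanically before you read a single reply. The following is an added example written for this page, not code from X or any exchange: a small Python triage script that scores each reply to a complaint tweet against the three tells. The official handle list and the padding words come from the text; the 300-second "too fast" threshold, the off-platform phrase list and the sample replies are constructed assumptions for the demo.

```python
import re
from dataclasses import dataclass

# Official handles named on the page. Only the exact handle is official;
# anything that merely contains the brand is a candidate lookalike.
OFFICIAL_HANDLES = {"okx", "binance", "coinbase", "krakenfx"}

# Padding words the page lists as a giveaway (lowercase, compared against the
# part of the handle left over once the brand name is removed).
PADDING_WORDS = ("support", "help", "official", "care")

# Phrases that try to move the conversation off X. Assumed list for the example.
OFF_PLATFORM = re.compile(
    r"(telegram|whatsapp|download\b.{0,40}\bapp\b|verification portal|continue verification)",
    re.IGNORECASE,
)

# Assumed threshold: a reply this soon after a non-urgent complaint is bot speed.
FAST_REPLY_SECONDS = 300


@dataclass
class Reply:
    handle: str         # replying account, with or without the leading '@'
    seconds_after: int  # seconds between the complaint tweet and this reply
    text: str


def is_lookalike(handle: str) -> bool:
    """Tell 1: the handle embeds an official brand plus underscore, digits or padding words."""
    h = handle.lower().lstrip("@")
    if h in OFFICIAL_HANDLES:
        return False
    for brand in OFFICIAL_HANDLES:
        if brand in h:
            padding = h.replace(brand, "", 1)
            if ("_" in padding
                    or any(c.isdigit() for c in padding)
                    or any(w in padding for w in PADDING_WORDS)):
                return True
    return False


def score_reply(reply: Reply) -> list[str]:
    """Return the names of the tells that fire for one reply, in a fixed order."""
    tells = []
    if is_lookalike(reply.handle):
        tells.append("lookalike_handle")
    if reply.seconds_after <= FAST_REPLY_SECONDS:      # Tell 2: too fast
        tells.append("too_fast")
    if OFF_PLATFORM.search(reply.text):                # Tell 3: leave the platform
        tells.append("off_platform")
    return tells


def is_probable_bot(reply: Reply) -> bool:
    """Assumed decision rule for the demo: two or more tells means treat as a scam and block."""
    return len(score_reply(reply)) >= 2


# Constructed sample replies modelled on the scenario in the text (not real accounts' posts).
SAMPLE_REPLIES = [
    Reply("@OKX_Help_US", 45,
          "Sorry for the trouble! Please DM us and continue verification on our Telegram."),
    Reply("@OKXSupport_Official", 70,
          "Hi, download our support app to resolve this quickly."),
    Reply("@OKX", 18000,
          "Sorry to hear that. Our team has your ticket and will follow up here."),
    Reply("@cryptodave99", 120,
          "Same thing happened to me last week, took a day to resolve."),
]


def triage(replies: list[Reply]) -> dict[str, list[str]]:
    """Map each handle to the tells it triggers; useful as the block list for tell-rich replies."""
    return {r.handle: score_reply(r) for r in replies}


if __name__ == "__main__":
    for handle, tells in triage(SAMPLE_REPLIES).items():
        print(f"{handle:24} {'BOT' if len(tells) >= 2 else 'ok ':3} {tells}")
```

Note that a single tell is not a verdict: a bystander replying quickly trips only the timing check, which is why the demo's block rule (an assumption, not from the page) waits for two. The handle check deliberately ignores accounts that never mention a brand; the page's point is padding around a real exchange name, not digits in usernames generally.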

The defensive move

Stop replying. Open the OKX app on your phone, go to Help Center, file a ticket. Block every account that DMs you within the first hour of posting a complaint at an exchange — they are all scams. If you want to vent publicly, do it without tagging the exchange handle, or tag only after the ticket number is in hand.

What X is doing about it

As of mid-2025, very little. The bot farms migrate faster than the platform's enforcement cycle. The defensive responsibility sits with the user.