A single Ethereum address minted 10 trillion SCATMAN tokens. Twelve minutes later, the same address swapped them for 59.3 ETH. Gross proceeds: $124,530. The attack surface? Two X accounts belonging to SpaceX and Starlink.
The incident lasted less than a quarter of an hour. The damage to trust? Indefinite.
On February 20, 2025, the official X accounts of SpaceX and Starlink simultaneously posted a message advertising a meme token called SCATMAN. The posts included a direct link to mint the token on Ethereum. Within minutes, the contract was live, the supply was minted, and the attacker executed a full rug pull.
Blockchain analysis firm Lookonchain identified the deployer wallet and tracked the flow: 10 trillion SCATMAN minted → liquidated on decentralized exchanges → proceeds consolidated into two wallets holding approximately 59 ETH. The code executed as written. The only failure was in human validation.
Context: Social Engineering Over Protocol Exploit
The attack did not exploit any smart contract vulnerability. No reentrancy, no flash loan manipulation, no oracle price tampering. The underlying blockchain functioned exactly as intended: permissionless minting, transparent swaps, immutable records. The attacker used a standard ERC-20 contract with a public mint function.
The real vulnerability was identity verification on X. The attacker gained control of two high-value accounts — likely through a SIM swap, credential stuffing, or an insider leak. Once authenticated, the platform’s own trust mechanisms became the weapon. The accounts had millions of followers, blue checkmarks, and decades of accumulated brand equity. That trust was monetized in under fifteen minutes.
This pattern is not new. The article mentions similar attacks on the Pump.fun protocol account, a Venezuelan political figure, and multiple other high-profile profiles. Each follows the same playbook: compromise a trusted account → push a freshly minted token → dump before the audience realizes the authority was fake.
Core: The Mechanics of a Perfectly Executed Trust Arbitrage
Let’s break down the exact sequence.
First, the attacker deployed a contract that allowed public minting. No whitelist, no vesting schedule, no lock. The code had no safety mechanisms — no timelock, no multi-sig override. Classic one-shot contract. I have audited similar structures in the 2017 ICO era. They are designed for one thing: rapid capital extraction.
Second, the attacker used the compromised X accounts to post a mint link. The post likely included urgency language like “limited supply” or “first come, first served.” Social trust substituted for technical verification. The crowd that clicked the link and minted were not irrational — they relied on a signal that had historically been reliable: the verified badge of SpaceX.
Third, the attacker minted the entire supply — 10 trillion tokens — in a single transaction. This is the key moment. The code does not lie, only the audits do. But in this case, no audit existed. The contract had no function to prevent the deployer from minting unlimited tokens. The mint function was permissionless, but the attacker controlled the deployer key. That is not a bug; it is a feature in a scam contract.
Fourth, the attacker dumped all tokens onto a decentralized exchange — likely Uniswap V2 or a similar automated market maker. The liquidity pool was artificially small. The overwhelming sell order sent the price to near zero within seconds. The attacker netted 59 ETH. The buyers who held SCATMAN after the dump were left with worthless tokens.

The entire process: mint → list → dump → exit. Execution time: 12 minutes. Profit: $124,530. That is a 100%+ return on the effort of compromising two X accounts.
Now, let's examine the on-chain data. Lookonchain published the deployer address (0x...). A quick scan shows a single incoming transaction for ETH funding, then the deploy, then the swap. No other activity. The address is a dead wallet now. The funds were moved to two separate wallets, presumably to obscure the trail, but the total ETH outflow from the DEX pool is clear. The blockchain recorded everything. Yet that transparency did nothing to prevent the fraud.
Contrarian: The Real Vulnerability Is Not the Blockchain — It Is the Centralized Identity Layer
Retail investors will read this and draw the surface lesson: don’t buy meme coins promoted by hacked accounts. That advice is correct but incomplete. The deeper issue is that we still rely on centralized identity providers for authentication of high-value actors.
SpaceX and Starlink are not crypto projects. They are aerospace companies with no native blockchain involvement. Yet their X accounts were used to promote a token because the platform’s identity system is brittle. A SIM swap or leaked password bypasses all cryptographic security. The attacker never had to crack a private key. They simply broke the front door of the social platform.
The nascent industry is building towards decentralized identity — self-sovereign identities anchored on-chain, verifiable credentials, and reputation systems. But those are not yet integrated into mainstream social platforms. Until then, every high-profile X account is a potential attack vector. The smart contracts execute logic, not intentions. But the logic of the social platform’s authentication is what allowed the rogue logic to execute.
Furthermore, the attacker’s profit is surprisingly low relative to the damage. $124,530 is a rounding error in the context of SpaceX’s valuation. Yet the brand damage is disproportionate. The event reinforces the narrative that crypto is a scam-ridden space. It gives regulators ammunition to argue for stricter platform liability. The attacker externalized the reputational cost onto the victims and the targets.
Takeaway: Separate Identity from Platform
The SCATMAN rug pull is a signpost, not an anomaly. The next attack may not be a meme coin; it could be a fake airdrop that drains wallets, a fraudulent NFT mint, or a phishing link that compromises hardware wallets. The attack vector remains the same: exploit the gap between social trust and on-chain verification.
Until the ecosystem adopts a decentralized identity standard — where a verified badge is a cryptographic signature, not a database flag — every follower is one hack away from being a bag holder. Trust the hash, not the hype. Verify the contract on Etherscan before clicking any link. Better yet, don't click. The yield is not worth the risk.
The code did not lie in this attack. It did exactly what it was programmed to do. The problem was that we trusted the avatar, not the address. And that is a lesson we will keep learning until we fix the identity layer.
Postscript: A Personal Note
In my years auditing contracts and building DeFi strategies, I have seen this pattern repeat with chilling regularity. Each time, the market promises to learn. Each time, a new hack emerges with a slightly different wrapper. The core mechanic remains the same: exploit human trust, not code flaws. The only defense is skepticism. Audit the source, not the icon. Because, as I remind my teams: smart contracts execute logic, not intentions. And sometimes, that logic serves the attacker.