@xcartermurphy (X impersonation account)
An X (Twitter) account described in a public post as an impersonator tied to a malware-focused social-engineering operation. Per the post, the account displayed (then removed) a well-known VC firm's tag in its bio, and a target was sent a malware-laden 'WeChat' installer plus an install command hosted on a now-scrubbed domain.
Also known as: xcartermurphy, @xcartermurphy, Carter Murphy
Note: This entry is based on a single public X post whose author was not recorded and which may since have been deleted. It includes inferences that are clearly marked unverified, and is published as a community warning — not a finding of fact about any individual's identity or nationality.
Summary
@xcartermurphy is an X (formerly Twitter) account described in a public post as an impersonation account connected to a malware-focused social-engineering operation. The account's profile lists a 2009 creation date, but the reported activity is recent. [1]
What the post described
- The post (author not recorded; likely since deleted) included a screenshot of a direct-message chat between the poster and @xcartermurphy. [1]
- The account that shared the screenshot presented itself as a startup founder funded by a well-known venture capital firm (the firm is intentionally not named here). The post characterized that account as complicit in the operation — an unverified allegation. [1]
- In the screenshot, @xcartermurphy's bio displayed that VC firm's tag; per the post it has since been removed. [1]
- The post's author said they were personally targeted: one vector was an attempt to get them to install a malware-laden version of the WeChat messaging app, delivered by email. [1]
- Linked infrastructure: a now-scrubbed domain host01eu[.]com hosted setup instructions that included a curl command fetching content from californiasmallbusinesslaw[.]com. [1]
Assessment (unverified)
The post's author speculated the operator might be based in China or linked to North Korea — an inference drawn from the attack methods rather than confirmed attribution. The wiki treats the operator's nationality and identity as unverified. The described pattern — impersonating a funded founder/recruiter to push a malicious app or a curl-piped install command — resembles documented social-engineering campaigns that target developers and crypto workers, including the North Korea-linked "Contagious Interview" operation tracked by Palo Alto Networks' Unit 42. This resemblance is offered for context only and is not an attribution of this specific account.
People & entities involved
Known links
- https://x.com/xcartermurphy (social)
Links are shown as plain text and not clickable for safety.
Sources (2)
See also
- Solana 'Validator Rewards' Giveaway (Social accounts): Impersonation + giveaway scam using a fake Solana Foundation account to solicit SOL for '2x rewards'.
- Hamza Doost (Individuals): A member of the 'SE Enterprise' crew tied to ~$250M in crypto thefts including the $243M Genesis-creditor heist. He pleaded guilty to a RICO conspiracy charge and, per reporting, faces up to 11 years in prison.
- Marlon Ferro (Individuals): A member of the 'SE Enterprise' social-engineering crew (online alias 'GothFerrari') behind ~$250M in crypto thefts (2023–2025), including the $243M Genesis-creditor heist. He pleaded guilty and was sentenced in 2026 to 78 months in prison.
This page was last updated on Jun 8, 2026.