As the public feud between Elon Musk and Donald Trump heats up online, cybercrooks are wasting no time cashing in on this clash of egos.
According to new findings from BforeAI’s PreCrime Labs, at least 39 malicious domains were registered within 48 hours of Musk’s widely publicized 4 June remarks criticizing Trump’s proposed trade legislation.
These domains are designed to impersonate betting sites, fake giveaways, and crypto multipliers, all under the guise of the Musk vs. Trump rivalry.
The tactic isn’t new. Threat actors have long exploited celebrity disputes and political theater to bait users into scams. But this campaign stands out for its speed, scale, and variety of domain tactics.
Opportunistic Infrastructure
Registered on June 5 and 6, the domains used a mix of traditional and abuse-prone top-level domains (TLDs). While “.com” made up the bulk (21 of the 39 domains) others included “.xyz”, “.info”, “.fun”, “.store”, and “.icu”, all of which are commonly used in phishing campaigns due to their lower cost and lighter oversight.
Keyword patterns point to an attempt to engineer trust and urgency. Domain names like trumpvselon.com, elonprivateaccess.xyz, and trumploveselon.fun were frequently tied to crypto-themed lures. Many sites promised “exclusive” access to giveaways or investment opportunities, aiming to harvest personal information, login credentials, or direct crypto transfers.
PreCrime Labs researchers noted a secondary layer of technical manipulation: Telegram bot integrations and auto-redirects via X (formerly Twitter). In one example, the domain trumpversuselon.com prompted users to share pre-filled posts on X while simultaneously redirecting them to Telegram-based crypto scams.
“The presence of Telegram integrations and fake app stores used in this campaign represents a shift to multi-channel attack vectors,” researchers said. “There is a strong potential that we will continue to see scams spreading to other popular social media platforms, where media consumption and redirection are high.”
Themes Tailored to the Moment
Beyond financial scams, the campaign plays on public emotion and divisiveness. Several domains were crafted to provoke visceral reactions. These pages often masquerade as grassroots campaigns or fan sites, with sign-up forms that quietly harvest user data.
Some sites pivoted toward popular internet habits. Fake betting pages mirrored online gambling platforms, while others impersonated gaming merchandise stores with names like elongame.icu and elonvstrump.store. In each case, the intention was obvious: blend in, capture clicks, extract value.
PreCrime Labs marked the presence of client-side scripting and meta-refresh tags used to execute redirects and simulate legitimate interaction flows, techniques common in engagement farming and phishing operations.
Fast-Moving, Event-Driven Threats
Cybercriminals always respond quickly to real-world news, jumping on every possible bandwagon. Public figures like Musk and Trump naturally draw attention, and threat actors exploit that attention window to distribute malware, phishing lures, and financial scams before the news cycle moves on.
Malefactors use of multi-platform deception, combining social media, Telegram bots, and spoofed domain infrastructure, to extend their reach while diversifying entry points.
Looking Ahead
The takeaway lies in how quickly bad actors can mobilize around any major news. Their campaigns don’t rely on timing, amplification, and just enough plausibility to trick the curious or distracted.
Defenders must stay alert. Monitoring domain activity in real time, particularly during high-profile media events.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.