Bad actors do not let any commotion slip by without trying to turn it into a tool to advance their cause. From brief system downtime to social media spats, a threat actor can usually find one or more ways to build an attack around the moment.
Earlier in June 2025, a heated exchange between Elon Musk and President Donald Trump over trade policy set off a wave of opportunistic cyber activity.
Within 48 hours of Musk’s criticism of Trump’s “big, beautiful bill,” scammers had registered dozens of themed domains, according to the research team at BforeAI. The media buzz around the clash became the foundation for phishing sites, fake crypto giveaways, and engagement scams.
Techopedia reviewed BforeAI’s findings and spoke with the company’s Threat Research Lead, Abu Qureshi, about the speed and strategy behind the campaign.
Key Takeaways
- Fraudsters rapidly launched 39 domains within 48 hours of the Trump vs. Musk feud to exploit public attention.
- These domains mimicked livestreams, crypto platforms, and fake apps, often using Telegram bots and auto-posting tools.
- The campaign relied on emotional triggers and action-oriented keywords to lure users into scams.
- Abuse-friendly top-level domains (TLDs) like .xyz and .wtf enabled quick, low-cost deployment with minimal oversight.
- BforeAI classifies this as an “event-driven” attack model, designed to scale with viral news cycles.
- Security teams need proactive visibility into domain activity, while individuals must be cautious around trending, emotionally charged content.
The 48-Hour Domain Gold Rush
After US President Trump and Musk’s conflict erupted publicly, BforeAI researchers found that cybercriminals moved with speed to register 39 malicious domains within 48 hours.
When Techopedia asked why the malicious actors had to move that fast, BforeAI’s Qureshi explained that moving at speed helped them capitalize on the media frenzy surrounding the rift.
He told Techopedia:
“The rush to spin up infrastructure signals who we are dealing with: opportunistic threat actors who also have pre-built templates and workflows, ready to clone, brand-squat, and deploy payloads in hours, not days.”
Most of the sites paired emotionally charged language with action-based keywords in their domain names, such as trumpvselon.space, elonprivateaccess.com, and trumpbilliondollar.com. They even went as far as promising giveaways, insider access, fake crypto trading platforms, or investment opportunities.
The report notes that many imitated live streams or wallet connection tools, while others integrated social media automation and Telegram bots.
Qureshi said this level of preparation reveals something troubling about the current threat landscape. He stated:
“It’s the industrialized exploitation of attention cycles, and it’s only getting faster and more automated.”
BforeAI also found that 21 of these sites used “.com” to build trust, while the rest used abuse-friendly top-level domains (TLDs) such as .xyz, .wtf, .icu, and .info. These are often chosen by bad actors due to their low registration costs and limited oversight.
The Infrastructure Behind the Scams
The scams linked to the Trump vs. Musk row used tactics more advanced than those seen in typical phishing campaigns.
The researchers observed the use of automated bots, dynamic redirects, and multi-platform distribution.
For example, trumpversuselon.com directed users to Telegram chats and auto-posted on X. This approach extends reach and uses social proof to gain clicks. This way, when users unknowingly share the fake links, their contacts are more likely to trust and engage with them.
Speaking about the attack methods, Qureshi noted:
“Telegram bots have become backends for fraud-as-a-service. As such, they have been observed to collect credentials, automate victim interaction, and even dispatch phishing URLs.”
The threat researcher also emphasized that attackers are diversifying their tactics. “We’re also seeing more campaigns blend mobile APK lures, QR codes, and domain cloaking to avoid traditional filters and evade detection,” he said.
Fake gaming pages were also a prominent vector in the campaign, according to BforeAI. For example, elonvstrumpfight.com appeared as a browser-based game but redirected visitors to a betting scam. Similarly, elongame.icu mimicked the Google Play Store to distribute a fake app.
Event-Driven Scams Demand New Security Measures
Threat actors watch social media and news for flashpoints that spark emotional, high-traffic moments. Once a target appears, they quickly deploy domain infrastructure, web templates, and social engineering hooks. The researchers called these event-driven attacks.
The Trump versus Musk war of words followed this pattern and reflects a model of agile, mass-targeted deception relying on emotional response, fast traffic surges, and the proven effectiveness of political scams.
We witnessed a similar tactic in 2020, when hackers compromised high-profile Twitter accounts belonging to Joe Biden, Barack Obama, Elon Musk, Bill Gates, and Kim Kardashian to promote a Bitcoin (BTC) scam.
When asked what security teams and individuals can do to avoid falling prey to this type of scam, Qureshi stated that we will be playing catch-up if we stick to “detection and response” frameworks.
He explained:
“You can’t protect against this kind of activity if you are still exclusively focused on the detect-respond cycle. Security teams need visibility into domain registrations, infrastructure spin-ups, and bait campaigns about trending items before they go live.”
He further noted that integrating “threat intel feeds that flag newly registered infra, automating takedowns, and training end users to recognize real-time scams tied to trending topics are no longer optional; they are a necessity.”
The Bottom Line
The surge in malicious phishing domains linked to popular figures shows how viral moments are now central to large-scale online scams. BforeAI’s findings show this is part of a repeatable playbook and not a one-off event.
Security teams must adapt by implementing real-time domain monitoring that tracks trending topics and newly registered domains containing current event keywords.
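As an added illustration (not code from BforeAI or from this article), the sketch below triages a newly-registered-domain feed for names that combine event keywords with lure words or the TLDs named above, limited to a 48-hour window after the event. The watchlists, threshold, feed format, timestamps, and the two `.example` control names are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Assumed watchlists: event names from the article, lure words chosen for illustration.
EVENT_TERMS = ("trump", "elon", "musk")
LURE_TERMS = ("vs", "versus", "fight", "game", "private", "access", "billion", "giveaway")
RISKY_TLDS = {"xyz", "wtf", "icu", "info"}  # TLDs the article names as abuse-friendly
FLAG_AT = 3                                 # hypothetical alerting threshold


def score_domain(domain):
    """Return (score, reasons) for one newly registered domain name."""
    name = domain.strip().lower().rstrip(".")
    label, _, tld = name.rpartition(".")    # naive split, no public-suffix handling
    events = [t for t in EVENT_TERMS if t in label]
    if not events:                          # lure words alone are too common to score
        return 0, []
    lures = [t for t in LURE_TERMS if t in label]
    reasons = [f"event:{t}" for t in events] + [f"lure:{t}" for t in lures]
    score = 2 * len(events) + len(lures)
    if tld in RISKY_TLDS:
        score += 1
        reasons.append(f"tld:{tld}")
    return score, reasons


def triage(feed, event_start, window=timedelta(hours=48)):
    """Flag domains registered inside the window after the event that score high."""
    flagged = []
    for domain, registered_at in feed:
        if not event_start <= registered_at <= event_start + window:
            continue
        score, reasons = score_domain(domain)
        if score >= FLAG_AT:
            flagged.append((domain, score, reasons))
    return sorted(flagged, key=lambda row: -row[1])


# Constructed feed: names quoted in the article plus two controls; all timestamps invented.
T0 = datetime(2025, 6, 1, tzinfo=timezone.utc)  # placeholder event time, not from the article
SAMPLE_FEED = [
    ("trumpvselon.space", T0 + timedelta(hours=5)),
    ("elonprivateaccess.com", T0 + timedelta(hours=9)),
    ("elonvstrumpfight.com", T0 + timedelta(hours=20)),
    ("elongame.icu", T0 + timedelta(hours=31)),
    ("watermelonrecipes.example", T0 + timedelta(hours=12)),  # contains "elon" by accident
    ("elonmuskfanclub.example", T0 - timedelta(days=30)),     # registered before the event
]

if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_FEED, T0):
        print(f"{score:>2}  {domain:<26} {', '.join(reasons)}")
```

Requiring an event term plus at least one further signal keeps accidental substring matches such as "watermelon" below the threshold, at the cost of missing single-keyword registrations on ordinary TLDs.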
For individuals, the defense is simpler but requires discipline: pause before clicking on content that promises exclusive access to viral stories, verify domain legitimacy through official channels, and remember that emotional investment in political spectacle makes you a prime target for sophisticated manipulation schemes.