Pump.fun X Account Hacked - Here's What We Know

Memecoin launchpad pump.fun’s X account was hacked on 26 February 2025.

The hacker promoted a fake governance token, impersonating pump.fun.

Based on current information, the hack was limited to the pump.fun X account.

Onchain detective ZachXBT initially warned users via Telegram, urging them to stay away from the account and avoid interacting with any posts and links.

Zach went on to confirm that the pump.fun X account hack is directly connected onchain to the Jupiter DAO (February 2025) and DogWifCoin (November 2024) X account hacks.

Zach went on to add that it is “likely” that these attacks are not the fault of either the pump.fun or Jupiter teams. His suspicion is that a threat actor is social engineering employees at X with fraudulent documents/emails, or a panel is being exploited (these aren’t confirmed to be true at this current moment in time).

Account access regained

pump.fun has confirmed via X that they’ve regained access to the @pumpdotfun X account, and based on current information, the hack was limited to just the X account. 

Co-founder @a1lon9 has since reposted the announcement.

Here are the facts (according to the pump.fun team in an X post):

- the team were notified of the account compromise at ~15:20 UTC (February 26th 2025)

- no messages were sent to the email that is connected to the @pumpdotfun X account regarding any email/password/delegation/two-factor authentication (2fa) changes. Usually when critical account information is changed, confirmation messages are sent to the account holder's email, but this wasn’t the case according to the pump.fun team.

- the email account connected to the @pumpdotfun X account was secured with 2fa (google 2fa app, unsynced with any email addresses)

- email logs confirm that no external actors ever had access to the email that is connected to the @pumpdotfun X account

- no delegations were made by the @pumpdotfun X account

- no phone numbers were connected to the @pumpdotfun X account

- the @pumpdotfun X account wasn't connected to any third-party apps

- Two-factor authentication (2FA) was turned on for the @pumpdotfun X account. In particular, a physical security key and Google 2FA (unsynced with any email addresses)

- the password to the @pumpdotfun X account has been changed regularly, and is managed by a secure password manager which can only be accessed with another password

- 2FA backups were physically written down and stored in a secure location. The people safeguarding this location confirmed that no one had access

- all passwords were complex, with sufficient length and using numbers, letters, and symbols

- at the time of the account compromise, only one person had access to the X account. this person did not click, interact, or engage with any suspicious links that could have led to this compromise

The team went on to confirm that pump.fun or anyone affiliated with the brand (including founder @a1lon9) would never post a token contract address (CA), a wallet address, or “anything of that sort”, before urging users to double check information with verified sources before making any decisions. 

Hack Szn?

The pump.fun hack is the latest in what is an apocalypse of attacks on Crypto brands and companies, especially via social media hacks that advertise fake tokens.

Just 5 days ago, we saw Cryptocurrency exchange ByBit get hacked for $1.4-billion-dollars – the biggest hack in Crypto history. Hackers are specifically targeting these Crypto companies, and it doesn’t seem like they’re going to stop anytime soon.

Be sure to stay vigilant and thoroughly verify any information you come across.

If it’s too good to be true, then it probably is.

Stay safe out there.

Disclaimer: The information provided in this article is NOT financial advice and has ONLY been presented for informational and educational purposes.