PHISHING THREAT REPORT

The X "vote for me to co-host a Spotify and Google podcast" DM steals your account

A DM landed in your inbox from a verified mutual you trust, asking you to vote for them to co-host a podcast run by Spotify and Google. It is a credential-phishing worm. The link opens a fake X login, and if you type your password there, your account becomes the next one blasting the same message. Here is the forensic breakdown of the July 1, 2026 outbreak.

SafeBrowz Threat Research, Security Research. July 1, 2026. 8 min read.

Is the "vote for me to co-host a Spotify and Google podcast" DM real?

Verdict: no. It is a phishing scam that hijacks X accounts. There is no program that lets you vote for someone to co-host a podcast run by Spotify and Google, and X never sends you a voting link by DM. The link opens a fake X login page on a throwaway domain that captures your password. The message reaches you from a real, verified account you trust only because that account is already hacked. Do not click the link. Log in only at x.com, never from a DM, and turn on two-factor authentication.

Why this is spreading now

On July 1, 2026, security researchers on X sounded the alarm after a verified account, @iMehreenAlam, was compromised and started blasting the "vote for me" DM to her followers and mutuals. Researcher Md Asif Khan and the account @Delhiite_ posted public warnings. @Delhiite_ put it bluntly: "ALERT: Koi bhi link mile, just don't click. Aur wo link tumhare trusted mutual se milega jiska account already hack ho chuka hoga," which means if you get any link, do not click it, and it will come from a trusted mutual whose account is already hacked. That last part is the whole engine of this attack: every hijacked account is used to phish the next batch of people who trust it, so the scam rides trust networks instead of cold spam.

The DM, word for word

The message is short and polished. Victim @Umma_sayed1 posted a screenshot of the exact text she received, followed by the link:

"Hi, can you vote for me to become a co-host of a podcast event organized by Spotify and Google in all European countries? As one of the few participant, I would really appreciate it if you vote"

Read it cold and it is designed to disarm you. It is a small favor, not a demand. It name-drops two brands everyone trusts, Spotify and Google, to borrow their credibility. It flatters the sender ("as one of the few participant") so voting feels like helping a friend hit a milestone. There is no threat, no urgency, no money. That softness is the trick. You are not on guard for a scam that just asks you to click and vote for someone you know.

Why it looks so trustworthy

The reason people click is that the message does not come from a stranger. It arrives from a real, verified account with a blue check, belonging to someone you actually follow and talk to, because that account was already taken over. There is no lookalike handle to catch, no typo in the display name, no fresh account with three followers. It is genuinely your mutual's account, sending the DM.

The social engineering goes one layer deeper. When a cautious recipient replied asking, "Is this you or is your account hacked?", the hijacked account answered "It's me." The attacker sits on the compromised inbox and replies in real time to keep the ruse alive. So a reassuring reply from the sender proves nothing. The only thing that would prove it is the sender confirming through a different channel you know is really them, like a phone call or a separate app.

What the link actually does

The link in the DM opens a page that looks like the X login screen and asks you to sign in. Victim @Umma_sayed1 confirmed exactly this: "when I received that dm, opened that link, that's asking for Password." It is not X. It is a fake X login sitting on a cheap, throwaway domain. Whatever username and password you type there go straight to the attacker, who then logs into your real account and locks you out or quietly takes it over.

The reported domains rotate, which is why no single blocklist entry is enough. Two that were used in this outbreak are on the SafeBrowz blocklist and return DANGER on our scanner. You can paste either one into the SafeBrowz scanner and watch it flag, but do not visit them or enter anything:

  • vote.gtgv.top (fake X login, on the SafeBrowz blocklist)
  • vote.r3al.top (fake X login, on the SafeBrowz blocklist)

Both sit on the .top TLD, a cheap ending attackers churn through. The operator registers a new one, seeds it into hacked accounts, and moves on when it gets blocked. The real X login lives in exactly one place: x.com (and its older name twitter.com). Anything else asking for your X password is fake, no matter how perfect the page looks.

The worm: how it spreads through trust

This is the part that makes it dangerous. The moment you enter your password on the fake page, the attacker owns your account, and the first thing they do is send the same "vote for me" DM to your mutuals. Now your friends receive it from you, a verified account they trust, and the cycle repeats. Each takeover funds the next wave of phishing. That is why it is a worm and not just a one-off phishing email: it self-propagates through the social graph, always arriving from someone the target already knows.

It also explains why the usual advice, "don't click links from strangers," does not save you here. The link never comes from a stranger. It comes from a trusted mutual whose account got taken the same way an hour earlier. The trust you have in your own network is the exact thing the scam weaponizes.

The truth about the "podcast vote"

There is no "vote to co-host a Spotify and Google podcast" program. Spotify (spotify.com) and Google (google.com) are simply being name-dropped to make the ask sound official and low-risk; neither company runs anything like this, and neither would collect votes through DMs on X. X itself never sends you a voting link, and it never asks you to re-enter your password on a page you reached from a message. If a request checks all three boxes, unsolicited DM, a link, and a login prompt, it is phishing, every time.

How SafeBrowz blocks this threat

The DM is the bait, but the account is stolen on the fake login page. That is the layer a detection engine can break. Here is what SafeBrowz does with the "vote for me" link using its 3-layer detection (Local + APIs + AI).

  • Layer 1, local detection, runs inside the browser with 60+ URL pattern signatures and 550+ brand signatures. It resolves where the link actually lands and checks whether a known brand, in this case X, is being impersonated on a domain that is not x.com or twitter.com. A page that renders the X login on something like a .top throwaway host is flagged content-free, before the login form is ready to submit. The clone can be pixel-perfect; the brand-versus-domain mismatch is enough.
  • Layer 2, reputation and API checks, aggregate threat intelligence including Google Safe Browsing, PhishTank, URLhaus, and scam-TLD signals. The two domains reported in this outbreak, vote.gtgv.top and vote.r3al.top, are already on the SafeBrowz blocklist, so a reader who pastes either into our scanner gets DANGER immediately.
  • Layer 3, AI content analysis via our proxy (Premium), reads the live page in 100+ languages and recognizes a login-and-credential-capture layout impersonating a brand. This is what catches a brand-new rotated domain that no blocklist has seen yet, the moment it loads.
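
The brand-versus-domain check described in Layer 1, together with the rule that the real X login lives only on x.com and twitter.com, sketched as an added example; this is not SafeBrowz's code. `BRAND_HOSTS` and `classifyLoginUrl` are hypothetical names, the brand label is assumed to come from a separate page-recognition step, and the sample URLs other than the two reported .top hosts are constructed.

```javascript
// Added example, not SafeBrowz code. BRAND_HOSTS and classifyLoginUrl are
// hypothetical names; the brand label is assumed to come from a separate
// page-recognition step that saw an X login form.
const BRAND_HOSTS = { x: ["x.com", "twitter.com"] };

// True when host is an allowed domain or a subdomain of one. Matching on a
// label boundary rejects "notx.com" and "x.com.vote.gtgv.top".
function hostBelongsTo(host, allowed) {
  return allowed.some((d) => host === d || host.endsWith("." + d));
}

function classifyLoginUrl(rawUrl, brand) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { verdict: "DANGER", reason: "unparsable URL" };
  }
  // Assumption: a credential form on anything but https is treated as unsafe.
  if (url.protocol !== "https:") {
    return { verdict: "DANGER", reason: "login form not on https" };
  }
  // URL.hostname is lowercased and excludes userinfo such as "x.com@";
  // drop a trailing root dot so "x.com." compares equal to "x.com".
  const host = url.hostname.replace(/\.$/, "");
  if (hostBelongsTo(host, BRAND_HOSTS[brand] || [])) {
    return { verdict: "OK", reason: `${host} is an official ${brand} host` };
  }
  return { verdict: "DANGER", reason: `${brand} login on ${host}` };
}

// Sample input: the two .top hosts are the ones reported on this page; the
// other URLs are constructed to exercise lookalike tricks.
const samples = [
  "https://x.com/login",
  "https://mobile.twitter.com/login",
  "https://X.COM./login",
  "https://vote.gtgv.top/",
  "https://vote.r3al.top/",
  "https://x.com@vote.gtgv.top/login",
  "https://x.com.vote.gtgv.top/login",
  "https://notx.com/login",
];
for (const s of samples) {
  const r = classifyLoginUrl(s, "x");
  console.log(r.verdict.padEnd(6), s, "-", r.reason);
}
```

The check compares the parsed hostname, not the string the user sees, which is why a URL that merely begins with `x.com` still comes back DANGER.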

Honest scope: SafeBrowz flags and blocks the fake X login page before you type into it, which is the right place to stop this. It cannot pull back a password you have already submitted, so the human habit, never logging in from a DM link, plus two-factor authentication, sits alongside the engine. The free browser extension does this on desktop, and the SafeBrowz Android app on Google Play applies the same engine to links you open on your phone, where most DMs are read.

Detection signatures come from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

Red flags: when a "vote for me" DM is a scam

  • It asks you to vote for a co-host of a Spotify and Google podcast. No such program exists. The brand names are borrowed credibility.
  • It came as a DM, even from a verified mutual you trust. A compromised account is still verified. The blue check does not prove the message is from your friend.
  • The link opens a page asking for your X password. X never asks you to re-enter your password on a page reached from a message.
  • The address is not x.com or twitter.com. A random domain, especially a cheap ending like .top, is the tell. The page can look perfect; the domain cannot lie.
  • The sender replies "it's me" when you ask if they were hacked. The attacker is reading the inbox. A reassuring reply proves nothing.
  • The tone is a soft favor, not a threat. This scam disarms you with flattery and a small ask, not urgency. That is deliberate.

Any one of these is reason to stop. Two or more, and you should assume the account is hacked and the message is hostile.

What to do if you clicked or entered your password

  1. Change your X password immediately at x.com. Type the address yourself or use a saved bookmark, never the DM link. If you can still log in, do this first.
  2. Revoke sessions and connected apps. Go to Settings, then Security and account access, then Apps and sessions, and sign out of everything you do not recognize.
  3. Turn on two-factor authentication, ideally with an authenticator app. If your password leaks again, this stops the takeover.
  4. Warn your contacts. Tell your mutuals not to click any "vote for me" link that came from you, because your account may have already sent it.
  5. Report the hacked mutual's account to X so it can be recovered, and report the message itself as spam or phishing.
  6. If you reused that password anywhere else, change it there too, and turn on 2FA on those accounts.

Updated July 1, 2026.

Block the fake X login before you type

SafeBrowz is a free browser extension for Chrome, Firefox and Edge (Safari coming soon) plus a live Android app that follows a "vote for me" DM link to where it lands and flags a fake X login before you enter anything. It recognizes 550+ brands and auto-flags a page that tries to impersonate them, with AI content analysis in 100+ languages for brand-new rotated domains. Free forever, no account needed. Questions: [email protected].

Bottom line: the "vote for me to co-host a Spotify and Google podcast" DM on X is a phishing worm that hijacks accounts, and it always arrives from a verified mutual whose account is already hacked. Do not click, log in only by typing x.com yourself, turn on two-factor authentication, and put SafeBrowz on your browser so the fake X login page gets flagged before you ever type your password.

Frequently asked questions

Is the "vote for me to co-host a Spotify and Google podcast" DM real?

No. There is no program that lets people vote for someone to co-host a podcast run by Spotify and Google, and X does not send voting links by DM. It is a phishing scam. The link opens a fake X login that steals your password, and the message reaches you from a verified mutual only because their account is already hacked.

The DM came from a verified account I trust. How can it be a scam?

Because that account was taken over. When an attacker hijacks a verified account, it keeps its blue check and sends the scam DM to that person's mutuals. The verification badge proves the account, not that your friend actually sent the message. Confirm through a separate channel, like a call, before trusting any link.

What does the "vote for me" link actually do?

It opens a page that looks like the X login and asks for your username and password. It is a fake login on a throwaway domain, not x.com. Anything you type there goes to the attacker, who then logs into your real account, locks you out, and sends the same DM to your contacts.

The person replied "it's me" when I asked if they were hacked. Doesn't that clear it?

No. The attacker is sitting on the compromised inbox and replies in real time to keep you clicking. A reassuring reply from the sender proves nothing. The only reliable confirmation is reaching the real person through a different channel you know is genuinely theirs.

What is the real X login domain?

Only x.com, and its older name twitter.com. Any login or "vote" page on a different domain, such as a .top host, is fake no matter how closely it copies the real X login. Reported domains in this outbreak include vote.gtgv.top and vote.r3al.top, and they rotate.

I entered my X password on the fake page. What now?

Go to x.com directly and change your password immediately, then revoke sessions and connected apps under Settings, Security and account access, Apps and sessions. Turn on two-factor authentication and warn your contacts not to click any "vote for me" link from you. If you reused that password elsewhere, change it there too.
