FC Barcelona, one of the most followed sports clubs on the planet, has been the victim of a sophisticated attack on its official Instagram account, which cybercriminals used to promote a cryptocurrency scam that has left thousands of victims and put the social media security of large organizations back in the spotlight.

What happened in the cyberattack on Barça's Instagram?

The attack occurred on October 7, 2025, when Barça's main account (with nearly 144 million followers) was hijacked for about an hour. During that time, the attackers published two messages announcing the alleged launch of a Barça token on the Solana network, inviting fans to invest with promises of large returns and messages such as “building something huge in Solana” and “we are going to the moon”.

The reaction was not long in coming: thousands of users bought the fake $FCB token through the Pump.fun platform, generating a trading volume that reached 3 million dollars in minutes before it almost completely collapsed. According to blockchain analysis, the hacker made about $26,000 in profit before covering their tracks and leaving fans with worthless assets.

The Express Scam: How It Operated and Why It Worked

The scam succeeded because of the trust carried by FC Barcelona's verified channel and the speed with which the token was launched and speculation took off. The hoax garnered more than 169,000 views, 1,600 comments and 1,400 reposts in record time. The club regained control on the spot, but the damage had already been done.

To gain access, cybercriminals used techniques such as cookie theft or session hijacking, which allow conventional authentication to be circumvented without knowing the password. This attack once again reminds us of the critical importance of strengthening security and monitoring controls on accounts with millions of followers.

Risks and context: sport as a priority target

Elite sports are a growing target of cybercrime. Clubs such as Barça, Real Madrid or Bologna manage enormous volumes of personal data, complex ticketing systems, e-commerce and mobile apps, making them coveted targets for fraud, extortion or attacks on members and fans. Platforms such as Pump.fun, although legal, can be used for “rug pulls” or lightning fraud, due to the lack of verification and authenticity checks on the part of the promoter.

Tips and conclusions for users and organizations

  • Be wary of investments and news communicated only on social networks, even if they come from verified accounts.
  • Don't access suspicious links or connect your wallet to unverified projects.
  • Periodically review the security of your accounts by enabling two-factor authentication, monitoring sessions and evaluating access.
  • Organizations and companies must train teams and reinforce the oversight of channels, authentication systems and monitoring of automated publications.
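
The session-monitoring advice above, together with the cookie theft and session hijacking described earlier, points to one concrete check: a session token being used by a different client than the one that logged in. The following Python is an added example, not taken from the original article or from any platform's API; the event format, field names, severity rule and sample log lines are constructed assumptions.

```python
import ipaddress

# Constructed sample events (not real data):
# (timestamp, session id, event, source IP, user agent)
SAMPLE_EVENTS = [
    ("2025-01-01T09:00:00", "s-100", "login", "198.51.100.10", "Mozilla/5.0 (Macintosh) Chrome/140"),
    ("2025-01-01T09:05:00", "s-100", "post", "198.51.100.10", "Mozilla/5.0 (Macintosh) Chrome/140"),
    ("2025-01-01T09:20:00", "s-100", "post", "203.0.113.77", "Mozilla/5.0 (X11; Linux) Firefox/143"),
    ("2025-01-01T09:30:00", "s-200", "login", "198.51.100.22", "Mozilla/5.0 (Windows) Edge/140"),
    ("2025-01-01T09:40:00", "s-200", "post", "198.51.100.23", "Mozilla/5.0 (Windows) Edge/140"),
    ("2025-01-01T09:50:00", "s-300", "post", "192.0.2.5", "curl/8.5"),
]


def network_of(ip, prefix=24):
    """Coarse network for an address, so small IP changes in one range are tolerated."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_suspicious_sessions(events, prefix=24):
    """Return (timestamp, session id, severity, reasons) for session use that
    does not match the client context recorded at login."""
    bound = {}   # session id -> (network, user agent) seen at login
    alerts = []
    for ts, sid, event, ip, ua in sorted(events):
        net = network_of(ip, prefix)
        if event == "login":
            bound[sid] = (net, ua)
            continue
        if sid not in bound:
            alerts.append((ts, sid, "high", ["no login recorded for this session"]))
            continue
        login_net, login_ua = bound[sid]
        reasons = []
        if net != login_net:
            reasons.append("network changed")
        if ua != login_ua:
            reasons.append("user agent changed")
        if reasons:
            # A network change alone is common (mobile, VPN); a different
            # user agent on the same token is the stronger replay signal.
            severity = "high" if ua != login_ua else "low"
            alerts.append((ts, sid, severity, reasons))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sessions(SAMPLE_EVENTS):
        print(alert)
```

For a high-value account, a "high" alert on a publishing action is a reasonable trigger for revoking the session and requiring re-authentication before the post goes out.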

Do you want to protect your company's social networks and public profiles against cyberattacks?

🛡️ At Apolo Cybersecurity, we analyze vulnerabilities, train teams and assist with auditing and response. Learn how to protect your digital reputation and that of your followers against emerging threats.
