Threat / Phishing & impersonation

Fake Grok / xAI subscription suspended or xAI API access revoked or Grok AI features disabled due to billing failure phishing

fake-grok-xai-subscription-billing-phish

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Phishing emails impersonating Grok or xAI claim that the Grok subscription has been suspended, xAI API access has been revoked, API keys are no longer active, or Grok AI features have been disabled due to a billing failure, and direct victims to update payment through a credential-harvesting portal. This is a distinct and growing attack category in 2025 targeting xAI's rapidly expanding user base.

Key facts:

(1) Grok is NOT covered by the existing ChatGPT/Claude/Gemini AI assistant signal. The existing AI phishing signal covers openai, chatgpt, gemini, claude, anthropic, copilot, and perplexity, but not grok or xai; attackers exploit this recognition gap by mimicking xAI's billing notification format.

(2) xAI has 80M+ X Premium subscribers (X Premium: $8-$22/month) who receive Grok AI access as part of their X subscription. A 'Grok access has been suspended due to a billing failure' email is credible because Grok is genuinely tied to X Premium billing, and users who miss a payment do lose Grok access.

(3) The xAI API is a separate billing product ($5-$15 per million tokens depending on model) targeting developers who integrate Grok into applications. A 'your API keys are no longer active, applications cannot access Grok models' email creates immediate development pipeline urgency.

(4) Grok 3 and xAI's rapid development cycle mean the platform sends frequent update and billing emails that users are already conditioned to receive and act on.

(5) xAI credentials are particularly valuable: an xAI account compromise may expose X/Twitter API credentials (if the user has developer account integration), billing information, API usage logs showing what applications have been built, and in some cases enterprise xAI contracts.

(6) The Grok phishing template has a unique angle compared to ChatGPT/Claude: because Grok is accessed primarily through X (Twitter), a 'Grok subscription billing failure' email can be used as a pretext to harvest X/Twitter credentials under the guise of resolving a billing issue.

Warning signs: the sender is not x.ai; genuine xAI billing is handled through the X Premium subscription management at x.com/premium.
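The warning signs above, expressed as a check over a raw message. This is an added example, not Gorganizer's own code or scoring logic: the regexes, function names and sample messages are constructed, and treating x.com as trusted alongside x.ai is an assumption drawn from the x.com/premium reference.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: only the two domains the page names count as genuine.
TRUSTED = ("x.ai", "x.com")
BRAND = re.compile(r"\b(grok|xai|x\.ai)\b", re.I)
LURE = re.compile(
    r"(subscription|access|features?|api keys?)[^.\n]{0,60}"
    r"(suspended|revoked|disabled|no longer active)|billing failure", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_trusted(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def check_message(raw):
    """Return the warning signs found in one single-part text message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = " ".join([msg.get("Subject", ""), display, body])
    signs = []
    if BRAND.search(text):
        signs.append("brand")
    if LURE.search(text):
        signs.append("billing-lure")
    if not is_trusted(addr.rpartition("@")[2]):
        signs.append("untrusted-sender")
    hosts = {urlparse(u).hostname for u in URL.findall(body)}
    if any(not is_trusted(h) for h in hosts):
        signs.append("offsite-link")
    return signs

def is_suspect(raw):
    # Brand + lure alone also matches genuine notices; require a mismatch too.
    signs = set(check_message(raw))
    return {"brand", "billing-lure"} <= signs and bool(
        signs & {"untrusted-sender", "offsite-link"})

# Constructed sample messages (not real mail).
PHISH = ("From: Grok Billing <billing@xai-billing.example>\n"
         "Subject: Your Grok subscription has been suspended\n\n"
         "Your xAI API access was revoked due to a billing failure.\n"
         "Update payment: https://xai-billing.example/update\n")
GENUINE = ("From: xAI <noreply@x.ai>\n"
           "Subject: Your Grok subscription has been suspended\n\n"
           "Manage billing at https://x.com/premium\n")
```

The From header is trivially spoofable, so a sender match on its own proves nothing; the link-host check is what still fires when the display address is forged.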

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
