How Xmposter detects impersonators
A scan starts from your verified identity: you sign in with X, which proves you own the handle and gives the scan your real display name, profile photo, banner and bio as ground truth. Xmposter then searches X for accounts using your name (raw and Unicode-normalized) plus lookalike variants of your handle, and scores every candidate on nine forensic signals. The result is a 0–100 score and a HIGH / MEDIUM / LOW verdict, with each triggered signal shown as evidence.
1.Display-name match (with homoglyph folding)weight: high
Impersonators copy the display name exactly or almost: a Cyrillic "А" or Greek "ο" renders identically to the Latin letter while defeating naive text comparison. Xmposter normalizes Unicode (NFKC), folds known confusable characters, strips zero-width characters and decorative emoji, and only then compares names, so "Аdem Bilican" and "Adem Bilican" score as identical.
2.Profile-picture match (perceptual hash)weight: high
Stolen avatars are re-uploads, so URLs and file bytes differ even when the picture is the same. Xmposter computes a 64-bit difference hash (dHash) of both images: the images are shrunk to a tiny grayscale grid and each pixel is compared with its neighbor, producing a fingerprint that survives resizing, re-compression and small edits. A Hamming distance near 0/64 means the same picture; small distances catch tinted or slightly cropped copies.
3.Header/banner image matchweight: medium-high
The banner is the overlooked tell: scammers copy the whole profile, and nobody shares your exact header image by coincidence. Same dHash comparison as the avatar. In documented cases both avatar and banner were pixel-identical copies (distance 0/64).
4.Lookalike handle (typosquat analysis)weight: medium-high
Handles get typosquatted four ways: character swaps (a vowel change), leetspeak substitutions (1 for l, 0 for o, 5 for s), underscore tricks (added, removed or moved), and prefix-preserving mutations that keep the readable start of the handle and garble the tail. Xmposter folds leetspeak and underscores before comparing, grades edit distance, and separately detects long shared prefixes because people read the beginning of a handle and stop.
5.Bio similarityweight: medium
Cloned bios are pasted verbatim (often including the real person's contact email and affiliations) sometimes with scam bait appended. Token-overlap and containment scoring catches both the verbatim copy and the copy-with-additions.
6.Bulk-registration handle patternweight: medium
A handle like EE435681031276 (a couple of letters and a long digit run) is the auto-generated format X assigns at signup. Scam farms registering accounts in bulk don't bother changing it. Digit-run and entropy heuristics flag the pattern.
7.Account ageweight: medium
The real account is years old; clones are days to weeks old. Creation date is public and unforgeable, which makes it one of the most reliable signals in the set.
8.Follower profileweight: low
Single-digit followers combined with following thousands is the shape of an account built to send DMs, not to be found. Supporting signal, real namesakes can also be small accounts.
9.Verification statusweight: low
A paid checkmark proves a payment method, not an identity, so verification only mildly reduces suspicion, and its absence on an otherwise-matching profile adds a little.
Why several weak signals beat one strong one
Any single match can be innocent, namesakes share names, fans share avatars. The combination is what convicts: an identical photo and banner on a two-week-old account with a typosquatted handle has no innocent explanation. That is why the score is weighted across all nine signals rather than triggering on any one, and why legitimate namesakes reliably land in LOW while clones land in HIGH.
Want the human version of these checks? Read how to spot a fake X account, or if you're currently being impersonated, start with the playbook.
See it run on your own profile
Scan your handle for free →