A representative scam tweet, from Apple's hacked account.
Date: July 15, 2020, 20:00–22:00 UTC
Cause: Coordinated social engineering attack
Target: High-profile verified Twitter accounts
Outcome: At least 130 accounts affected. The bitcoin addresses involved received about US$110,000 in bitcoin transactions.
Arrests: 3, as of July 31, 2020
On July 15, 2020, between 20:00 and 22:00 UTC, reportedly 130 high-profile Twitter accounts were compromised by outside parties to promote a bitcoin scam. Twitter and other media sources confirmed that the perpetrators had gained access to Twitter's administrative tools so that they could alter the accounts themselves and post the tweets directly. They appeared to have used social engineering to gain access to the tools via Twitter employees. Three individuals were arrested by authorities on July 31, 2020, and charged with wire fraud, money laundering, identity theft, and unauthorized computer access related to the scam.
The scam tweets asked individuals to send bitcoin currency to a specific cryptocurrency wallet, with the promise of the Twitter user that money sent would be doubled and returned as a charitable gesture. Within minutes from the initial tweets, more than 320 transactions had already taken place on one of the wallet addresses, and bitcoin to a value of more than US$110,000 had been deposited in one account before the scam messages were removed by Twitter. In addition, full message history data from eight non-verified accounts was also acquired.
Dmitri Alperovitch, the co-founder of cybersecurity company CrowdStrike, described the incident as "the worst hack of a major social media platform yet." The Federal Bureau of Investigation (FBI) and other law enforcement agencies are investigating the scam and the security used by Twitter. Security researchers expressed concerns that the social engineering used to execute the hack can affect the use of social media in important online discussions, including the lead-up to the 2020 United States presidential election.
Forensic analysis of the scam showed that the initial scam messages were first posted by accounts with short, one- or two-character distinctive names, such as "@6". This was followed by cryptocurrency Twitter accounts at around 20:00 UTC on July 15, 2020, including those of Coinbase, CoinDesk and Binance. The scam then moved to more high-profile accounts, with the first such tweet sent from Elon Musk's Twitter account at 20:17 UTC. Other apparently compromised accounts included those of well-known individuals such as Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, MrBeast, Michael Bloomberg, Warren Buffett, Floyd Mayweather Jr., Kim Kardashian, and Kanye West; and companies such as Apple, Uber, and Cash App. Twitter believed 130 accounts were affected, though only 45 were actually used to tweet the scam message; most of the accounts that were accessed in the scam had at least a million followers.
The tweets involved in the scam hack claimed that the sender, in charity, would repay any user double the value of any bitcoin they sent to given wallets, often as part of a COVID-19 relief effort. The tweets followed the sharing of malicious links by a number of cryptocurrency companies; the website hosting the links was taken down shortly after the tweets were posted. While such "double your bitcoin" scams have been common on Twitter before, this is the first major instance of them being used with high-profile accounts. Security experts believe that the perpetrators ran the scam as a "smash and grab" operation: knowing that the intrusion into the accounts would be closed quickly, the perpetrators likely planned that only a small fraction of the millions that follow these accounts needed to fall for the scam in that short time to make quick money from it. Multiple bitcoin wallets had been listed at these websites; the first one observed had received 12 bitcoins from over 320 transactions, valued at more than US$118,000, and had about US$61,000 removed from it, while a second had amounts in only the thousands of dollars as Twitter took steps to halt the postings. It is unclear if these had been funds added by those led on by the scam, as bitcoin scammers are known to add funds to wallets prior to starting schemes to make the scam seem legitimate. Of the funds added, most had originated from wallets with Chinese ownerships, but about 25% came from United States wallets. After it was added, the cryptocurrency was subsequently transferred through multiple accounts as a means to obscure the perpetrators' identity.
Some of the compromised accounts posted scam messages repeatedly, even after having some of the messages deleted. The tweets were labelled as having been sent using the Twitter Web app. One of the phrases involved in the scam was tweeted more than 3,000 times in the space of four hours, with tweets being sent from IP addresses linked to many different countries. The reused phrasing allowed Twitter to remove the offending tweets easily as they took steps to stop the scam.
By 21:45 UTC, Twitter released a statement saying they were "aware of a security incident impacting accounts on Twitter" and that they were "taking steps to fix it". Shortly afterwards, it disabled the ability for some accounts to tweet, or to reset their password; Twitter has not confirmed which accounts were restricted, but many users with accounts Twitter had marked as "verified" confirmed that they were unable to tweet. Approximately three hours after the first scam tweets, Twitter reported they believed they had resolved all of the affected accounts to restore credentials to their rightful owners. Later that night, Twitter CEO Jack Dorsey said it was a "tough day for us at Twitter. We all feel terrible this happened. We're diagnosing and will share everything we can when we have a more complete understanding of exactly what happened." At least one cryptocurrency exchange, Coinbase, blacklisted the bitcoin addresses to prevent money from being sent. Coinbase said they stopped over 1,000 transactions totaling over US$280,000 from being sent.
In addition to sending out tweets, the account data for eight compromised accounts was downloaded, including all created posts and direct messages, though none of these accounts belonged to verified users. Twitter also suspected that thirty-six other accounts had their direct messages accessed but not downloaded, including Dutch Parliament Representative Geert Wilders, but believed no other current or former elected official had their messages accessed.
As Twitter was working to resolve the situation on July 15, Vice was contacted by at least four individuals claiming to be part of the scam and presented the website with screenshots showing that they had been able to gain access to a Twitter administrative tool, also known as an "agent tool", that allowed them to change various account-level settings of some of the compromised accounts, including the confirmation email for the account. This allowed them to set an email address from which anyone with access to that email account could initiate a password reset and post the tweets. These hackers told Vice that they had paid insiders at Twitter to get access to the administrative tool to be able to pull this off.
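As an added example (not code from the article, from Twitter, or from any of the sources cited), the following Python runs two defender-side checks derived from the account above and from the paragraph on repeated postings: an agent-tool sequence of a contact-email change followed by a password reset on the same account, and reuse of one scam phrase across many accounts within a short window. Every log entry, account name, actor name and timestamp is constructed, and the hypothetical audit-log layout is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta


def t(hhmm):
    """Build a timestamp on the day of the incident (constructed sample data)."""
    return datetime.strptime(f"2020-07-15 {hhmm}", "%Y-%m-%d %H:%M")


# Constructed support-tool audit log: (time, support actor, target account, action).
# Actor and account names are placeholders, not real Twitter identifiers.
SUPPORT_LOG = [
    (t("19:50"), "agent_a", "@example_celeb", "email_change"),
    (t("19:58"), "agent_a", "@example_celeb", "password_reset"),
    (t("20:05"), "agent_a", "@example_exchange", "email_change"),
    (t("20:09"), "agent_a", "@example_exchange", "password_reset"),
    (t("13:00"), "agent_b", "@routine_user", "email_change"),    # ordinary ticket
    (t("17:30"), "agent_b", "@routine_user", "password_reset"),  # hours later: benign
]

SCAM = "I am giving back to my community. All Bitcoin sent to my address below will be sent back doubled!"
# Constructed tweet stream: (time, account, text). Variants differ only in case,
# punctuation or whitespace, which is what the normalisation is meant to absorb.
TWEETS = [
    (t("20:17"), "@example_celeb", SCAM),
    (t("20:20"), "@example_exchange", SCAM),
    (t("20:22"), "@example_ceo", SCAM.lower()),
    (t("20:25"), "@example_brand", SCAM + " Only doing this for 30 minutes."),
    (t("20:31"), "@example_artist", SCAM.replace("!", ".")),
    (t("20:40"), "@example_founder", "  " + SCAM),
    (t("09:00"), "@routine_user", "Good morning everyone"),
]


def takeover_sequences(log, window=timedelta(minutes=30)):
    """Return (account, actor, email_change_time, reset_time) for every account
    where a support actor changed the contact email and a password reset
    followed within `window`: the agent-tool sequence the hackers described."""
    by_target = defaultdict(list)
    for ts, actor, target, action in sorted(log):
        by_target[target].append((ts, actor, action))
    flagged = []
    for target, events in by_target.items():
        for i, (ts, actor, action) in enumerate(events):
            if action != "email_change":
                continue
            for ts2, _actor2, action2 in events[i + 1:]:
                if action2 == "password_reset" and ts2 - ts <= window:
                    flagged.append((target, actor, ts, ts2))
                    break
    return sorted(flagged, key=lambda f: f[2])


def normalize(text):
    """Lower-case, strip punctuation and collapse whitespace so trivially
    altered copies of one phrase compare equal."""
    return " ".join(re.sub(r"[^a-z0-9 ]+", "", text.lower()).split())


def phrase_bursts(tweets, window=timedelta(minutes=60), min_accounts=5):
    """Map each normalised text posted by >= min_accounts distinct accounts
    within `window` to the set of accounts that posted it."""
    by_text = defaultdict(list)
    for ts, account, text in tweets:
        by_text[normalize(text)].append((ts, account))
    bursts = {}
    for text, posts in by_text.items():
        posts.sort()
        for i, (start, _) in enumerate(posts):
            accounts = {acct for ts, acct in posts[i:] if ts - start <= window}
            if len(accounts) >= min_accounts:
                bursts[text] = accounts
                break
    return bursts


if __name__ == "__main__":
    for target, actor, changed, reset in takeover_sequences(SUPPORT_LOG):
        print(f"suspicious: {actor} changed email on {target} at {changed:%H:%M}, reset at {reset:%H:%M}")
    for text, accounts in phrase_bursts(TWEETS).items():
        print(f"burst of {len(accounts)} accounts: {text[:40]}...")
```

The email-change window and the five-account threshold are illustrative tuning knobs; in a real deployment they would be set from the platform's normal support-ticket and posting rates.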
TechCrunch reported similarly, based on a source that stated some of the messages were from a member of a hacking forum called "OGUsers", who had claimed to have made over US$100,000 from it. According to TechCrunch's source, this member "Kirk" had reportedly gained access to the Twitter administrative tool likely through a compromised employee account, and after initially offering to take over any account on request, switched strategies to target cryptocurrency accounts starting with Binance and then higher-profile ones. The source did not believe Kirk had paid a Twitter employee for access.
The "@6" Twitter account had belonged to Adrian Lamo, and the user maintaining the account on behalf of Lamo's family reported that the group that performed the hack was able to bypass numerous security factors they had set up on the account, including two-factor authentication, further indicating that the administrative tools had been used to bypass the account security. Spokespersons for the White House stated that President Donald Trump's account, which may have been a target, had extra security measures implemented at Twitter after an incident in 2017, and therefore was not affected by the scam.
Vice's and TechCrunch's sources were corroborated by The New York Times, who spoke to similar persons involved with the events, and by other security researchers who had been given similar screenshots; tweets of these screenshots had been made, but Twitter removed these since they revealed personal details of the compromised accounts. The New York Times further affirmed that the vector of the attack was related to most of the company working from home amid the COVID-19 pandemic; the OGUsers members were able to gain access to the Twitter employees' Slack communications channel, where information and authorization processes on accessing the company's servers remotely from home had been pinned.
Twitter subsequently confirmed that the scam involved social engineering, stating "We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools." In addition to taking further steps to lock down the verified accounts affected, Twitter said they have also begun an internal investigation and have limited employee access to their system administrative tools as they evaluate the situation, as well as whether any additional data was compromised by the malicious users.
By the end of July 17, 2020, Twitter affirmed what had been learned from these media sources, stating that "The attackers successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams." Twitter had been able to further confirm by July 30 that the method used was what they called a "phone spear phishing attack": the attackers initially used social engineering to obtain the credentials of lower-level Twitter employees who did not have access to the admin tools, and then, using those employee accounts, engaged in additional social engineering attacks to get the credentials to the admin tools from employees who did have authorization for their use.
Bloomberg News, after investigation with former and current Twitter employees, reported that as many as 1,500 Twitter employees and partners had access to the admin tools that would allow for the ability to reset accounts as had been done during the incident. Former Twitter employees had told Bloomberg that even as late as 2017 and 2018, those with access would make a game of using these tools to track famous celebrities, though the amount of data visible through the tools alone was limited to elements like IP address and geolocation information. A Twitter spokesperson told Bloomberg that they do use "extensive security training and managerial oversight" to manage employees and partners with access to the tools, and that there was "no indication that the partners we work with on customer service and account management played a part here". Former members of Twitter's security departments stated that since 2015, the company had been alerted to the potential for an insider attack and to other needed cybersecurity measures, but these were put aside in favor of more revenue-generating initiatives.
Security researcher Brian Krebs, corroborating TechCrunch's source and information obtained by Reuters, reported that the scam appeared to have originated in the "OGUsers" group. The OGUsers forum ("OG" standing for "original gangster") was established for selling and buying social media accounts with short or "rare" names, and according to its owner, speaking to Reuters, the practice of trafficking in hacked credentials was prohibited. Screenshots from the forum show various users on the forum offering to hack into Twitter accounts at US$2,000–3,000 each. Krebs stated one of the members may have been tied to the August 2019 takeover of Twitter CEO Jack Dorsey's Twitter account. The OGUsers owner told Reuters that the accounts shown in the screenshots had since been banned.
The FBI announced July 16 it was launching an investigation into the scam, as it was used to "perpetuate cryptocurrency fraud", a criminal offense. The Senate Select Committee on Intelligence also planned to ask Twitter for additional information on the hack, as the committee's vice-chair Mark Warner stated "The ability of bad actors to take over prominent accounts, even fleetingly, signals a worrisome vulnerability in this media environment, exploitable not just for scams but for more impactful efforts to cause confusion, havoc and political mischief". The UK's National Cyber Security Centre said its officers had reached out to Twitter regarding the incident. BitTorrent CEO Justin Sun announced a US$1 million bounty against the hackers, with his company's Twitter account stating "He will personally pay those who successfully track down, and provide evidence for bringing to justice, the hackers/people behind this hack affecting our community."
The United States Department of Justice announced the arrest and charges of three individuals tied to the scam on July 31, 2020. A 19-year-old from the United Kingdom was charged with multiple counts of conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer, and a 22-year-old from Florida was charged with aiding and abetting the intentional access. Both will be tried in the United States District Court for the Northern District of California. A third individual, a minor from Florida, was also indicted, but due to their age the charges were sealed in juvenile court in Florida. The state will try him as an adult on over thirty charges related to felony counts, including organized fraud, communications fraud, identity theft, and hacking, under the state's law allowing them to convict minors as adults for financial fraud cases. The Florida teen had pled not guilty to the charges.
Affected users could only retweet content, leading NBC News to set up a temporary non-verified account so that they could continue to tweet, retweeting "significant updates" on their main account. Some National Weather Service forecast offices were unable to tweet severe weather warnings, with the National Weather Service office in Lincoln, Illinois initially unable to tweet a tornado warning. Joe Biden's campaign stated to CNN that they were "in touch with Twitter on the matter", and that his account had been "locked down". Google temporarily disabled its Twitter carousel in its search feature as a result of these security issues.
During the incident, Twitter, Inc.'s stock price fell by 4% after the markets closed. By the end of the next day, Twitter, Inc.'s stock price ended at $36.40, down 38 cents, or 0.87%.
Security experts expressed concern that while the scam may have been relatively small in terms of financial impact, the ability for social media to be taken over through social engineering involving employees of these companies poses a major threat to the use of social media, particularly in the lead-up to the 2020 United States presidential election, and could potentially cause an international incident. Alex Stamos of Stanford University's Center for International Security and Cooperation said, "Twitter has become the most important platform when it comes to discussion among political elites, and it has real vulnerabilities."
Twitter chose to delay the rolling out of its new application programming interface (API) in the aftermath of the security issues.
Though not part of the Twitter incident, Steve Wozniak and seventeen others initiated a lawsuit against Google the following week, asserting that the company did not take sufficient steps to remove similar Bitcoin scam videos posted to YouTube that used his and the other plaintiffs' names, fraudulently claiming to back the scam. Wozniak's complaint identified that Twitter was able to act within the same day, while he and the other plaintiffs' requests to Google had never been acted upon.