$120 000 USD

JULY 2020
"On July 15, 2020, Twitter suffered one of the biggest security lapses in its history." "What happened is that multiple Twitter accounts with large following, in and outside of the crypto community were compromised and used to send Tweets offering the opportunity for people to double their money. All they had to do was send $x of BTC to a specified BTC address and they would get back double."


"[A]ttackers managed to hijack nearly 130 high-profile Twitter accounts pertaining to politicians, celebrities, and musicians, including that of Barack Obama, Kanye West, Joe Biden, Bill Gates, Elon Musk, Jeff Bezos, Warren Buffett, Uber, and Apple." "Very high profile individuals like Kanye West and Kim Kardashian, Warren Buffett, Jeff Bezos and more. Within the crypto community accounts like Coinbase and CoinDesk were tricked into sending messages. Coinbase even went a step further and blocked users from sending transactions to these addresses."


"Subsequent investigation into the incident revealed that Clark and the other attackers seized the accounts after stealing Twitter employees' credentials through a successful phone spear-phishing attack, subsequently using them to gain access to the company's internal network and account support tools, change user account settings, and take over control."


"The Florida Department of Law Enforcement found that he accessed Twitter’s systems by convincing an employee he worked in the company’s information technology department. He then managed to access the company’s customer service portal." "Clark used the phony tweets to direct people to send bitcoin to accounts he owned, prosecutors said."


"The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools."


"This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems. This was a striking reminder of how important each person on our team is in protecting our service. We take that responsibility seriously and everyone at Twitter is committed to keeping your information safe." "The New York Times further affirmed that the vector of the attack was related to most of the company remote working during the COVID-19 pandemic. The OGUsers members were able to gain access to the Twitter employees' Slack communications channel where information and authorization processes on accessing the company's servers while remote working had been pinned."


"Ars Technica obtained a more detailed report from a researcher who worked with the FBI on the investigation. According to this report, attackers scraped LinkedIn in search of Twitter employees likely to have administrator privileges over account-holder tools. Then attackers obtained these employees' cell phone numbers and other private contact information via paid tools LinkedIn makes available to job recruiters. After choosing victims for the next stage, attackers contacted Twitter employees, most of whom were working remotely due to the COVID-19 pandemic, and, using the information from LinkedIn and other public sources, pretended to be Twitter personnel. Attackers directed victims to log into a fake internal Twitter VPN. To bypass two-factor authentication, attackers entered stolen credentials into the real Twitter VPN portal, and 'within seconds of the employees entering their info into the fake one', asked victims for the two-factor authentication code."
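The relay described in the report above is the reason a one-time code typed into a lookalike portal still works on the real one: nothing in the code says which site it was entered into. The following model, added here and not code from the page, Twitter or the cited researcher, replays that relay against RFC 6238 TOTP and then against an origin-bound assertion of the WebAuthn kind, where the authenticator signs the origin the browser actually loaded. All secrets, hostnames and the clock value are constructed placeholders, and an HMAC stands in for the public-key signature.

```python
import hashlib
import hmac
import json
import struct

TOTP_SECRET = b"constructed-totp-seed"             # constructed sample value
AUTH_KEY = b"constructed-authenticator-key"        # stands in for a FIDO private key
REAL_ORIGIN = "https://vpn.example.test"           # placeholder for the real portal
FAKE_ORIGIN = "https://vpn-example.attacker.test"  # placeholder for the lookalike
T0 = 1594857600                                    # fixed clock: 2020-07-16 00:00 UTC


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, dynamic truncation)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def portal_accepts_totp(code: str, now: int) -> bool:
    """Real portal: accepts the code for the current or the previous step."""
    return any(hmac.compare_digest(code, totp(TOTP_SECRET, now - d)) for d in (0, 30))


def origin_bound_assertion(challenge: str, origin: str) -> str:
    """Authenticator signs the challenge together with the origin it was
    invoked from (the WebAuthn clientData idea); HMAC models the signature."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}).encode()
    return hmac.new(AUTH_KEY, client_data, hashlib.sha256).hexdigest()


def portal_accepts_assertion(challenge: str, assertion: str) -> bool:
    """Real portal verifies the assertion against its own origin only."""
    expected = origin_bound_assertion(challenge, REAL_ORIGIN)
    return hmac.compare_digest(expected, assertion)


def relay_totp(now: int = T0) -> bool:
    """Victim types the code into the fake portal; the attacker forwards it
    a few seconds later. The code is not tied to any site, so it is accepted."""
    code_typed_into_fake_portal = totp(TOTP_SECRET, now)
    return portal_accepts_totp(code_typed_into_fake_portal, now + 5)


def relay_origin_bound(challenge: str = "c0ffee") -> bool:
    """Same relay against origin-bound auth: the real portal's challenge is
    forwarded to the victim, but the authenticator signs over FAKE_ORIGIN,
    so the real portal rejects the forwarded assertion."""
    assertion_from_victim = origin_bound_assertion(challenge, FAKE_ORIGIN)
    return portal_accepts_assertion(challenge, assertion_from_victim)
```

The TOTP relay returns True and the origin-bound relay returns False, which is the property that makes phishing-resistant MFA the control for this class of attack rather than a longer or shorter code lifetime.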


"By obtaining employee credentials, they were able to target specific employees who had access to our account support tools. They then targeted 130 Twitter accounts - Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7," the company said on July 31.


"The broadly targeted hack posted similarly worded messages urging millions of followers of each profile to send money to a specific bitcoin wallet address in return for larger payback."


"Everyone is asking me to give back, and now is the time," a tweet from Mr Gates' account said. "You send $1,000, I send you back $2,000."


"The attack appears to have been initially directed against cryptocurrency-focused accounts, such as Bitcoin, Ripple, CoinDesk, Gemini, Coinbase and Binance, all of which were hacked with the same message:"


"We have partnered with CryptoForHealth and are giving back 5000 BTC to the community," followed by a link to a phishing website that has since been taken down.


"On the official account of Mr Musk, the Tesla and SpaceX chief appeared to offer to double any Bitcoin payment sent to the address of his digital wallet 'for the next 30 minutes'."


"As of writing, the scammers behind the operation have amassed nearly $120,000 in bitcoins, suggesting that unsuspecting users have indeed fallen for the fraudulent scheme." "The scheme netted about $117,000 in bitcoin before it was shut down." "All in all, nearly 13 BTC ($120,000) was taken." "Of the funds added, most had originated from wallets with Chinese ownerships, but about 25% came from United States wallets." "At least one cryptocurrency exchange, Coinbase, blacklisted the bitcoin addresses to prevent money from being sent. Coinbase said they stopped over 1,000 transactions totaling over US$280,000 from being sent."


"We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly." "Although the tweets from the compromised accounts have been deleted, Twitter took the extraordinary step of temporarily stopping many verified accounts marked with blue ticks from tweeting altogether."


"Account hijacks on Twitter have happened before, but this is the first time it's happened at such an unprecedented scale on the social network, leading to speculations that hackers grabbed control of a Twitter employee's administrative access to 'take over a prominent account and tweet on their behalf' without having to deal with their passwords or two-factor authentication codes."


"The accounts appear to have been compromised in order to perpetuate cryptocurrency fraud," the FBI's San Francisco field office said in a statement. "We advise the public not to fall victim to this scam by sending cryptocurrency or money in relation to this incident." "The US Senate Commerce committee has demanded Twitter brief it about the incident next week."


"It cannot be overstated how troubling this incident is, both in its effects and in the apparent failure of Twitter's internal controls to prevent it," Senator Roger Wicker wrote to the firm.


"We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools," the company said in a series of tweets. "Internally, we've taken significant steps to limit access to internal systems and tools while our investigation is ongoing."


"With so much power at their fingertips the attackers could have done a lot more damage with more sophisticated tweets that could have harmed an individual or organisation's reputation."


"But the motive seems to be clear - make as much money as quickly as they can. The hackers would have known that the tweets wouldn't stay up for long so this was the equivalent of a 'smash and grab' operation."


"For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information through our “Your Twitter Data” tool. We are reaching out directly to any account owner where we know this to be true." "There is a lot of speculation about the identity of these 8 accounts. We will only disclose this to the impacted accounts, however to address some of the speculation: none of the eight were Verified accounts."


"We believe that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including 1 elected official in the Netherlands. To date, we have no indication that any other former or current elected official had their DMs accessed."


"Graham Ivan Clark, 17, of Tampa, was arrested on 30 charges. Authorities say he was the 'mastermind' of a July 15 Twitter hack scheme which gave him and two others access to the high-profile accounts of Bill Gates, Barack Obama and many other celebrities with millions of followers." "Clark, a student at Gaither High School, was arrested days later at his home in the Northdale area of Hillsborough County."


"Specifically, 30 felony charges were filed against Clark, including one count of organized fraud, 17 counts of communications fraud, one count of fraudulent use of personal information with over $100,000 or 30 or more victims, 10 counts of fraudulent use of personal information, and one count of access to computer or electronic device without authority."


"Prosecutors charged Clark in state court, they said, because state law allowed greater flexibility to try a minor as an adult in a financial fraud case."


"He took over the accounts of famous people, but the money he stole came from regular, hard-working people," Hillsborough State Attorney Andrew Warren said in a statement.


“Graham Clark needs to be held accountable for that crime, and other potential scammers out there need to see the consequences,” Hillsborough State Attorney Andrew Warren said in a statement. “In this case, we’ve been able to deliver those consequences while recognizing that our goal with any child, whenever possible, is to have them learn their lesson without destroying their future.”


"Provisions of the plea agreement require that Clark will be barred from using computers without permission and supervision from law enforcement. He will have to submit to searches of his property and give up the passwords to any accounts he controls."


"His defense attorney, David Weisbrod, confirmed that Clark had turned over all the cryptocurrency he had acquired."


"Additionally, the three individuals attempted to monetize this entrenched access by selling the hijacked accounts on OGUsers, a forum notorious for peddling access to social media and other online accounts."


"Two others, Nima Fazeli of Orlando and Mason Sheppard of the United Kingdom, were also charged with federal crimes related to the scheme."


"In light of the hacks, Twitter said it's making security improvements aimed at detecting and preventing inappropriate access to its internal systems, which were used by more than 1,000 employees and contractors as of early 2020."


"We’re always investing in increased security protocols, techniques and mechanisms – it’s how we work to stay ahead of threats as they evolve. Going forward, we’re accelerating several of our pre-existing security workstreams and improvements to our tools. We are also improving our methods for detecting and preventing inappropriate access to our internal systems and prioritizing security work across many of our teams. We will continue to organize ongoing company-wide phishing exercises throughout the year."

On July 15th, 2020, the largest breach in Twitter's history occurred, with over 130 accounts compromised, including 45 password resets, which were then used to launch giveaway scams. In total, $120,000 worth of bitcoin was taken in the attacks. While the funds were recovered by authorities, there is no information on whether any of the funds were returned to victims, most of whom were located in China.

Sources And Further Reading

What is this Bitcoin scam on Twitter? - Quora (Mar 20)
Tampa Twitter hacker agrees to three years in prison (Mar 20)
18-Year-Old Hacker Gets 3 Years in Prison for Massive Twitter 'Bitcoin Scam' Hack (Mar 20)
@TheHackersNews Twitter (May 3)
Address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh - Bitcoin(BTC) - BTC.com Professional Data Service for Global Blockchain Enthusiasts (May 3)
Several High-Profile Accounts Hacked in the Biggest Twitter Hack of All Time (May 3)
@RachelTobac Twitter (May 3)
https://www.bbc.com/news/technology-53425822 (May 3)
@jack Twitter (May 3)
@TwitterSupport Twitter (May 3)
An update on our security incident (May 3)
@cameron Twitter (May 3)
https://www.bbc.com/news/technology-53433894 (May 3)
@TwitterSupport Twitter (May 3)
2020 Twitter account hijacking - Wikipedia (May 3)
Talk:2020 Twitter account hijacking/Archive 1 - Wikipedia (May 3)
https://web.archive.org/web/20200716223043/https://www.nytimes.com/2020/07/16/technology/twitter-hack-investigation.html (May 3)
From Hacking $4.1 Million to Prison | The IRL Money Doubler - YouTube (Jul 12)
@amanusk_ Twitter (Jul 24)
Bitcoin / Transaction / 63015d329fc7b9fde1809291ca4b483112ea9abe05bbe47fa6b8677ee860f119 — Blockchair (Jul 24)
Bitcoin / Address / bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh — Blockchair (Jul 24)
Darknet Diaries - 112: Dirty Coms (Feb 5)
Watch Out For These 4 Bitcoin Scams – Forbes Advisor (Oct 17)
Timeline of Cyber Incidents Involving Financial Institutions - Carnegie Endowment for International Peace (Dec 12)

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.