Lamar University Press Logo

Prominent Twitter accounts hacked in Bitcoin scam

UP graphic by Timothy Cohrs

Twitter accounts of prominent companies and individuals such as former President Barack Obama, presidential candidate Joe Biden, Tesla and SpaceX CEO Elon Musk, Bill Gates, Kanye West and Apple were breached July 15. The large-scale hack appeared to involve a Bitcoin scam gathering thousands of dollars of the currency, according to The Verge, a technology news publication.

Following the attack, Twitter immediately blocked accounts from tweeting, verified or not, and put compromised accounts on lockdown.

“We have locked accounts that were compromised and will restore access to the original account owner only when we are certain we can do so securely,” Twitter support said on their official account at 4:45 p.m. CDT.

The company later released a statement broken up into a series of tweets, sharing the information they gathered starting at 9:38 p.m. CDT.

“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” Twitter support stated on their official account. “We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more as we have it.”

While Twitter didn’t release specific information about exactly which tools the hackers accessed and manipulated to carry out their attack, Motherboard, Vice News’s tech journalism outlet, reported that individuals (who remained anonymous) in the underground hacking community shared screenshots of a tool used by Twitter’s administration staff.

Motherboard contacted some of the individuals, who described how the attack was carried out.

“We used a rep that literally done all the work for us,” an individual told Motherboard.

Later, Motherboard found out from a second source that the group of hackers paid a Twitter employee to assist them in carrying out the attack using the tools the employee had access to. However, a Twitter spokesperson who spoke to Motherboard said that whether the employee hijacked accounts themselves or just gave the hackers access to the tool is still under investigation.

According to the screenshots that Motherboard received, some accounts appear to have been hijacked by changing the address linked to them using Twitter’s tool. Motherboard also reported that the Twitter user tool panel “was also used to change ownership of so-called OG accounts — accounts that have a handle consisting of only one or two characters — as well as facilitating the tweeting of the cryptocurrency scams from the high-profile accounts.”

Motherboard also obtained screenshots from Twitter users who associated themselves with the Twitter attack, which detailed whether the compromised accounts were blacklisted, protected, inactive, suspended, and more. Included in these screenshots were accounts associated with the Bitcoin trade, such as Coinbase and Gemini, which were also tweeting that they had teamed up with an organization called Crypto For Health and claimed that they were going to provide people with Bitcoin as long as they sent some to a Bitcoin wallet address first.

The account reported to be the origin of the attack and the widespread Bitcoin Twitter scam is Elon Musk’s account, which began sending tweets of illegitimate Bitcoin promotions at 3:17 p.m. CDT.

“I’m feeling generous because of COVID-19. I’ll double any BTC payment sent to my BTC address for the next hour,” the first tweet read. “Good luck and stay safe out there!”

The illegitimate tweets also contained a Bitcoin wallet address that is assumed to belong to the hacker. The same address was used in tweets sent by other compromised accounts.

Users were reported to have fallen for the scam, as records of Bitcoin transactions are public on sites like Blockchain. According to Blockchain, at the time of writing, the Bitcoin wallet address has received 12.86644654 Bitcoin, which, according to the current conversion rate, equals $117,115.16, and has sent 12.85345191 Bitcoin, which equals $116,996.88 (whether the Bitcoin that was sent went back to the original owners, went to other hackers, was used in transactions made by the hacker elsewhere, or was cashed out is not known). Also, at the time of writing, the Bitcoin wallet address contains a balance of 0.01299463 Bitcoin, which equals $118.28.

The attack is still under investigation and Twitter stated it will release more information as it becomes available. For more information, follow Twitter support @TwitterSupport.
