You should: Sign up > Write articles > tell people about your articles > Monetize them > Earn money  > learn/do/earn more

2020 Twitter bitcoin scam

From Wikiafripedia, the free afripedia (encyclopedia)
Jump to navigation Jump to search

2020 Twitter bitcoin scam
Twitter bitcoin spam apple 2020- 07-15.png
A representative scam tweet, from Apple's account. The bitcoin address has been obscured.
DateJuly 15, 2020, 20:00-22:00 UTC
TargetVerified Twitter accounts
OutcomeScammers received at least US$110,000 worth of bitcoins

On July 15, 2020, between 20:00 and 22:00 UTC, a number of high-profile Twitter accounts, each with millions of followers, were compromised in a cyberattack to promote a bitcoin scam.[1][2] The scam asked individuals to send bitcoin currency to a specific cryptocurrency wallet, with the promise that money sent would be doubled and returned.[3] Based on sources speaking to Vice and TechCrunch, the perpetrators had gained access to Twitter's administrative tools so that they could alter the accounts themselves and post the tweets directly, with the access gained either possibly through paying off Twitter employees to use the tool, or from a compromised employee's account to access the tool directly.[4][5]

As of July 16, 2020, more than 12 bitcoins (BTC or ₿) had been sent to one of the addresses involved, the equivalent of more than US$110,000.[6] Minutes after the tweets were posted, more than 320 transactions had already taken place on one of the wallet addresses.[1]

Dmitri Alperovitch, the co-founder of cybersecurity company CrowdStrike, described the incident as "the worst hack of a major social media platform yet."[2][7] Security researchers expressed concerns that social engineering that may have been used to execute the hack can affect the use of social media in important online discussions, including the lead-up into the 2020 United States presidential election.[8][9]

Incident[edit source | edit]

Forensic analysis of the scam showed that the initial scam messages were first posted by accounts with short, one- or two-character distinctive names, such as "@6".[10] This was followed by cryptocurrency Twitter accounts at around 20:00 UTC on July 15, 2020, including those of Coinbase, CoinDesk and Binance.[11][9] The scam then moved to more high-profile accounts with the first such tweet sent from Elon Musk's Twitter account at 20:17 UTC.[12] Other apparently compromised accounts included those of individuals such as Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, MrBeast, Michael Bloomberg,[6] Warren Buffett,[13] Floyd Mayweather,[9] Kim Kardashian, and Kanye West,[14][2] and companies such as Apple, Uber, and Cash App.[15] Twitter believed 130 accounts were affected;[16] most of the accounts that were accessed in the scam had at least a million followers.[2]

The tweets involved in the scam hack claimed that the sender, in charity, would repay any user double the value of any bitcoin they sent to given wallets, often as part of a COVID-19 relief effort. The tweets followed the sharing of malicious links by a number of cryptocurrency companies; the website hosting the links was taken down shortly after the tweets were posted.[3] While such "double your bitcoin" scams have been common on Twitter before, this is the first major instance of them being used with high-profile accounts.[2] Security experts believe that the perpetrators ran the scam as a "smash and grab" operation: knowing that the intrusion into the accounts would be closed quickly, the perpetrators likely planned that only a small fraction of the millions that follow these accounts needed to fall for the scam in that short time to make quick money from it.[2] Multiple bitcoin wallets had been listed at these websites; the first one observed had received more than US$118,000 in bitcoin and had about US$61,000 removed from it, while a second had amounts in only the thousands of dollars as Twitter took steps to halt the postings. It is unclear if these had been funds added by those led on by the scam,[17] as bitcoin scammers are known to add funds to wallets prior to starting schemes to make the scam seem legitimate.[2] Of the funds added, most had originated from wallets with Chinese ownerships, but about 25% came from United States wallets.[10] After it was added, the cryptocurrency was then subsequently transferred through multiple accounts as a means to obscure their identity.[10]

Some of the compromised accounts posted scam messages repeatedly, even after having some of the messages deleted.[18] The tweets were labelled as having been sent using the Twitter web app.[19] One of the phrases involved in the scam was tweeted more than 3,000 times in the space of four hours, with tweets being sent from IP addresses linked to many different countries.[20] The reused phrasing allowed Twitter to remove the offending tweets easily as they took steps to stop the scam.[9]

By 21:45 UTC, Twitter released a statement saying they were "aware of a security incident impacting accounts on Twitter", and that they were "taking steps to fix it".[21] Shortly afterwards, it disabled the ability for some accounts to tweet, or to reset their password;[22] Twitter has not confirmed which accounts were restricted, but many users with accounts Twitter had marked as "verified" confirmed that they were unable to tweet.[23] Approximately three hours after the first scam tweets, Twitter reported they believed they had resolved all of the affected accounts to restore credentials to their rightful owners.[24] Later that night, Twitter CEO Jack Dorsey said it was a "tough day for us at Twitter. We all feel terrible this happened. We're diagnosing and will share everything we can when we have a more complete understanding of exactly what happened".[9]

Method of attack[edit source | edit]

Redacted screenshot of the Twitter administrative panel used to conduct the scam which had been sent to Vice

As Twitter was working to resolve the situation on July 15, Vice was contacted by at least four individuals claiming to be part of the scam and presented the website with screenshots showing that they had been able to gain access to a Twitter administrative tool that allowed them to change various account-level settings of some of the compromised accounts, including confirmation emails for the account. This allowed them to set email addresses which any other user with access to that email account could initiate a password reset and post the tweets.[10] These hackers told Vice that they had paid insiders at Twitter to get access to the administrative tool to be able to pull this off.[4]

TechCrunch reported similarly, based on a source that stated some of the messages were from a member of a hacking forum called "OGUsers", who had claimed to have made over US$100,000 from it.[5] According to TechCrunch's source, this member "Kirk" had reportedly gained access to the Twitter administrative tool likely through a compromised employee account, after initially offering to take over any account on request, switch strategies to target cryptocurrency accounts starting with Binance and then high-profile ones. The source did not believe Kirk had paid a Twitter employee for access.[5]

The "@6" Twitter had belonged to Adrian Lamo, and the user maintaining the account on behalf of Lamo's family reported that the agency that performed the action were able to bypass numerous security factors they had set up on the account, including two-factor authentication, further indicating that the admistrative tools had been used to bypass the account security.[10][25] Spokespersons for the White House stated that President Donald Trump's account, which may have been a target, had extra security measures implemented at Twitter after an incident in 2017, and thus was not affected by the scam.[10]

Vice's and TechCrunch's sources were corroborated from other security researchers who had been given similar screens, and tweets of these screens had been made, but Twitter removed these since they revealed personal details of the compromised accounts. Twitter subsequently confirmed that "We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools."[4][26] In addition to taking further steps to lock down the verified accounts affected, Twitter said they have also begun an internal investigation and have limited employee access to their system administrative tools as they evaluate the situation, as well as if any additional data was compromised by the malicious users.[27][24]

Perpetrators[edit source | edit]

Security researcher Brian Krebs corroborated with TechCrunch's source and with information obtained by Reuters that the scam appeared to have originated in the "OGUsers" group.[28][29][5][30] The OGUsers forum ("OG" standing for "Original Gangster") was established to legitimately trade social media accounts with short names, and according to its owner, speaking to Reuters, the practice of trafficking in hacked credentials was prohibited.[30] Screenshots from the forum show various users on the forum offering to hack into Twitter accounts at US$2,000-3,000 each. Krebs stated one of the members may have been tied to the August 2019 takeover of Dorsey's Twitter account.[28] The OGUsers owner told Reuters that the accounts shown in the screenshots were since banned.[30]

The Federal Bureau of Investigation (FBI) announced the following day it was launching an investigation into the scam, as it was used to "perpetuate cryptocurrency fraud", a criminal offense.[31] The Senate Select Committee on Intelligence also planned to ask Twitter for additional information on the hack, as the committee's vice-chair Mark Warner stated "The ability of bad actors to take over prominent accounts, even fleetingly, signals a worrisome vulnerability in this media environment, exploitable not just for scams but for more impactful efforts to cause confusion, havoc and political mischief".[10] The UK's National Cyber Security Centre said its officers had reached out to Twitter regarding the incident.[32]

Reaction[edit source | edit]

Affected users retained the ability to retweet content, leading NBC News to set up a temporary non-verified account so that they could continue to tweet, retweeting "significant updates" on their main account.[33] Joe Biden's campaign stated to CNN that they were "in touch with Twitter on the matter", and that his account had been "locked down".[1]

During the incident, Twitter, Inc.'s stock price fell by 4% after the markets closed.[34]

Security experts expressed concern that while the scam may have been relatively small in terms of financial impact, the ability for social media to be taken over through social engineering involving employees of these companies poses a major threat in the use of social media particularly in the leadup to the 2020 United States Presidential election, and could potentially cause an international incident.[8] Alex Stamos of Stanford University's Center for International Security and Cooperation said "Twitter has become the most important platform when it comes to discussion among political elites, and it has real vulnerabilities."[9]

BitTorrent CEO Justin Sun announced a US$1 million bounty against the hackers. The announcement was made on BitTorrent's Twitter account, and added that "He will personally pay those who successfully track down, and provide evidence for bringing to justice, the hackers/people behind this hack affecting our community."[35]

References[edit source | edit]

  1. 1.0 1.1 1.2 Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  2. 2.0 2.1 2.2 2.3 2.4 2.5 2.6 Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  3. 3.0 3.1 Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  4. 4.0 4.1 4.2 Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  5. 5.0 5.1 5.2 5.3 Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  6. 6.0 6.1 Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  7. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  8. 8.0 8.1 Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  9. 9.0 9.1 9.2 9.3 9.4 9.5 Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  10. 10.0 10.1 10.2 10.3 10.4 10.5 10.6 Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  11. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  12. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  13. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  14. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  15. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  16. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  17. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  18. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  19. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  20. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  21. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  22. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  23. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).; Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).; Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  24. 24.0 24.1 Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  25. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  26. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  27. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  28. 28.0 28.1 Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  29. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  30. 30.0 30.1 30.2 Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  31. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  32. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  33. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  34. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).
  35. Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).; Lua error in ...ribunto/includes/engines/LuaCommon/lualib/mwInit.lua at line 23: bad argument #1 to 'old_ipairs' (table expected, got nil).

External links[edit source | edit]

Template:Hacking in the 2020s Template:Twitter navbox Template:Bitcoin