Everything You Need To Know About The Major Twitter Hack

Last night, Wednesday, a dozen or so major Twitter accounts were hacked as part of an organized Bitcoin scam that cheated unsuspecting people out of tens of thousands of dollars in Bitcoin. The event began at around 4 PM Eastern time and lasted for about two hours, during which compromised accounts with millions of followers Tweeted various “feeling generous” scam posts. In this kind of scam, followers are encouraged to send an amount of money to a specified user with the promise that they will receive double the amount back. Spoiler alert: nobody gets money back.

Messages like the above were sent from the hacked accounts of Jeff Bezos, Elon Musk, Kanye West, Cash App, Apple, Wiz Khalifa, Warren Buffett, Joe Biden, Mike Bloomberg, Barack Obama, MrBeast, Floyd Mayweather, XXXTentacion, and more. Even crypto accounts of Gemini, Coinbase, Binance, and Coindesk were all Here are some of the Tweets, all of which seem to direct followers to a single Bitcoin account or an organized group of them, on the promise that they’d receive double the money that they sent.
All these compromised accounts were Twitter verified, and between them, they shared tens of millions of followers. Twitter acknowledged the attack less than two hours after it began and offered the following statement.

To stop the scammer’s Tweets, Twitter temporarily disabled all verified accounts from sending Tweets.
Twitter CEO Jack Dorsey promises that the company will offer a report once the Twitter team has a better understanding of exactly what happened.
Recently, Twitter came out with a statement saying that its internal systems were compromised by the hackers, confirming theories that the attack could not have been conducted without access to the company’s own tools and employee privileges.
“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” the first tweet in a multi-tweet explainer thread reads. “We know they used this access to take control of many highly-visible (including verified) accounts and Tweets on their behalf.”
It seems as if Twitter is acknowledging here that numerous people appear to have been involved in the hacks, not just one individual, and also that numerous employees were compromised, too.

Twitter does not elaborate on what tools the attackers accessed or how exactly the attack was carried out, but Motherboard reported earlier today that various underground hacking circles have been sharing screenshots of an internal company admin tool allegedly used to conduct the account takeovers, potentially by resetting the email addresses associated with the accounts and then recovering passwords.

In an update to its investigation on the hack, Motherboard now says it’s talked to hackers who say they paid a Twitter employee to change the email addresses of popular accounts using the internal tool so that they could then take control of them.
Folks at Motherboard also shared some of the screenshots of the internal tool allegedly at the center of the hacks, including one here in which Motherboard redacted sensitive account info. Twitter is reportedly suspending accounts that share the screenshots and manually removing them for violating its rules.

(A screenshot of the internal Twitter admin tool allegedly at the center of Wednesday’s unprecedented attacks that has been circulating among hacker communities, according to Motherboard. Image via: Motherboard)

The company says it’s currently investigating “what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.” It’s theoretically possible that attackers may have had access to private direct messages, for instance. Those responsible for the attack appeared to use the account takeovers as a way to promote a bitcoin scam, one that resulted in people sending nearly $120,000 worth of the cryptocurrency to the digital wallet address listed in nearly all of the tweets, blockchain records show.

Twitter says that once it became aware of the unfolding situation, it “immediately locked down the affected accounts and removed Tweets posted by the attackers.” It also took the unprecedented step of disabling the ability for verified accounts to send new tweets.
“This was disruptive, but it was an important step to reduce risk. Most functionality has been restored but we may take further actions and will update you if we do,” the update reads. “We have locked accounts that were compromised and will restore access to the original account owner only when we are certain we can do so securely.” 
Twitter also says that it’s taken steps internally to “limit access to internal systems and tools while our investigation is ongoing.”