July 15 will go down as an infamous day for Twitter, as an unknown attacker managed to take control of a number of accounts on the social media platform before duping unwary users into a Bitcoin giveaway hoax.

The event grabbed media attention, as some of the world’s most notable companies, politicians and business leaders had their accounts compromised before sharing similar messages touting a Bitcoin (BTC) giveaway that required users to send coins to an address before receiving double that amount back.

The likes of Tesla founder Elon Musk, former United States president Barack Obama, 2020 U.S. presidential candidate Joe Biden, Amazon owner Jeff Bezos as well as Microsoft co-founder Bill Gates had their accounts taken over to share similar messages telling users to send $1,000 to an address in order to receive $2,000 in BTC in return.

Tweet

The company Twitter accounts of Apple, Uber and CashApp were also used to share the duplicitous messages. The accounts of Hollywood celebrity couple Kanye West and Kim Kardashian and of rappers Wiz Khalifa and the late XXXTentacion were also victims, among other famous people.

Notable cryptocurrency figures Changpeng “CZ” Zhao, Justin Sun, Charlie Lee, King Cobie and AngeloBTC also had their accounts hacked. Major cryptocurrency exchanges Binance, Coinbase, Bitfinex and Gemini fell victim to the attack along with the Twitter accounts of Bitcoin and Ripple.

Some of these accounts did not directly list the same Bitcoin address as Musk and others but rather prompted users to visit a malicious website in order to be considered for a fake 5,000 BTC giveaway. Users would allegedly receive double the amount of BTC they sent to the given address.

The website has since been taken down, and the domain registration information has now been removed from the Whois domain registration database for privacy reasons. Nevertheless, the name of the registered owner and their physical address was widely published.

The latest search of the BTC address shared by Musk and other compromised Twitter accounts shows that it has received 12.86584703 BTC since the heist began. The attackers also tried to gain control of Cointelegraph’s Twitter account but were unsuccessful.

For some of the unfortunate targets of the hack such as CZ, who is the CEO of Binance, such a large-scale hack of Twitter accounts belonging to high-profile users and the theft of over 12 BTC is “a wake up call for social media platforms.”

An inside job?

There’s evidence that the attacker may have been helped by an existing Twitter employee or developer, as they had access to the administrative panels of the various accounts that were compromised. Twitter confirmed that the attackers had accessed internal employee tools that allowed them to take full control of the various accounts. Other users on Twitter speculated that the attackers changed either the phone numbers or email addresses for verification in order to take control of the accounts.

Vice’s Motherboard reported that screenshots of a hacker using an internal Twitter user administration tool on a number of the accounts in question were being shared among hacking groups. The publication also claimed that hackers confirmed they paid a Twitter employee in order to gain access to the tools needed to carry out the attack.

For example, a screenshot of the admin panel of Binance’s Twitter account was shared and widely published across social media. It’s understood that Twitter then began removing screenshots of user admin panels that were posted by various accounts on the platform — given the sensitive information displayed on these pages.

Twitter then took measures to curb any further damage by locking the affected accounts and removing the nefarious tweets. Following that, the social media platform then limited the functionality of a larger group of verified accounts while it investigated the situation. As a result, users began to experience limited functionality. The Whale Alert Twitter account informed its following that the changes meant that its bot could no longer alert users with automated posts on the platform.

A hidden message

Adding intrigue to the saga is the discovery by users on Reddit of a not-so-hidden message in one of the transaction outputs. The sender of this particular transaction spent $11 in transaction fees to have the following text included in the tx output:

“Just Read All. Transaction Outputs As Text. You Take Risk When Use Bitcoin. For Your Twitter Game. Bitcoin is Traceable. Why Not Monero.”

What is not clear is whether the sender of this message was responsible for the Twitter hack or just another user taking the opportunity to tout the privacy-centric cryptocurrency Monero (XMR).

Crypto on the move

A little over 24 hours after the hack, the attackers began to move some funds to an address that had previously sent Bitcoin to wallets on BitPay and Coinbase. The various Twitter accounts that were compromised had prompted users to send their BTC to one address, but the funds have now been moved to another address.

Blockchain analytics company Whitestream has identified three different transactions from the address to these mainstream cryptocurrency exchanges. One involved a transfer of 1.2 BTC in May, while the latter two transactions were made two days before this ongoing Twitter debacle.

Cointelegraph has also reported that Binance, Coinbase and BitGo may have information that could identify those behind the hacking incident. Cointelegraph reached out to Binance’s CZ to find out if Twitter had divulged any details of how hackers gained control of the company’s account as well as his personal profile. CZ confirmed that there had been no information from Twitter regarding who had been responsible for the attack.

Looking at the incident from an ideological perspective, CZ believes that the breach does not necessarily reflect badly on Bitcoin and proves that the cryptocurrency is inherently valuable. On the flip side, CZ says it’s hard to argue against the idea that the hack has reflected poorly on Twitter and its internal security system, which should lead to improvements:

“We believe this is a good wake up call for all social media platforms to revamp their security practices given the increased adoption of cryptocurrencies. Social media platforms are no longer just a place to share a selfie, it can and will be used for financial transactions and even crime. Stronger security needs to be built into these platforms.”

CZ highlighted the reality that many social media platforms don’t even offer two-factor authentication options. This was the case with Twitter until recently, but even the introduction of 2FA was made redundant by other security options that bypass its efficacy:

“Twitter added the 2FA feature not long ago, but its implementation is flawed and leaves the ability for an attacker who brute-force attacks your account to lock the original owner out of the account. It even resets 2FA and email address, which defeats the purpose of 2FA. I tweeted about this less than a month and half ago.” 

If it was a hack on Twitter’s back-end administration system itself, CZ suggested that Twitter and other social media platforms need to “quickly move to a zero-trust security architecture where even internal employees can’t make these types of account take-overs.”

CZ believes that this hack shines a spotlight on what he described as an “inherent flaw built into the centralized web,” which has unfortunately involved Bitcoin as the method of stealing funds. However, the Binance CEO believes that there is a positive to come out of the high-profile event, as attention will now be set on fixing the issue: “This is something we, the crypto industry players, have been asking for a long time, and it will finally get real attention.”

A reminder to practice good cybersecurity measures

Cybersecurity company Kaspersky also weighed in on the series of events that have transpired in a correspondence with Cointelegraph. Kaspersky’s threat research and security intelligence communications officer, Blair Dunbar, said that the company was only able to draw conclusions on the facts that have been publicly confirmed:

“Twitter wrote that several of its employees were victims of the attack. This suggests that the criminals attempted to gain access to the platform’s infrastructure through their accounts. In addition, the fact that the criminals were able to immediately gain access to such a large number of accounts suggests that something internal in the system was compromised.”

According to Dunbar, the motive behind the attack seems to have been financial gain, which points to a criminal group. The company believes that a nation state would have used the access to collect “private information, such as DMs from persons of interest” rather than taking control of high-profile company accounts such as Uber, Apple and the various exchange accounts that were compromised.

While the situation was a negative one for both Bitcoin and Twitter in terms of public perception, Dunbar believes that it does not necessarily mean that the cryptocurrency is only used as a vehicle for hackers. “Any criminal can abuse cryptocurrency for their own malicious purposes, but that does not mean that the cryptocurrency itself is to blame.” Furthermore, he thinks that Twitter will bounce back from the incident: “As for Twitter, they will need to work to regain users’ trust. That said, they seem to be taking the breach seriously.”

According to Dunbar, the situation is a stark reminder that users of social media platforms and online tools should be aware of the threat of hacks and nefarious organizations, and practice good safety measures. But most importantly, users “should be skeptical even if this information comes from a supposedly trustful source.”

Likewise, CZ offered a reminder that the public should do its due diligence when it comes to any online giveaways, donations and projects: “This is also an educational opportunity for the mass population and an important step for people to learn how not to fall for online scams, even if your favorite idol asks you to donate or transfer funds.”