Twitter Hack Likely More Than Just Cryptocurrency Fraud, Experts Say

July 16, 2020 Updated: July 16, 2020

Cybersecurity experts say the July 15 breach that enabled hackers to access Twitter’s internal system, resulting in the hijacking of a number of high-profile accounts, was likely more than just the cryptocurrency fraud it appeared to be. It also opened up a barrage of concerns about Twitter’s own tools.

The massive breach, which allowed one or more intruders to post on behalf of some prominent Twitter users—only generated just over $117,000 in bounty as of July 16. The FBI is now currently leading an inquiry into the Twitter hacking, unnamed sources familiar with the situation told Reuters.

The attack began in the afternoon on July 15 when prominent cryptocurrency accounts posted similar messages calling on people to deposit bitcoin into an account with a promise that the senders would receive twice their money back. The breach then quickly expanded to major accounts in business and politics, including Elon Musk, Bill Gates, Barack Obama, and Kanye West.

“It was clearly to show their clientele what they could do,” Rob Behnke, CEO at Halborn, a cybersecurity firm working with emerging technologies, told The Epoch Times, referring to the hackers.

“Now this group will be able to charge a lot more money to their black market clientele since they’ll be able to claim credit for the attack,” he said. “Bitcoin is nothing compared to the amount of global press they got.”

Behnke, like other experts, said the breach exposed two of Twitter’s major vulnerabilities: humans and backdoors.

Sophisticated hackers usually have more defined objectives that they use for social media hacks, such as large-scale financial disruption, political activism, and state-sponsored threats or large-scale electronic disruption, according to Charity Wright, a cyberthreat intelligence adviser at IntSights with 15 years of experience with the U.S. Army and the National Security Agency.

“They gained so much control over Twitter and only used it for a petty crypto scam,” Wright told The Epoch Times.

Some alleged witnesses have since come forward with screenshots of conversations from the alleged criminal (called “Kirk”) behind the operation. While the screenshots reveal that the individual prefers English, Wright said a quick analysis of the syntax “reveals that the user speaks very colloquial, somewhat broken English.” She said it indicated the person was “young, uneducated, or is not a native English speaker.”

Ray Walsh, digital privacy expert at ProPrivacy.com, said that while it’s possible the hackers did simply want to steal Bitcoin, it more likely they were “testing a new attack method that gave them access to Twitter’s back end and multiple high profile Twitter accounts.”

“The end game might even have been to prove it can be done, to then provide similar access to hackers for a price on the dark web,” Walsh told The Epoch Times. “Alternatively, it is possible that the hackers covered up their real motives … that they were really stealing data from the compromised accounts—perhaps from sensitive direct messages that might prove useful for extortion or for information-leaking purposes later on.”

Within an hour, Twitter blocked verified users from changing their passwords or posting messages in an attempt to stop the scam from spreading. The platform restored the functionality roughly two hours later as it continued to investigate the attacks.

“Most likely this was a financial scam, but potentially a ‘smokescreen’ for something more sinister,” Eliza May Austin, CEO and co-founder of th4ts3cur1ty.company, told The Epoch Times.

“Taking over social media accounts of famous people or politicians could lead to all sorts of misinformation. … It’s possible that this was ‘testing the tools’ to see if high-profile accounts can be compromised en mass,” Austin added.

Some experts said the apparent failure of the hackers to do more damage with the power they had indicates they were unlikely to be professionals.

“These are amateur actors,” Mike Hamilton, former chief information security officer (CISO) for the City of Seattle and current CISO of CI Security, a Seattle-based cybersecurity firm, told The Epoch Times.

“Wasting this access and potentially the knowledge of a valuable vulnerability is a real indicator that the perpetrators are not deep thinkers.”

Hamilton said the tactics the hackers used to monetize the access was “basically a version of a Nigerian Prince scam.” The hackers, he said, were likely African actors.

Others, however, say the hacking wasn’t a regular account compromise. Dhananjay Sampath, co-founder and CEO at Armorblox, said the hackers had very specific targets that focused on key employees with access to the admin console, which allows employees to tweet from any account.

“Twitter’s employees having access to this admin console and not having security controls that prevents this is a broader conversation of security culture within the organization,” Sampath told The Epoch Times.

Password protections won’t do much when employees can be willing participants, or be compromised via “social engineering” operations and old-school blackmail schemes, said Dr. Robert Bunker, instructor at the Safe Communities Institute, USC Sol Price School of Public Policy.

Twitter has had security incidents in the past, but the latest attacks were by far the most brazen and far-reaching.

Joe Vezzani, CEO and founder of LunarCRUSH, a social listening platform for cryptocurrencies, said the biggest takeaway from the hack “would be for our large digital media companies to iterate and rework their admin controls and who has access to ‘God Mode’ at their companies.”

Ivan Pentchoukov contributed to this report. 

Follow Bowen on Twitter: @BowenXiao_