Elon Musk, Kanye West, Jeff Bezos, and More Hit by Twitter Hacking Spree

Elon Musk. Barack Obama. Jeff Bezos. Bill Gates. Mike Bloomberg. Apple. Joe Biden. Kanye West.

A tiny amount of names of the major, verified, million-plus-follower Twitter accounts that were compromised on the 15th July 2020, each looking to be promoting a bitcoin scam that to date has already earned the hackers behind it well over $100,000 in only a few short hours. Quickly to respond, Twitter appears to have blocked many, if not all, verified accounts from tweeting.

We were unable to Tweet from our verified client accounts.

It seemed to have started in the early afternoon, Eastern time, when the accounts of major cryptocurrency players were hacked within minutes of one another. Targets included Binance CEO Changpeng Zhao, the exchanges Bitfinex, Gemini, and Coinbase, the news site Coindesk, and many others. All sharing an identical message about “giving back to the community” and a link to a site called Cryptoforhealth. The page no longer opens.

The hackers shortly after moved on to internationally known tech executives, companies, celebrities, and politicians, who posted tweets with a more potentially obvious scam. The tweet remained pretty similar across the hacked accounts. “I am giving back to the community,” a typical victim’s tweet reads. “All Bitcoin sent to the address below will be sent back doubled! If you send $1,000, I will send back $2,000. Only doing this for 30 minutes.”

A lot of non-verified accounts also sent out similar messages, but it's unclear whether those accounts were also compromised, bots or having a laugh.

All the tweets appear to lead back to the same digital wallet, receiving its first incoming transaction at 3:03 pm EDT. It has recorded around 300 transactions since, although several of those are outgoing.

The bitcoin scam used is a bit of a classic, usually involving scammers impersonating celebrity accounts rather going the extra mile to actually hack them. For example, a scammer creates a fake Elon Musk account, say, and promises to pay out a big chunk of bitcoin to anyone who sends a small amount to their digital wallet.

It’s not the first time that Twitter has experienced high-profile account hacks in the past. An employee destroyed Donald Trump’s account for 11 minutes in 2017. And more recently, a continuous amount of hacks reached its limit when a SIM-swapping group that goes by “Chuckling Squad” managed to get into Twitter CEO Jack Dorsey’s account.

This current hack would be very unlikely to be SIM-card trickery; most of the Twitter accounts in question would no doubt have multiple levels of protection put in place. Coindesk specifically stated Wednesday that it had two-factor authentication enabled but was compromised all the same.

It's still unclear (to date) who was behind the attack, but according to threat intelligence firm RiskIQ it appears to be an established group. They've identified over 400 domains which are linked to the hackers, based on structural similarities with the initial site that had been circulated. The implicated domains include URLs that suggest affiliations with Bill Gates, Binance, Elon Musk, Tesla, Space X, and Walmart.

"Looking at our historical data, we see that this infrastructure has been in use for quite a while," says RiskIQ threat researcher Yonathan Klijnsma. "That tells us this group has been copying brands and using their cryptocurrency schemes for a while, but compromising verified twitter accounts was a new attack vector for them."

There has been talks that the hacks might be related to a third-party app or service that has access to Twitter’s API. But multiple scam tweets appear to have been sent by the “Twitter web app,” which is to say, using Twitter in a browser. Although that source info can be faked, it seems unlikely at this scale. All of which suggests that the hackers may have full access to these accounts, in which case they would also be able to read all of their private direct messages— exposure that in many cases should be even more concerning than the cryptocurrency scam.

“We are aware of a security incident impacting accounts on Twitter,” the official Twitter Support account tweeted Wednesday. “We are investigating and taking steps to fix it. We will update everyone shortly.” At 6:18 pm EDT, it followed up that "you may be unable to Tweet or reset your password while we review and address this incident." The limitations appear to only affect verified accounts, many of which were restored in the hours after Twitter imposed the restrictions. At around 9:30pm ET, Twitter CEO Jack Dorsey tweeted that "we all feel terrible this happened," with a promise of a detailed explanation in the future.

The official Twitter Support account gave a more detailed explanation of the company's findings so far. "We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools," the Twitter thread states. "We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it."

It's currently unclear whether that information could potentially include direct messages sent to or from the affected accounts.

Twitter also said that while most verified accounts have had service restored by now, compromised accounts will be remain locked, and will be restored "to the original account owner only when we are certain we can do so securely." Twitter further said it would take steps to limit access to internal tools.

The official Twitter explanation lines up with reports on social media and at Motherboard that indicated the hackers would have had access to internal Twitter tools, instead of hacking individual accounts.

A spokesperson for Bill Gates’ private office said in a statement, “We can confirm that this tweet was not sent by Bill Gates. This appears to be part of a larger issue that Twitter is facing. Twitter is aware and working to restore the account.”

We would say that until Twitter comes out with a full explanation and acknowledges everything is secure, no Twitter user—especially those verified and with large followings—should feel at ease.

We always tell our clients to use two-factor authentication (and you should!), but based on what we now know, that that wouldn't have protected you in the first place!