49 votes

Apple, Elon Musk, Kanye West, and other accounts are tweeting a bitcoin scam in giant Twitter hack

37 comments

  1. [26]
    Deimos
    Link
    I don't think it's an exaggeration to say that Twitter should have been completely shut down temporarily in response to this, or at least should disable the ability to tweet until they figure out...

    I don't think it's an exaggeration to say that Twitter should have been completely shut down temporarily in response to this, or at least should disable the ability to tweet until they figure out what's going on.

    These are some massive account compromises with no obvious common link, and it's honestly really suspicious that someone decided to burn this level of access on a (relatively) obvious cryptocurrency scam. They'll probably make a few hundred thousand dollars from this, but access to prominent Twitter accounts (especially if it included the ability to read messages and other similar data) could have been worth millions or even billions.

    If they had compromised Trump's account—which doesn't seem out of the realm of possibility with some of the other ones they did get—they could have caused massive global chaos by tweeting that the US was now at war with China or something similar.

    36 votes
    1. [17]
      CALICO
      Link Parent
      A bitcoin-doubling scheme is pretty basic for 2020. Most crypto-savvy folk have likely been aware of these things for most of bitcoin's lifespan. You're massively limiting your profit for...

      A bitcoin-doubling scheme is pretty basic for 2020. Most crypto-savvy folk have likely been aware of these things for most of bitcoin's lifespan. You're massively limiting your profit for something that can bite you in the ass pretty hard. Cryptocoin-doubling in this day and age is like, Baby's First Scam. That someone was clever enough to obtain access to accounts like this, but dumb enough to waste it like this... I don't understand.

      If I had access to all these accounts—and the desire —I'd have a plan where each account would post something that would tank their associated stocks, and drag the entire market down with it. A modest investment in OTM VIX Calls would yield enough to have me worth seven to eight figures, easy. Take all that profit, re-invest in the now on-sale Calls for relevant stocks to catch the rebound when the news of the hacks is out.
      Nine figures.

      Fuck money, even. One could shape policy, or spur some kind of massive social change with access to voices like that for a day. A doubling scam? What the fuck, brah?

      20 votes
      1. [12]
        Deimos
        (edited )
        Link Parent
        Yeah, "RuneScape" is currently trending on Twitter because of so many people comparing this to the obvious scams people run in that game (and those are aimed at literal children for small amounts...

        Yeah, "RuneScape" is currently trending on Twitter because of so many people comparing this to the obvious scams people run in that game (and those are aimed at literal children for small amounts of fake money).

        It's really bizarre, I hope we get more info about this story.

        11 votes
        1. [9]
          Gaywallet
          Link Parent
          Luckily we may be dealing with a gray hat situation here, where someone decided to expose a vulnerability in a way that both made some money and highlighted a serious problem. It also wouldn't...

          Luckily we may be dealing with a gray hat situation here, where someone decided to expose a vulnerability in a way that both made some money and highlighted a serious problem.

          It also wouldn't surprise me if we hear about this money being donated at some point down the road.

          If you're smart enough to pull off a hack like this, you're smart enough to know how to do some serious damage with it. There was a conscious choice here not to.

          14 votes
          1. [7]
            emdash
            Link Parent
            If this were true though, I would've expected the highlighting of the situation to be the primary message that was broadcast, instead of just a run of the mill bitcoin scam on steroids. Whatever...

            If this were true though, I would've expected the highlighting of the situation to be the primary message that was broadcast, instead of just a run of the mill bitcoin scam on steroids. Whatever is happening, it's fascinating to watch, and shows just how vulnerable even large platforms with thousands of engineers looking over processes with a fine-tooth comb can miss things.

            6 votes
            1. [6]
              zoid
              Link Parent
              I wonder if this happened through sms spoofing. Twitter never shutdown their 40404 number... so if you can spoof someones cell phone number you can tweet from their account. EDIT: Update, they...

              I wonder if this happened through sms spoofing. Twitter never shutdown their 40404 number... so if you can spoof someones cell phone number you can tweet from their account.

              EDIT: Update, they shutdown their SMS features, interesting. I could be wrong, but I wonder if someone else had the same idea that I did.

              3 votes
              1. [5]
                emdash
                Link Parent
                It's plausible, but not confirmed, that whoever this is got access to an internal Twitter tool using for managing account state and privileges—a systems-level attack completely bypassing...

                It's plausible, but not confirmed, that whoever this is got access to an internal Twitter tool using for managing account state and privileges—a systems-level attack completely bypassing individual accounts and their own security protections like MFA. If so, that's a huge security breach, which alone has its own implications. Did someone at Twitter enable this to occur? Who knows.

                5 votes
                1. [4]
                  zoid
                  Link Parent
                  Oof, that's a significant breach if that's the case. Why is such a tool accessible to the internet? If such a tool like this is going to exist it should only be accessible on the local network,...

                  Oof, that's a significant breach if that's the case. Why is such a tool accessible to the internet?

                  If such a tool like this is going to exist it should only be accessible on the local network, unless that's already the case and someone gained access to Twitters LAN but I find that highly unlikely.

                  3 votes
                  1. [2]
                    Deimos
                    Link Parent
                    I think it's definitely possible that it was restricted like that and then they relaxed it because of everyone needing to work from home. Probably along with someone saying, "We really shouldn't...

                    I think it's definitely possible that it was restricted like that and then they relaxed it because of everyone needing to work from home. Probably along with someone saying, "We really shouldn't be doing this, but I guess it's necessary for now. We'll have to improve this soon."

                    13 votes
                    1. Amarok
                      Link Parent
                      I'd take that bet. It's exactly the kind of /shrug situation that provides the excuse to sidestep good practice.

                      I'd take that bet. It's exactly the kind of /shrug situation that provides the excuse to sidestep good practice.

                      3 votes
                  2. Amarok
                    Link Parent
                    Tools like this are inevitable in any large system - they are epic timesavers, and time is money. It'd take an iron will to avoid ever making these sorts of administrative actions easy. The safe...

                    Tools like this are inevitable in any large system - they are epic timesavers, and time is money. It'd take an iron will to avoid ever making these sorts of administrative actions easy. The safe bet is to lock it to one and only one machine and put a camera on that sucker.

                    All it takes is one bad firewall rule, one lazy user not following procedure, one newbie installing a wifi access point wrong, one manager who wants to save time, cut corners, or pull rank, one skilled social engineer, one disgruntled employee, one bad certificate, one overlooked account, one unchanged default setting, or insufficient oversight of security.

                    Security is the hardest task there is within the information technology sphere. Good security is a gargantuan pain in the ass. It's tedious, it's inconvenient, it's expensive, it's a permanently ongoing problem and a constant resource drain.

                    It's been my experience that most businesses aren't willing to meet those expenses all the time.

                    6 votes
          2. Amarok
            Link Parent
            This does raise the questions... How long has this risk existed? Has it been exploited before, without anyone noticing? What steps will be taken to prevent it from ever happening again?

            This does raise the questions...

            1. How long has this risk existed?
            2. Has it been exploited before, without anyone noticing?
            3. What steps will be taken to prevent it from ever happening again?
            4 votes
        2. whbboyd
          Link Parent
          The obvious conclusion seems pretty, ehem, obvious: whoever found the vulnerability was neither smart nor well-versed in fraud or confidence scamming. We'll see if Twitter publishes a postmortem....

          The obvious conclusion seems pretty, ehem, obvious: whoever found the vulnerability was neither smart nor well-versed in fraud or confidence scamming.

          We'll see if Twitter publishes a postmortem. I suspect management will engage in panicky scapegoating that will make it unlikely, unfortunately. I'm sure we'll find out what happened eventually when whatever law enforcement agencies get involved publish their findings, but that will take a long time.

          2 votes
        3. rmgr
          Link Parent
          As soon as I saw this I was like "Shit I used to do this in Runescape a decade ago"

          As soon as I saw this I was like "Shit I used to do this in Runescape a decade ago"

          2 votes
      2. [3]
        stu2b50
        Link Parent
        Then you'd have to deal with an SEC investigation. More money, more risk. This is easy and low risk.

        Then you'd have to deal with an SEC investigation. More money, more risk. This is easy and low risk.

        5 votes
        1. [2]
          CALICO
          Link Parent
          Here's the thing with VIX plays though: they're incredibly liquid, and it would take very little to massively profit. Neither my initial investment, nor the timing of it would be aberrant enough...

          Here's the thing with VIX plays though: they're incredibly liquid, and it would take very little to massively profit. Neither my initial investment, nor the timing of it would be aberrant enough to put the spotlight on me. Not unless I was dumb enough to buy Calls like, the moment immediately before tweeting. Half of r/wallstreetbets would profit along with me, and some would likely make more on it.

          The real trick would be properly hiding my digital trail on posting through their twitter accounts. That I don't know how to do, not to a level sufficient enough to withstand the effort of a nation state.

          4 votes
          1. zoid
            Link Parent
            Speaking entirely hypothetically you'd want someone from another country managing the tweets. At the very least you'd want to use a laptop running tails from a public wireless AP.

            Speaking entirely hypothetically you'd want someone from another country managing the tweets. At the very least you'd want to use a laptop running tails from a public wireless AP.

            1 vote
      3. Turtle
        (edited )
        Link Parent
        Maybe they want to negotiate a bug bounty with Twitter and this is how they're exposing it? I imagine an exploit this big could be worth tens of millions of dollars if its obscure enough.

        Maybe they want to negotiate a bug bounty with Twitter and this is how they're exposing it? I imagine an exploit this big could be worth tens of millions of dollars if its obscure enough.

        2 votes
    2. [2]
      arp242
      (edited )
      Link Parent
      It's interesting to see that Obama and Biden were affected, but Trump wasn't. I don't know if we should read anything in to this, but it seems to me that even for such a Bitcoin scam, Trump's...

      If they had compromised Trump's account—which doesn't seem out of the realm of possibility with some of the other ones they did get—they could have caused massive global chaos by tweeting that the US was now at war with China or something similar.

      It's interesting to see that Obama and Biden were affected, but Trump wasn't. I don't know if we should read anything in to this, but it seems to me that even for such a Bitcoin scam, Trump's account would be far more high-profile (and more effective, considering the gullibility of some of his supporters) than Biden's or Obama's.

      There would also be far more sneaky ways to cause chaos than "US is now at war with China"; I would guess that the first thing China would do is verify this through diplomatic channels, and that the US would scramble to deny this (possibly even before China has a chance to ask "what's up?"). At least, one would hope that's what would happen...

      If I wanted to cause chaos, I would do stuff like encourage the Boogaloo people from some strategically chosen accounts, or try to exploit the protests/unrest relating to BLM. That would probably be far more effective. Once the first shots are fired it'll be hard to go back on that, and it won't matter too much that the origin were fake tweets.

      Hell, they could have influenced elections with this. Consider what could have happened if they had waited until November?

      7 votes
      1. Omnicrola
        Link Parent
        I think you're right, however as others have pointed out, the damage seems very out of proportion to the severity of the security breach involved. It's like being gifted enough uranium to make a...

        I don't know if we should read anything in to this, but it seems to me that even for such a Bitcoin scam, Trump's account would be far more high-profile (and more effective, considering the gullibility of some of his supporters) than Biden's or Obama's.

        I think you're right, however as others have pointed out, the damage seems very out of proportion to the severity of the security breach involved. It's like being gifted enough uranium to make a nuke, then instead using it to make some glow-in-the-dark glassware and ship it to famous people. It seems like an attention grab rather than a truly malicious attack.

        With that in mind, doing this to Trump would be to invite the irrational anger of Trump. Assuming that the breach has a specific goal in mind, pissing off a bunch of companies and specific famous people will ellicit a certain level of response that can be anticipated to an extent. Pissing off an irrational President with an ego the size of the moon and as fragile as sugar glass is a waaay riskier and unpredictable proposition.

        6 votes
    3. [3]
      daturkel
      Link Parent
      That's an interesting point, it does seem like a relatively bad scheme considering the access they had. That being said, I'm shocked it's made so much already (over $100k USD)—I would've thought...

      That's an interesting point, it does seem like a relatively bad scheme considering the access they had. That being said, I'm shocked it's made so much already (over $100k USD)—I would've thought it would make....nothing.

      I wish the compromised accounts had linked to different BTC addresses so that we could see which accounts were the most effective at scamming their followers.

      6 votes
      1. [2]
        Greg
        Link Parent
        If it weren't an across-the-board hack, I'd find it weirdly believable that Elon Musk would choose to give away a bunch of real money in something disguised as the world's most obvious scam.

        I wish the compromised accounts had linked to different BTC addresses so that we could see which accounts were the most effective at scamming their followers.

        If it weren't an across-the-board hack, I'd find it weirdly believable that Elon Musk would choose to give away a bunch of real money in something disguised as the world's most obvious scam.

        7 votes
        1. arp242
          Link Parent
          A friend of mine sent a screenshot of just the Elon Musk tweet when I woke up this morning, and for a minute I thought it was real. Just weird crazy genius things. "Why will no one accept our...

          A friend of mine sent a screenshot of just the Elon Musk tweet when I woke up this morning, and for a minute I thought it was real. Just weird crazy genius things.

          "Why will no one accept our massive yachts?!"

          Jeff Bezos claiming he'll "give back to the community"? Now that's a dead giveaway it's a scam 🙃

          4 votes
    4. [2]
      Deimos
      Link Parent
      It looks like they're doing something, at least: lots of discussion on Twitter about all/most verified accounts (the ones with the blue checkmark) being blocked from tweeting. @stuck_in_the_matrix...

      It looks like they're doing something, at least: lots of discussion on Twitter about all/most verified accounts (the ones with the blue checkmark) being blocked from tweeting.

      @stuck_in_the_matrix (who does a lot of work with reddit/Twitter data) just tweeted this graph showing how much the volume of tweets from verified accounts dropped: https://twitter.com/jasonbaumgartne/status/1283533173704531970

      1 vote
      1. HoolaBoola
        Link Parent
        At least Lil Nas X and Nascar created side accounts that they post stuff from and retweet on their main account. Probably lots more

        At least Lil Nas X and Nascar created side accounts that they post stuff from and retweet on their main account. Probably lots more

    5. HoolaBoola
      Link Parent
      Given the fact that the hackers could have used this for way more nefarious intents, could it even be possible they're just trying to prove a point?

      Given the fact that the hackers could have used this for way more nefarious intents, could it even be possible they're just trying to prove a point?

      1 vote
  2. [4]
    pvik
    (edited )
    Link
    Damn, those are some big names! Looks like the BTC walllet has received about 5.8BTC so far [1] [2] edit: Seems to have accumulated a little more than 12BTC now

    Elon Musk ... Bill gates ...

    the accounts of Apple, Uber, Amazon CEO Jeff Bezos, Democratic presidential candidate Joe Biden, hip-hop mogul Kanye West, and former New York City mayor and billionaire Mike Bloomberg, among others, have also been compromised and are promoting the scam.

    Damn, those are some big names!

    Looks like the BTC walllet has received about 5.8BTC so far [1] [2]

    edit: Seems to have accumulated a little more than 12BTC now

    8 votes
    1. AugustusFerdinand
      (edited )
      Link Parent
      For those that don't follow the usable currency conversion rate, at present it is 12.56503500 BTC making it $115,946.25 USD since 2020-07-15 15:20. Edit: Looks like the final total is $118,430.29 USD.

      For those that don't follow the usable currency conversion rate, at present it is 12.56503500 BTC making it $115,946.25 USD since 2020-07-15 15:20.

      Edit: Looks like the final total is $118,430.29 USD.

      7 votes
    2. [2]
      synergy-unsterile
      Link Parent
      That's the scam BTC address right? It's showing up as a link back to this topic.

      [1]

      That's the scam BTC address right? It's showing up as a link back to this topic.

      4 votes
      1. pvik
        Link Parent
        Sorry, wanted to link to the bitref page for that BTC address. Fixed the link now! Also, looks like there has been 12 BTC in there now. Damn!

        Sorry, wanted to link to the bitref page for that BTC address.

        Fixed the link now!

        Also, looks like there has been 12 BTC in there now. Damn!

        4 votes
  3. [4]
    emdash
    Link
    So this is what it took for Twitter to finally block Trump from tweeting? 😆 Honestly though, this is a wild ride. I can't wait to see the post-mortem on how this was executed and what service was...

    The company also took the unprecedented measure of preventing verified accounts from tweeting at all starting sometime around 6PM ET

    So this is what it took for Twitter to finally block Trump from tweeting? 😆

    Honestly though, this is a wild ride. I can't wait to see the post-mortem on how this was executed and what service was used to break Twitter's security model, whether it was SMS, 2FA, someone internal to Twitter, etc.

    7 votes
    1. [2]
      rmgr
      Link Parent
      The_Gibson on Mastodon (an infosec dude I follow who doesn't seem to share misinformation too often) apparently has it on good authority that it was an internal user with access to the control...

      The_Gibson on Mastodon (an infosec dude I follow who doesn't seem to share misinformation too often) apparently has it on good authority that it was an internal user with access to the control panel for twitter who didn't have 2FA enabled.

      Link

      5 votes
      1. arp242
        Link Parent
        Seems to match the latest update from the TwitterSupport account:

        Seems to match the latest update from the TwitterSupport account:

        Internally, we’ve taken significant steps to limit access to internal systems and tools while our investigation is ongoing. More updates to come as our investigation continues.

    2. arp242
      Link Parent
      Twitter released a new API today (or was about to release it? Not entirely clear to me what the exact timeline is here), my money is on that being related.

      Twitter released a new API today (or was about to release it? Not entirely clear to me what the exact timeline is here), my money is on that being related.

  4. Flashynuff
    Link
    One possible explanation: https://mobile.twitter.com/thezedwards/status/1283545436041572355 There's been some exploits coming out the past few weeks around Microsoft Azure subdomains. A twitter...

    One possible explanation: https://mobile.twitter.com/thezedwards/status/1283545436041572355

    There's been some exploits coming out the past few weeks around Microsoft Azure subdomains. A twitter subdomain got an updated SSL cert yesterday that points to Azure...

    3 votes
  5. MetArtScroll
    Link
    As noted in this earlier comment here, the attackers most probably gained access to an internal Twitter tool. Sometimes, it is really tempting to create a tool available to “those who know the...

    As noted in this earlier comment here, the attackers most probably gained access to an internal Twitter tool.

    Sometimes, it is really tempting to create a tool available to “those who know the link” with which one could perform admin tasks without the “fuss” of authenticating, using a verified/vetted device, etc. Just as some other corporations suffered leaks of sensitive data as the data were stored in unencrypted files on publicly accessible hostings—it was just necessary to know the link.

    Security via obscurity is rarely a good idea.

    3 votes