Twitter saw a hack on an unprecedented scale on Wednesday when scammers targeted multiple high-profile accounts, sending a volley of tweets extorting Bitcoin from the 346 million followers of Barack Obama, Apple, Uber, Joe Biden, Elon Musk, and 20 others.
The tweets promised users that the account holders would double the donations they sent to the Bitcoin addresses provided—a classic scam. The hackers walked away with around $120,000, but, more importantly, they left some key lessons for social media platforms and the crypto industry in their wake.
Twitter has serious, new security questions to address
The scale of the attack has drawn scrutiny of Twitter’s security measures, ahead of the US election.
“These accounts could be used for far more nefarious and destabilizing applications,” Alexi Drew of the Centre for Science and Security Studies at King’s College London told Decrypt. “This kind of access could undermine elections, damage responses to health or climate emergencies through compromising critical communications links with the public, and in a worst-case scenario lead to a conflict between state actors.”
Twitter said that the hack was the result of a “social engineering campaign,” which targeted employees and allowed hackers to gain access to its internal systems. But tech publication Motherboard claimed its sources said the hackers had help from inside the company.
“The fact that so many different users have been compromised at the same time implies that this is a problem with Twitter’s platform itself,” said BBC cybersecurity specialist Joe Tidy.
Criticism has rained down on Twitter, and other social media platforms. Republican Senator Josh Hawley wrote to Twitter imploring founder Jack Dorsey to cooperate with federal officials in investigating the attack. One option is decentralizing Twitter to remove its “single point of failure” that enabled the hack, but the social media platform is already exploring this possibility.
People are now more savvy to social media scams
The scam was surprisingly ineffective. The hacker, or hackers, garnered only some $118,000 (12 Bitcoin) in three hours, which is relatively small considering the massive reach of the accounts targeted.
Twitter is not a new venue for scammers—although past scams would simply set up phony accounts and pretend to be a well-known figure giving away free crypto. But taking over real users accounts is moving up a gear.
In the crypto industry, hacks have been relatively commonplace. In May, Bitcoin worth $40 million was drained from Binance, one of the largest exchanges.
Considering the size of the attack, the work involved in organizing it, and its likely cost (especially if an insider was involved), the gains were minimal. The hackers may have hoped to attract many more people, and their lack of success suggests that social media users are cottoning on to scammers techniques, and less likely to be fooled.
“Arguably, people have grown more accustomed to these sorts of scams due to recent high profile incidents like this,” Social media industry consultant Matt Navarra told Decrypt.
But that’s unlikely to stop the scammers, who will simply evolve new methods, he added.
Bitcoin can’t shake its scam reputation
Notably, the media coverage has often blamed Bitcoin for the scam, rather than Twitter.
Twitter’s stock has suffered but not inordinately, and is down just 3% percent. Considering the reach of the accounts targeted, a relatively small number of users (376) lost funds. But for Bitcoin, it’s yet more bad publicity, linking the cryptocurrency once more with hackers and scams.
“It’s a shame that people are now associating Bitcoin with this Twitter hack as Bitcoin itself has never been hacked and wasn’t the problem in this scenario,” said Danny Scott, CEO at CoinCorner, adding, “The problem was a centralized service (Twitter) which I feel helps emphasize the benefits of Bitcoin’s decentralized nature and how an attack like this could not occur on Bitcoin.”
Tom Emmer, Congressman for Minnesota’s 6th District, and co-chair of the Congressional Blockchain Caucus agreed “Bitcoin isn’t the problem. Centralized control is,” he tweeted.
On the flip side, thousands are now googling Bitcoin, but any new interest is yet to be reflected in the cryptocurrency’s price—which dropped earlier today.
Bitcoin is still the hackers’ cryptocurrency of choice
The hackers left messages engraved into their blockchain transactions, in the form of personalized Bitcoin addresses. One message noted that it was riskier to use Bitcoin, than some more private cryptocurrencies such as Monero.
“You take risk when use (sic) Bitcoin for your Twitter game. Bitcoin is traceable. Why not Monero?” the messages read.
And yet the hackers opted to use Bitcoin, despite being aware of the risks involved.
For context, Monero is a private cryptocurrency which can mask wallet and transaction data, making it easier for the hackers to operate covertly. However, it’s more difficult to buy and less well known than Bitcoin.
While Bitcoin isn’t anonymous, all transactions are public. In most cases, the flow of funds can be tracked, via Bitcoin’s public blockchain, and the hackers’ attempts to cash in their Bitcoin may be thwarted. Around the world, all eyes will now be on these Bitcoin addresses.
An industry standard is needed
The cryptocurrency industry is facing questions just as serious as those preoccupying Twitter; some would like more clarity about the best way of dealing with situations like these in the future.
Coinbase, Gemini, CoinCorner, and other cryptocurrency exchanges reacted to the scams by reportedly blocking users from giving money to the wallet addresses. This would seem to be an effective measure, as Chainalysis reported that no funds have been cashed out at exchanges as yet.
But perhaps there are better ways to deal with the situation. Could miners have blocked the transactions? Should high profile Twitter users have better means to warn their followers, or could we better identify and protect more gullible users? The biggest victim ($40k) seems to be a Japanese wallet, based on the wallet’s previous transactions with Japanese exchanges.
Right now, perhaps the best advice comes from crypto evangelist Andreas Antonopoulos in the video he recorded to warn users that his account had been hacked, and that’s: “Don’t trust, verify.”