Sergey Nivens - Fotolia

Cryptocurrency scammers attack Twitter in insider breach

Apparent insider breach at Twitter saw so-called “blue tick” accounts of business people, politicians and celebrities hijacked to promote a Bitcoin scam

High-profile Twitter accounts including those of tech billionaires Jeff Bezos, Bill Gates and Elon Musk, politicians Joe Biden and Barack Obama, rapper Kanye West and reality star Kim Kardashian are among many “blue tick” verified accounts hacked in a major breach of the social media platform’s systems, and hijacked to promote a cryptocurrency scam.

Messages posted to the compromised accounts promised people they’d receive double their money back if they paid into a Bitcoin wallet, which rapidly swelled to a total dollar value of over $100,000 as the scam entrapped its victims.

Although the malicious tweets were swiftly removed, Twitter took several hours to bring the situation under control, at one point suspending the ability of every verified account on its books to use the platform.

As of approximately 4am UK time on 16 July, Twitter appeared to have restored normal access to its service. In a series of tweets, a spokesperson said the accounts had likely been compromised through what is known as an insider breach.

“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” it said.

This appeared to confirm claims made by sources with alleged links to the hack, who said they had paid an insider at Twitter for access to an internal administration tool, as per Vice’s Motherboard.

Screenshots posted widely of this tool appear to show its legitimate use is to allow Twitter to take control of accounts, alter their details, and even suspend them, presumably as a moderation feature to combat abuse on the platform.

Malicious activity

Twitter said: “We know they used this access to take control of many highly visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.

“Once we became aware of the incident, we immediately locked down the affected accounts and removed Tweets posted by the attackers.

“We also limited functionality for a much larger group of accounts, like all verified accounts (even those with no evidence of being compromised), while we continue to fully investigate this.

“This was disruptive, but it was an important step to reduce risk. Most functionality has been restored but we may take further actions and will update you if we do,” said the spokesperson.

“We have locked accounts that were compromised and will restore access to the original account owner only when we are certain we can do so securely.

“Internally, we’ve taken significant steps to limit access to internal systems and tools while our investigation is ongoing. More updates to come as our investigation continues,” said Twitter.

Read more about insider threat

  • Dealing with the human element in security is tough, but critical. This primer describes the types of insider threats and how to use a risk matrix to assess and rank them by importance.
  • During these challenging times, organisations can't overlook the risk of insider threats as employees worry about layoffs, newly adopted remote working technology and more.
  • Insider threat programs may backfire if employees feel they are intrusive and violate privacy, Forrester Research warns. Making sure these programmes don't go too far should fall to HR.

The scam deployed by the hackers is a relatively commonplace one; cryptocurrencies such as Bitcoin are frequently used by cyber criminals at least in part because they use encryption to secure the transaction process, which is conducted through anonymous hash codes over a peer-to-peer network.

However, the breach does raise questions for Twitter over the wider security and public safety implications – particularly in light of US president Donald Trump’s use and abuse of the platform.

In an open letter to Twitter head Jack Dorsey, US senator Josh Hawley, a Republican who represents the state of Missouri in Washington DC, wrote: “I am concerned that this event may represent not merely a coordinated set of separate hacking incidents but rather a successful attack on the security of Twitter itself.

“As you know, millions of your users rely on your service not just to tweet publicly but also to communicate privately through your direct message service. A successful attack on your system’s servers represents a threat to all of your users’ privacy and data security.”

California congressman John Garamendi, a Democrat, expressed similar concerns, writing on Twitter: “I don’t have any Bitcoin to offer you but I do have grave concerns about what today’s hack of Twitter means for the safety of our elections and other critical infrastructure from hostile actors. Now more than ever we have to strengthen our nation’s cyber security.”

Read more on Hackers and cybercrime prevention