Last Week’s Big Twitter Hack Was Years in the Making

20 July 2020

Brenna Smith is an open source researcher and contributor for the investigative web site Bellingcat, where she publishes a weekly newsletter about cryptocurrencies, called CryptOsint. 

The great Twitter hack of 2020 (or at least so far) was a shock to everyone, most especially the social media company itself. But it shouldn’t have been. There was a trail of signs for months leading up to the event, spanning multiple social networks and other publicly available sources.

Let’s flash back to the beginning of June. Sitting on my couch mindlessly scrolling Twitter, I came across a post about a fake SpaceX YouTube account holding a livestream while also peddling an Elon Musk crypto-giveaway.

A screenshot from @The4rchangel
Source: Twitter

It was so obviously a scam it felt laughable. An account with 55,000 subscribers, some sort of anime character as its icon, and an “about page” written in Korean was claiming to be SpaceX? 

“Who would ever fall for that?” I thought. 

Hundreds of people, apparently.

By the time I checked back an hour later, the scammers had upped their game. The account now featured SpaceX’s logo, the appearance of a legitimate “about page,” and more than 36,000 viewers on the live stream. Ultimately, $200,000 was stolen.

They had managed to hijack a somewhat popular, but relatively dormant, Kpop fan account and turn it into a believable SpaceX dupe. And even if you disagree about whether it was convincing, the efficacy is hard to dispute when the loot reached six figures.

Floored, and slightly impressed, I spent the next couple of weeks learning as much as I could about cryptoscams. I discovered that scammers have evolved significantly since the days of sextortion emails (which are still very much a thing).

Essentially since Bitcoin’s inception, cybercriminals and scammers have capitalized on the currency to funnel proceeds from email scams, fake websites and propositions on chat forums.

Then, they began leveraging major social media platforms and impersonating celebrities. Mainstream social media platforms and celebrities provide two critical ingredients to a lucrative hack: a large audience and a semblance of credibility.

As with the fake SpaceX account in June, scammers also became fond of hijacking well-followed but unguarded accounts to further trick people into thinking they were legitimate celebrities. Hijacking verified accounts became a popular scam technique around February 2018. Often the only distinction between them and the legitimate account was an added number or letter to the username.

Cryptoscammers’ favorite targets are usually well-known tech entrepreneurs, such as Elon Musk. According to data from user reports to BitcoinWhosWho, there have already been 225 reported instances of Elon Musk scams across Twitter, Facebook, and YouTube in 2020. Other common targets are Vitalik Buterin, Bill Gates and Jeff Bezos.

MyCrypto security specialist Harry Denley found that 333 Twitter users were peddling cryptoscams in 2019. They perpetrated their ploys using random bot accounts, hijacked verified accounts, burner accounts tweeting doctored images and accounts directing users to private profiles with website links in the bio.

Now, I know what you’re thinking: These numbers aren’t massive. Why should Twitter have paid attention or known there was a problem? 

Well, for one thing, I’m relying on data from user reports. That is only a window into all the cryptoscams perpetrated on Twitter. But more importantly, Twitter wasn’t just fielding scams on its own social media platform. Often, users will share and post scams happening on YouTube or Facebook on Twitter to warn others, which is how I personally come across most scams.

Via @robleathern
Source: Twitter

So in many ways, Twitter was in the perfect position to keep track of and combat these scams because it had access to a fuller picture beyond just its platform.

Fast forward to last Thursday, when allegedly a rag-tag team of 20-something hackers took down Twitter one verified account at a time. As surprising as this hack seemed, hijacking a real account is the next natural step to running a fake celebrity account. 

Cryptoscammers were making massive amounts of money using passable fake accounts. So what would happen if they got a hold of the real ones? (Roughly $180,000 in the case of last week’s events, which many argue was a paltry outcome considering the scale of the attack.)

To be clear, I do not think Twitter could have predicted its Slack would be infiltrated and lead to the hijacking. What it could have predicted was that the appetite for cryptoscams on its platform is not only growing but becoming more sophisticated.

The bread crumbs were there. All Twitter needed to do was follow them. But unfortunately, the hackers got to them first, allowing other social media platforms to run free, albeit probably not for long.
