Twitter and the big bitcoin scam: what happened next

If you’re curious what kind of data Twitter stores on you — and what those hackers could have stolen during their big bitcoin scam — you can now find out once again. Twitter has reenabled the ability to download archives of “Your Twitter Data,” nearly two months after shutting off the feature as a precaution against further hacking.

To access it, go to Settings > Account > Your Twitter data and you should see a screen like the one below, where you’ll need to type in your password to start the transfer. If you’re using a phone app, it may shove you over to the mobile website instead.

The investigation of the unprecedented Twitter hack earlier this summer has produced a new suspect: a 16-year-old from Massachusetts, according to a new report from The New York Times. This new suspect would be the youngest of the group of conspirators spanning the US and the UK, a group now totaling four individuals who together planned and then pulled off account takeovers of dozens of high-profile Twitter users to promote a bitcoin scam.

It’s still unclear which members had direct control of internal Twitter systems and how exactly they gained access beyond somehow tricking company employees, but the supposed mastermind of the hack is believed to be 17-year-old Floridian Graham Ivan Clark, who has been charged as an adult with 30 felonies. The others include 19-year-old Mason John Sheppard of the UK and 22-year-old Nima Fazeli of Orlando, Florida.

Last Friday, a 17-year-old Florida high school graduate, Graham Ivan Clark, was arrested and charged as the “mastermind” behind the massive bitcoin scam that ensnared the accounts of Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, Apple, and more — after he allegedly posed as a member of Twitter’s IT department and used Twitter’s own admin tools to break into those accounts.

This morning, I woke up early to hear what he — or his lawyer — had to say about that. It was so easy I didn’t even have to get to a desk. The court had publicly revealed last week it’d hold hearings over Zoom, no password required, so I tuned in with my phone from bed.

On Friday Graham Ivan Clark was charged along with two others for the most serious hack in Twitter’s history, where numerous high-profile accounts including those of Elon Musk, Barack Obama, and Bill Gates were taken over to promote a bitcoin scam. In a new investigation, The New York Times has delved into Clark’s history, which reportedly escalated from small Minecraft scams into a hack so big that some have dubbed it a global security crisis.

Here’s how it all began, as described by the NYT:

Early on July 31st, the FBI, IRS, US Secret Service, and Florida law enforcement placed 17-year-old Graham Clark of Tampa, Florida, under arrest. He’s accused of being the “mastermind” behind the biggest security and privacy breach in Twitter’s history, one that took over the accounts of President Barack Obama, Democratic presidential candidate Joe Biden, Bill Gates, Elon Musk, Kanye West, Apple, and more to perpetrate a huge bitcoin scam on July 15th.

Apparently, he wasn’t alone: shortly after the Tampa arrest was revealed and after we published this story, two more individuals were formally charged by the US Department of Justice: 22-year-old Nima Fazeli in Orlando and 19-year-old Mason Sheppard in the UK. They go by the hacker aliases “Rolex” and “Chaewon,” respectively, according to the DOJ. The FBI says that two individuals in total are in custody. An unidentified minor in California also admitted to federal agents that they’d helped Chaewon sell access to Twitter accounts.

Twitter provided an update about the unprecedented July 15th attack that allowed hackers to tweet from some of the most high-profile accounts on the service, in a blog post and a series of tweets published Thursday evening. Twitter now says that a few employees were targeted in a phone spear phishing attack. While Twitter doesn’t quite say, that presumably means hackers called up Twitter employees while posing as colleagues or members of Twitter’s own security team, and got them to reveal the credentials they use to access internal systems.

Twitter had previously said its own tools were compromised in the attack, but up until this point, the company hadn’t specified how that had happened. “This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” Twitter said in a tweet from its support account. 

Years before the July 15th attack on Twitter that let hackers compromise some of the social network’s most high-profile accounts to tweet Bitcoin scams, Twitter contractors apparently were able to use Twitter’s internal tools to spy on some celebrities, including Beyoncé, according to a report from Bloomberg chronicling longtime security concerns at the company.

The tools in question typically allow certain Twitter staffers to do things like reset accounts or respond to content violations, but they could apparently also be used to spy on or hack an account, according to Bloomberg. “The controls were so porous that at one point in 2017 and 2018 some contractors made a kind of game out of creating bogus help-desk inquiries that allowed them to peek into celebrity accounts, including Beyonce’s, to track the stars’ personal data including their approximate locations gleaned from their devices’ IP addresses,” Bloomberg reported. And snooping on user accounts was apparently rampant enough that Twitter’s full-time security team in the US “struggled to keep track of the intrusions,” Bloomberg said.

Twitter believes the perpetrators of last week’s unprecedented attack on the company accessed the direct message (DM) inbox of an elected official in the Netherlands, the company said Wednesday evening. The revelation comes as part of the company’s ongoing investigation into last Thursday’s attack that allowed attackers to hijack the accounts of some of the service’s most high-profile users, including politicians Barack Obama and Joe Biden, to tweet a bitcoin scam.

Although Twitter didn’t name the Dutch official, local media reported last week that far-right, anti-Islam politician Geert Wilders, had his account hacked, retweeting a number of conspiracy theories and replacing Wilders’ profile photo with a caricature of a Black man and Moroccan flag. A hacker interviewed on Dutch radio also claimed to have access to Wilders’ DMs at the time.

The cryptocurrency exchange Coinbase said that it stopped around 1,100 customers from sending bitcoin to hackers who gained access to high-profile Twitter accounts last week. 

Last Wednesday, over 100 Twitter accounts, some belonging to major companies like Apple and high-profile people like Vice President Joe Biden and Bill Gates, were hacked as part of a massive coordinated bitcoin scam. According to Twitter, the hackers were able to convince some of the company’s employees to use internal systems and tools to access the accounts and help the hackers defraud users into sending them bitcoin.

On Friday evening, Twitter issued its first full blog post about what happened after the biggest security lapse in the company’s history, one that led to attackers getting hold of some of the highest profile Twitter accounts in the world — including Democratic presidential candidate Joe Biden, President Barack Obama, Tesla CEO Elon Musk, Microsoft co-founder Bill Gates, Kanye West, Michael Bloomberg, and more.

The bad news: Twitter has now revealed that the attackers may indeed have downloaded the private direct messages (DMs) of up to 8 individuals while conducting their Bitcoin scam, and were able to see “personal information” including phone numbers and email addresses for every account they targeted.

Reporters are starting to piece together the behind-the-scenes events of the unprecedented Twitter attack on Wednesday almost as fast as the official investigators themselves. And the clearest idea of what may have happened two days ago — when roughly 130 accounts were compromised using internal company tools — comes courtesy of The New York Times this afternoon.

Reporters Nathaniel Popper and Kate Conger tell the stories of four individuals involved in the hack and how exactly it spiraled out of control and resulted in the takeovers of some of the platforms most high-profile and sensitive accounts.

It’s been such a newsy week that we’re ending it with two columns — enough to last you the whole weekend. First, we have what we hope is the ultimate Twitter hack FAQ, in response to this week’s catastrophic security breach. Yesterday’s issue was the most-read in Interface history, and we wanted to make sure you had all the latest developments.

Second, I’m excited to share a conversation I had this week with Facebook’s chief diversity officer, Maxine Williams, on the occasion of the company releasing its annual diversity report. I wanted to know why progress on the issue has been so hard to come by, what it means that she reports to Sheryl Sandberg now, and much more. Williams is a dynamo; I hope you’ll enjoy our chat.

In yesterday’s massive attack on Twitter, some of the highest-profile accounts on the service, including President Barack Obama, Joe Biden, Elon Musk, and Bill Gates had their accounts hijacked to peddle bitcoin scams. Notably, however, Donald Trump, perhaps the most famous Twitter user of all, was untouched by the attack, and it could be because Twitter has implemented extra protections for his account.

In a deeply-reported article on the attack, The New York Times writes that Trump’s Twitter account has extra protection after “past incidents,” citing two anonymous sources — a senior White House official and a Twitter employee. The New York Times didn’t specify what those past incidents were, but they could refer to the November 2nd, 2017 incident where a rogue employee deactivated Trump’s account on his last day at the company. Trump’s account returned to Twitter 11 minutes later.

The Twitter accounts of major companies and individuals were compromised on Wednesday in one of the most widespread and confounding breaches the platform has ever seen, all in service of promoting a bitcoin scam that earned its creators nearly $120,000.

Multiple law enforcement investigations, including one from the Federal Bureau of Investigation, are now actively probing the situation over far a deeper concern: that the exploited vulnerability in Twitter’s systems — a result it seems of mid-level employees having powerful access to site-wide admin tools that can fall into the wrong hands — has exposed serious security risks for the platform’s most powerful users. Lawmakers are hounding Twitter for more transparency around the incident, and it seems likely the attack will have longstanding consequences not just for Twitter’s own internal tools and security, but for the broaden cybersecurity industry and every high-profile Twitter user on the platform, too.

The US Federal Bureau of Investigation has opened an investigation into Wednesday’s unprecedented Twitter attack that resulted in numerous takeovers of high-profile accounts belonging to politicians, business leaders, and corporations, according to a report from The Wall Street Journal.

The FBI is concerned that the coordinated attack and the vulnerabilities it exposed in Twitter’s systems may pose serious security risks, due to the widespread compromising of sensitive accounts, including those of President Barack Obama and Democratic presidential candidate Joe Biden. President Donald Trump’s account was not affected, White House press secretary Kayleigh McEnany tells the WSJ, but it’s unclear if Trump’s account has special protections. Twitter tells The Verge it is in communication with the FBI regarding its investigation and intends to fully cooperate.

Twitter says it has “no evidence” user passwords were accessed as part of yesterday’s massive attack targeting the company’s internal tools, but it is still working to restore access to locked accounts. The updates were shared as part of a series of tweets posted Thursday afternoon.

Yesterday, attackers hijacked the accounts of some of the most-followed people on Twitter, including President Barack Obama, Vice President Joe Biden, Elon Musk, Bill Gates, and Kanye West, to post bitcoin scams. The company made the decision to lock many accounts last night as a precaution to reduce further damage from the attacks, and it provided more detail about why accounts were locked in this afternoon’s tweets.

Lawmakers on both sides of the aisle are demanding more details on Twitter’s massive hacking attack yesterday. Sen. Ed Markey (D-MA) said in a statement Thursday that “Twitter must fully disclose what happened and what it is doing to ensure this never happens again.” 

On Wednesday, Twitter accounts belonging to major companies like Apple and Uber and high-profile individuals like Vice President Joe Biden, President Barack Obama, Elon Musk, and Bill Gates were all compromised as part of a coordinated bitcoin scam. According to Twitter, the accounts were compromised by hackers who “successfully targeted” employees who had access to internal systems and tools that provided access to these accounts. The specifics are still unknown, but Twitter said late Wednesday evening that it was still investigating the details of the attack.

Twitter has shed some light on the unprecedented attack on Wednesday that resulted in numerous takeovers of high-profile accounts including those of President Barack Obama, Democratic candidate Joe Biden, and Tesla CEO Elon Musk. In a series of tweets posted this evening under its support channel, Twitter said that its internal systems were compromised by the hackers, confirming theories that the attack could not have been conducted without access to the company’s own tools and employee privileges.

“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” the first tweet in a multi-tweet explainer thread reads. “We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf.”

You can’t say you didn’t see it coming.

Whatever Twitter eventually comes to say about the events of July 15th, 2020, when it suffered the most catastrophic security breach in company history, it must be said that the events were set in motion years ago.