One of the wildest stories of the year was the day some of the most-followed Twitter accounts on the planet posted cryptocurrency scams because of a massive unprecedented hack.
Elon Musk was the first hacked account most people noticed. “I’m feeling generous because of COVID-19,” a now-deleted 4:17PM ET tweet said. “I’ll double any BTC payment sent to my BTC address for the next hour. Good luck, and stay safe out there!” The tweet also included an address where people could send bitcoin. But because Twitter scammers regularly use Musk’s name and image to post cryptocurrency scams, it was hard to tell if the tweet was just Musk mocking them.
It quickly became clear that, yes, Musk was hacked, and it wasn’t just him. The company accounts of Coinbase, Gemini, and Binance had posted suspicious tweets shortly before Musk did. Then a deluge of tweets appeared: Apple, Barack Obama, Bill Gates, Floyd Mayweather, Jeff Bezos, Joe Biden, Kanye West, Michael Bloomberg, Uber, Warren Buffett, Wiz Khalifa, and others all posted tweets like Musk’s in short order. Some accounts posted multiple tweets while under the hackers’ control.
Presumably, many of these accounts are protected by things like two-factor authentication and strong passwords that would make them very hard to break into. The fact that they were all posting the scam suggested that the attackers had access to some kind of internal Twitter tool to bypass that security — and Twitter confirmed that was the case later that evening.
Notably, President Donald Trump’s account wasn’t co-opted to post the scheme. Since we live in a world where Trump can move markets and make international headlines with one 280-character missive on Twitter, it’s likely a good thing that his account wasn’t taken over. While we don’t know if the hackers even attempted to tweet as Trump, his account reportedly has extra protections that may have prevented an intrusion.
The chaos was funny, in its way. For a little while, it appeared that Twitter had stopped verified accounts from posting new tweets. That meant The Verge and the majority of our staff weren’t able to tweet, so we briefly relied on former Verge staffer Casey Newton’s unverified wrestling-focused Twitter account (which currently has 207 followers) to share updates about the attack. Other unverified accounts filled our timelines with jokes about a world free of blue checkmarks:
About two weeks after the hack, it became clear that this was the work of a teenager. Three people were charged for the attack on July 31st, including a 17-year-old from Florida who authorities claimed was the “mastermind” of the operation. A 16-year-old from Massachusetts was served a search warrant by federal agents in September to investigate their potential involvement; this person “appears to have played an equal, if not more significant, role” than the 17-year-old, according to The New York Times.
Those involved were able to steal over $118,000 worth of bitcoin by duping people into sending the cryptocurrency to the addresses included in the scam tweets, according to a report by New York’s Department of Financial Services. Because of the way bitcoin is designed, the transactions aren’t reversible, so there’s no way to return that money to the people it was stolen from.
Their attack didn’t use “any of the high-tech or sophisticated techniques often used in cyberattacks–no malware, no exploits, and no backdoors,” the report said. Instead, the hackers accessed internal Twitter tools by tricking Twitter employees into giving them login credentials.
Twitter says it has strengthened its internal security and invested in new tools and training for employees and contractors. But months later, it’s still hard to fathom how a group of motivated hackers brought one of the most influential social networks on the planet to its knees.
Thank goodness it was apparently just a bunch of bitcoin-obsessed hackers behind the attack and that they didn’t use their unprecedented access to, say, start a war. In some ways, given Musk’s Twitter run-ins with the Securities and Exchange Commission and an unsuccessful defamation suit, it’s fitting that they chose his account to tell us what they were doing.