Crypto scams have hit many unsuspecting victims, but this time the attackers operated at a far larger scale. A hacker suspected of being behind a major hack of Twitter accounts on July 15 managed to access a Twitter ‘admin’ tool on the company’s network. The tool enabled the cybercriminal to hijack high-profile Twitter accounts and use them to spread a large crypto scam.
A reliable source with direct knowledge of the incident said that the hackers executed their plan with precision. Some of the most prominent users on Twitter were attacked, including leading cryptocurrency sites. The attack also swept up several celebrity accounts, including those of Jeff Bezos, Bill Gates, Joe Biden, and Elon Musk.
Earlier reports had already described the Twitter admin tool in some detail. Many of these high-profile Twitter accounts were hacked at the same time. The attackers then used the accounts, which have millions of followers, to spread a crypto scam. Apple was also among the accounts compromised in the wide-ranging hack.
The Crypto Scam
The hacking incident remained mysterious for hours after it took place. The affected accounts posted a message promoting the address of a bitcoin wallet, claiming that any payment sent to the address would instantly be doubled and sent back. That is a well-known crypto scam technique.
In the hours following the initial scam posts, Barack Obama, Kim Kardashian West, Wendy’s, Uber, CashApp, Warren Buffett, YouTuber MrBeast, Jeff Bezos, Bill Gates, and Mike Bloomberg also posted the same crypto scam. Twitter did not immediately explain how it had happened, although a spokesperson said that an investigation had already been launched.
Later on, Twitter confirmed in a series of tweets that the cyber attack was caused by:
“a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
Most accounts should be able to Tweet again. As we continue working on a fix, this functionality may come and go. We're working to get things back to normal as quickly as possible.
— Twitter Support (@TwitterSupport) July 16, 2020
The Suspected Hacker
An individual actively involved in the underground hacking scene told reporters that a hacker by the name of ‘Kirk’ was a major beneficiary. ‘Kirk’, probably not their real name, managed to acquire more than $100,000 within a few hours by gaining access to an internal Twitter tool, which they used to control several popular Twitter accounts.
The hacker also used the tool to reset the email addresses associated with the affected accounts, making it harder for the owners to regain control. Then the hacker pushed a crypto scam that promised to double whatever amount the unsuspecting victims sent.
The inside source said that Kirk had started the attacks by selling access to vanity Twitter accounts, that is, usernames that are simple, short, and recognizable. It is big business, even if an illegal one: a stolen social media handle or username can sell for anywhere from a few hundred to several thousand dollars.
Interestingly, Kirk is believed to have contacted a ‘trusted’ member of OGUsers, a forum popular with traders of hacked social media handles. In that case, Kirk wanted the trusted member to help sell the stolen vanity usernames.
In multiple screenshots of a Discord chat that was shared with reporters, Kirk said:
“Send me @’s and BTC. And I’ll get ur shit done.”
The ‘@’s’ referred to Twitter usernames and the BTC to payment in bitcoin; in return, Kirk promised to hijack the requested Twitter accounts. Later in the day, Kirk started hacking everything they could get their hands on.
The Exploited Internal Tool
Reports indicate that Kirk probably had access to an internal tool on Twitter’s network that enabled them to take control of user accounts. A screenshot shared with reporters shows the admin tool that was compromised. For now, Twitter is removing the tweets and suspending the accounts of users who share the screenshot of the tool.
The alleged internal Twitter account tool
This tool appears to give staff control over a user’s account. It is an internal tool available only to Twitter employees, who can change the email address associated with an account and suspend the user if they choose to.
The source never said exactly how Kirk managed to access Twitter’s internal tools. However, they hypothesized that a Twitter employee’s corporate account was hijacked; with a hijacked employee account, Kirk could easily make their way into the company’s internal network. The person also said it was unlikely that a Twitter employee was knowingly involved in the hacking spree.
Kirk targeted @binance first as part of the campaign and then moved swiftly to other popular crypto accounts. The same person said that Kirk made more money within an hour than from selling usernames. Twitter briefly suspended some account actions to regain control of the platform.
The social media platform even prevented verified users from tweeting in an effort to contain the account hijacks. Twitter later tweeted that it was working to get things back to normal as quickly as possible.
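The hypothesis above is that one hijacked employee account was enough to reset emails on high-profile accounts. The following is an added illustration, not Twitter's code or a description of its actual tool, of the kind of gate an internal admin tool can put in front of such actions: every sensitive action requires a fresh hardware-key step-up, actions on accounts above a follower threshold additionally require a second, distinct approver, and every attempt (allowed or denied) is written to an audit log. The threshold, the step-up freshness window, the `Account`/`OperatorSession`/`AdminTool` classes and the sample accounts are all constructed for this example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy parameters for this example (not values from any real system).
HIGH_PROFILE_FOLLOWERS = 1_000_000           # accounts at or above this need a second approver
STEP_UP_MAX_AGE = timedelta(minutes=10)      # how recent a hardware-key re-authentication must be
SENSITIVE_ACTIONS = {"change_email", "disable_mfa", "suspend"}


@dataclass
class Account:
    handle: str
    followers: int
    email: str


@dataclass
class OperatorSession:
    operator: str
    # When this operator last re-authenticated with a hardware key; None = never.
    last_step_up: Optional[datetime] = None

    def step_up_is_fresh(self, now: datetime) -> bool:
        return self.last_step_up is not None and now - self.last_step_up <= STEP_UP_MAX_AGE


class PolicyViolation(Exception):
    """Raised when an admin action is denied by the gate."""


@dataclass
class AdminTool:
    accounts: dict[str, Account]
    audit_log: list[dict] = field(default_factory=list)

    def _denial_reasons(self, action: str, session: OperatorSession, target: Account,
                        approver: Optional[OperatorSession], now: datetime) -> list[str]:
        """Return the list of policy reasons to deny the action (empty list = allowed)."""
        reasons: list[str] = []
        if action not in SENSITIVE_ACTIONS:
            return reasons
        # A stolen session cookie or password alone must not suffice: require a fresh step-up.
        if not session.step_up_is_fresh(now):
            reasons.append("operator step-up authentication missing or stale")
        # Four-eyes rule for high-profile accounts: a different operator must approve, also freshly authenticated.
        if target.followers >= HIGH_PROFILE_FOLLOWERS:
            if approver is None or approver.operator == session.operator:
                reasons.append("distinct second approver required for high-profile account")
            elif not approver.step_up_is_fresh(now):
                reasons.append("approver step-up authentication missing or stale")
        return reasons

    def change_email(self, session: OperatorSession, handle: str, new_email: str,
                     approver: Optional[OperatorSession] = None,
                     now: Optional[datetime] = None) -> bool:
        """Change an account's email if policy allows; always record the attempt."""
        now = now or datetime.now(timezone.utc)
        target = self.accounts[handle]
        reasons = self._denial_reasons("change_email", session, target, approver, now)
        self.audit_log.append({
            "at": now.isoformat(), "action": "change_email", "operator": session.operator,
            "approver": approver.operator if approver else None, "target": handle,
            "allowed": not reasons, "reasons": reasons,
        })
        if reasons:
            raise PolicyViolation("; ".join(reasons))
        target.email = new_email
        return True


def run_scenario() -> list[dict]:
    """Constructed scenario: a session without step-up tries to reset a high-profile account's email."""
    now = datetime(2020, 7, 15, 20, 0, tzinfo=timezone.utc)
    tool = AdminTool({
        "big_account": Account("big_account", 2_000_000, "owner@example.com"),   # constructed
        "small_account": Account("small_account", 1_200, "user@example.com"),    # constructed
    })
    hijacked = OperatorSession("employee_x")                                     # no recent step-up
    fresh = OperatorSession("employee_x", last_step_up=now - timedelta(minutes=2))
    approver = OperatorSession("employee_y", last_step_up=now - timedelta(minutes=1))
    for sess, handle, appr in [(hijacked, "big_account", None), (fresh, "small_account", None),
                               (fresh, "big_account", None), (fresh, "big_account", approver)]:
        try:
            tool.change_email(sess, handle, "changed@example.com", approver=appr, now=now)
        except PolicyViolation:
            pass
    return tool.audit_log


if __name__ == "__main__":
    for entry in run_scenario():
        print(entry)
```

In this example only the last attempt succeeds: the hijacked session is denied outright, a freshly stepped-up operator may act alone on a low-profile account, and the high-profile change goes through only with a second approver. The audit log is what an incident responder would later pivot on, so it records denied attempts as well as successful ones.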
Huge Amounts Lost In The Crypto Scam
The coordinated Twitter hack affected almost all major crypto exchanges as well as famous founders and celebrities. Each of the affected accounts promoted a COVID-related crypto giveaway scam in which followers were encouraged to send bitcoin to a designated Bitcoin address. They were told that the account’s owner would double their funds. According to blockchain records for the hacker’s address, victims sent over $7.8 million within hours.
Satnam Narang, a longtime social media scam expert and researcher at Tenable, gave his take on the matter. The affected accounts said that they had ‘partnered with’ a company called CryptoForHealth. Interestingly, the domain for that site was registered on July 15.
The site claims that, to help with the tough times caused by the pandemic, it has partnered with many crypto exchanges for a “5000 Bitcoin (BTC) giveaway”, a classic sign of advance-fee fraud. All the compromised accounts used the same Bitcoin address published on the CryptoForHealth site, which indicates a coordinated attack.
Users were urged to send between 0.1 BTC and 20 BTC to the designated Bitcoin address to see their money doubled. This scam has existed for many years, with scammers impersonating crypto figures and celebrities. In this case, the scammers compromised the legitimate accounts themselves to launch their crypto scam.
Since all these tweets came from verified accounts, many users placed their trust in the CryptoForHealth site and the supplied Bitcoin address. The situation moved quickly; at one point Twitter was overwhelmed by the activity and had to take drastic measures.
Users are advised to avoid giveaway campaigns and offers that promise to double funds, since they are almost always crypto scams. Ping Identity CCIO Richard Bird said that the crypto Twitter hack is quite worrying. He speculated on the cause:
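The tell described above is that many verified accounts pushed the same "send X, get 2X back" message with the same Bitcoin address within a short window. As an added example, not code from the original article or from Twitter, the following script shows how a platform's trust-and-safety or a brand-monitoring team could flag such posts and cluster them by address to detect the coordinated campaign rather than one-off scam posts. The address formats (legacy base58 and bech32) are real; the keyword list, thresholds, the `Tweet` structure, the account handles and the sample tweets are constructed, and the scam address in the sample is a placeholder, not a real wallet.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Bitcoin address syntaxes: legacy base58 (starts with 1 or 3) and bech32 (starts with bc1).
# These patterns match the address format only; they do not validate checksums.
BASE58_ADDR = r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"
BECH32_ADDR = r"\bbc1[ac-hj-np-z02-9]{8,87}\b"
BTC_ADDR_RE = re.compile(f"{BASE58_ADDR}|{BECH32_ADDR}")  # case-sensitive on purpose

# Phrases characteristic of the doubling / giveaway advance-fee pattern (assumed keyword list).
DOUBLING_RE = re.compile(
    r"\b(?:double[sd]?|doubling|2x|send(?:ing)? back|giving back|giveaway)\b", re.IGNORECASE
)


@dataclass(frozen=True)
class Tweet:
    author: str
    posted_at: datetime
    text: str


def extract_btc_addresses(text: str) -> list[str]:
    """Return every bitcoin-address-shaped token in the text."""
    return BTC_ADDR_RE.findall(text)


def is_giveaway_scam(text: str) -> bool:
    """A post is suspicious when it both names a payment address and promises a return."""
    return bool(extract_btc_addresses(text)) and DOUBLING_RE.search(text) is not None


def find_coordinated_campaigns(tweets: list[Tweet], min_accounts: int = 3,
                               window: timedelta = timedelta(hours=1)) -> dict[str, set[str]]:
    """Map each address to the distinct accounts that promoted it within one `window`,
    keeping only addresses pushed by at least `min_accounts` different accounts."""
    by_addr: dict[str, list[Tweet]] = defaultdict(list)
    for tweet in tweets:
        if not is_giveaway_scam(tweet.text):
            continue
        for addr in set(extract_btc_addresses(tweet.text)):
            by_addr[addr].append(tweet)

    campaigns: dict[str, set[str]] = {}
    for addr, posts in by_addr.items():
        posts.sort(key=lambda t: t.posted_at)
        best: set[str] = set()
        start = 0
        # Sliding time window over the posts for this address; keep the largest author set seen.
        for end, post in enumerate(posts):
            while post.posted_at - posts[start].posted_at > window:
                start += 1
            authors = {p.author for p in posts[start:end + 1]}
            if len(authors) > len(best):
                best = authors
        if len(best) >= min_accounts:
            campaigns[addr] = best
    return campaigns


# Constructed sample data. SCAM_ADDR is a placeholder shaped like a legacy address, not a real wallet.
UTC = timezone.utc
SCAM_ADDR = "1ExampLeScamAddressDoNotSend123456"
SAMPLE_TWEETS = [
    Tweet("exchange_a", datetime(2020, 7, 15, 20, 0, tzinfo=UTC),
          f"We are giving back to our community! Send 0.1 BTC to {SCAM_ADDR} and we send back 0.2 BTC."),
    Tweet("founder_b", datetime(2020, 7, 15, 20, 12, tzinfo=UTC),
          f"Feeling generous because of Covid-19. All bitcoin sent to {SCAM_ADDR} will be doubled!"),
    Tweet("celeb_c", datetime(2020, 7, 15, 20, 31, tzinfo=UTC),
          f"Only for the next 30 minutes: send BTC to {SCAM_ADDR} and get it doubled back."),
    Tweet("exchange_a", datetime(2020, 7, 15, 20, 40, tzinfo=UTC),
          f"Reminder: {SCAM_ADDR} doubles whatever you send, up to 20 BTC."),
    Tweet("charity_d", datetime(2020, 7, 15, 21, 0, tzinfo=UTC),
          "Donations for the shelter are welcome at bc1qshelterexampleaddrxxxxxxxxxx00, thank you."),
    Tweet("analyst_e", datetime(2020, 7, 15, 21, 15, tzinfo=UTC),
          "Bitcoin closed the day higher; no giveaway here, just charts."),
]


if __name__ == "__main__":
    for addr, accounts in find_coordinated_campaigns(SAMPLE_TWEETS).items():
        print(f"coordinated giveaway scam: {addr} pushed by {sorted(accounts)}")
```

On the sample data only the placeholder address is reported, pushed by three distinct accounts within 40 minutes; the charity post carries an address but no doubling language, and the analyst post has the keyword but no address, so neither is flagged. Clustering on the shared address is the important step: a single scam tweet is a support ticket, but several verified accounts pushing one address inside an hour is the signal that accounts are being taken over, which is when platform-wide containment (like the posting restrictions described above) becomes justified.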
“The Twitter hack pumping a Bitcoin link is extremely troubling given the early reports that some of the accounts in question had multi-factor authentication (MFA) in use. MFA is exploitable, but predominantly through social engineering methods. That seems unlikely in this case, making a full disclosure from Twitter on the methods used by the bad actors all the more important.”
This latest Twitter hack shows how criminals exploit highly trafficked social media channels to launch crypto scams. Richard Bird said:
“Disinformation and exploitation of supposedly trusted social media channels only amplifies the anxieties and concerns that consumers and citizens are already dealing with in this country and others.”