What Happened At Twitter

September 28, 2020

If you don’t already know by now, Twitter was hacked in a massive way on Wednesday, July 15. Accounts belonging to Bill Gates, Elon Musk, Kanye West, and Apple were taken over and used to send Tweets pushing a Bitcoin scam. Basically, they all said something along the lines of, “Whatever dollar amount you send me in BTC, I’ll double it and send it back.”

Naturally, it’s a fishy message and we would all hope no one would have fallen for it. However, as I get older and older, I realize that all adults aren’t as smart as I thought they were when I was a kid.

So, accounts were hacked and Tweets were sent, but what else happened? That, no one really knows. But here’s what we do know.

What Happened

Just past noon, the Binance Twitter account Tweeted that, in an effort to give back to the community, it was partnering with CryptoForHealth to give back 5000 bitcoin, along with a link for people to send money.

Shortly after that Tweet was sent, other accounts such as Joe Biden, Barack Obama, Elon Musk, Bill Gates, and Warren Buffett all Tweeted something along the same lines. As crazy as it may seem, the Bitcoin address in the Tweets received about $117,000 after the Tweets went out.

As for what else the hackers did, people seem to be on different pages.

Twitter said, “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.” They followed that up with, “We know they used this access to take control of highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.”

Vice reported talking to two of the hackers, who said they were given access to Twitter’s internal admin panel using the log-in of a Twitter employee. They then, supposedly, used that admin tool to change the email address associated with each targeted account and trigger a password reset, until they were logged in and could Tweet.

TechCrunch reported on the same admin tool, but said access to it was obtained by hacking, not through the cooperation of Twitter employees.

Who Was Behind it?

Lucky225, who controlled one of the hijacked accounts, said the hackers were either intercepting the SMS password-reset code or bypassing it somehow. Lucky said the account had one-time-password (OTP) two-factor authentication turned on, yet the hackers were still able to get past it.

If the social engineering of Twitter employees is real, the attackers could have used the admin tool to change the email address on the account, disable 2FA, and then trigger a password reset to the address they now controlled. In that chain the victim’s second factor never comes into play: nothing is intercepted, the account’s recovery settings are simply rewritten from the inside.
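That chain (recovery email changed, 2FA disabled, password reset issued, all on one account within a couple of minutes) is exactly the kind of sequence an internal admin-tool audit log can catch. What follows is an added example, not code from the original post and not Twitter’s own tooling: a small Python detector run over constructed audit lines. The log format, the action names, the operator names and the ten-minute window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in a hypothetical format:
#   <ISO-8601 timestamp> <operator> <action> <target account>
# @six_example and @brand_example show the takeover chain; @normaluser is a
# routine support case whose reset comes many hours after the email change.
SAMPLE_LOG = """\
2020-07-15T19:58:02Z op_alice EMAIL_CHANGE @six_example
2020-07-15T19:58:40Z op_alice TWO_FA_DISABLE @six_example
2020-07-15T19:59:05Z system PASSWORD_RESET @six_example
2020-07-15T20:10:11Z op_bob EMAIL_CHANGE @normaluser
2020-07-16T09:00:00Z system PASSWORD_RESET @normaluser
2020-07-15T20:12:00Z op_alice EMAIL_CHANGE @brand_example
2020-07-15T20:12:30Z system PASSWORD_RESET @brand_example
"""

# Assumed window: a reset this soon after a recovery-email change is rarely benign.
WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse audit lines into (timestamp, operator, action, account) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, operator, action, account = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), operator, action, account))
    return sorted(events)


def find_takeover_chains(events, window=WINDOW):
    """Flag each account where an EMAIL_CHANGE is followed by a PASSWORD_RESET within
    `window`. A TWO_FA_DISABLE inside that span is the full chain that sidesteps the
    victim's OTP second factor, so it is reported as high severity."""
    by_account = defaultdict(list)
    for event in events:
        by_account[event[3]].append(event)

    findings = []
    for account, account_events in by_account.items():
        for i, (start, operator, action, _) in enumerate(account_events):
            if action != "EMAIL_CHANGE":
                continue
            chain = [action]
            for when, _, later_action, _ in account_events[i + 1:]:
                if when - start > window:
                    break  # too slow to be this chain; keep looking for later EMAIL_CHANGEs
                chain.append(later_action)
                if later_action == "PASSWORD_RESET":
                    findings.append({
                        "account": account,
                        "operator": operator,  # who changed the recovery email
                        "chain": chain,
                        "seconds": int((when - start).total_seconds()),
                        "severity": "high" if "TWO_FA_DISABLE" in chain else "medium",
                    })
                    break
    return findings


def accounts_per_operator(findings):
    """Count distinct flagged accounts per operator; one operator touching many
    accounts in a short time is the bulk pattern behind a mass takeover."""
    counts = defaultdict(set)
    for finding in findings:
        counts[finding["operator"]].add(finding["account"])
    return {operator: len(accounts) for operator, accounts in counts.items()}


if __name__ == "__main__":
    chains = find_takeover_chains(parse_log(SAMPLE_LOG))
    for finding in chains:
        print(finding)
    print(accounts_per_operator(chains))
```

The point of the per-operator rollup is that a single email change on a single account is ordinary support work; the same operator rewriting recovery settings on dozens of accounts in an afternoon is not, and that is the signal that is much harder for an attacker holding one employee’s credentials to avoid producing.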

Lucky said the account never Tweeted the Bitcoin scam, so he doesn’t believe it was part of the same attack, even though it was taken a few minutes before everyone else was hacked. However, Twitter issued a statement on Thursday, July 16 saying approximately 130 accounts were targeted and that the attackers were only able to take control of, and Tweet from, a small subset of them. So, Lucky’s account could well have been one of the 130.

A Twitter account, @shinji, was Tweeting screenshots of the internal admin tool with the caption “follow @6”, @6 being the account that was taken from Lucky225.

There are strong indications that the people behind the Twitter attack come from the “SIM swapping” scene, a growing form of crime in which hackers bribe or socially engineer employees at phone companies and social media firms into handing over access to other people’s accounts.

People who participate in SIM swapping are obsessed with gaining control of OG social media accounts. These accounts have short usernames, usually one to five characters long, and carry a sort of stature and allure in the tech world. That makes them attractive to SIM swappers because of the high prices they fetch when resold in underground markets.

In the days leading up to the attack, people in the SIM swapping community were advertising that they could change the email address tied to any Twitter account. Seems fishy if you ask me…

Other sources talked to hackers who go by the screen names “lol”, “ever so anxious”, and “Kirk”. Kirk is seemingly the one who pulled the strings on the attack and used “lol” and “ever so anxious” as middlemen to sell the OG accounts they took over. “ever so anxious” says that once Kirk started going after higher-profile accounts, they and “lol” both decided to pull the plug and stop helping Kirk.

Kirk is said to have received about $180,000 in BTC at the wallet used for the scam, and has not responded to “lol” or “ever so anxious” on their Discord chat since the attack.

What Does This Mean?

It’s too early to tell exactly what the goal of this scam was. A few hundred thousand dollars hardly seems worth the risk they took, and with the accounts they had access to, they could have done much more damage.

A question that has yet to be answered is whether the private direct messages of the 130 accounts were also compromised. Twitter seems to have considered that possibility: shortly after the attack it disabled the ability for any account to download its archive of account data, and that feature is still disabled as of this writing (July 18).

This story has a plethora of unanswered questions, and this is only the beginning of attacks on social media accounts. For the past few weeks America has been debating whether it should ban TikTok, and this attack reveals a big hole in either the cyber security of large social media companies or the amount of power their employees have over user accounts.