A single famous person having their social media account hacked would be a minor blip on any news day. But the coordinated hack of some of the most prominent and well-followed accounts all at once speaks to something larger and better-organized than a single lone wolf hacker. Yesterday, the Twitter accounts of Elon Musk, Kanye West, Bill Gates, Barack Obama and Joe Biden were but a few of those that fell victim to a strange Bitcoin scam. Together, the hacked accounts have hundreds of millions of followers.
On Wednesday afternoon around 4 p.m. Eastern time, a slew of famous people with verified Twitter accounts, and a few verified corporate accounts, tweeted similar messages asking their followers to send them Bitcoin and promising to send them back the same amount doubled as a show of faith for the infamous cryptocurrency.
"I am giving back to the community," the tweet from Biden's account read. "All Bitcoin sent to the address below will be sent back doubled! If you send $1,000, I will send back $2,000. Only doing this for 30 minutes." The message was followed by a Bitcoin wallet address, which appeared as a string of seemingly random characters.
Obviously, this was a scam, and not the work of the former vice president. Still, many people fell for it. The messages from the other accounts were similar, though the precise wording differed.
The coordination alarmed cybersecurity researchers, though they saw the damage as minor given the circumstances. (Indeed, such a hack could have been used to disseminate disinformation; instead, the hackers merely wanted money.) Likewise, the nature of the events hints that individual accounts' passwords were probably not leaked, but rather that Twitter's internal systems may have been breached. Here is everything that we know so far.
Who exactly was hacked?
It remains unclear how many accounts were hacked. All we know is what's been published in the media, which is based on what people saw before the tweets were deleted. Twitter also took the unprecedented move of preventing verified accounts (also known as "blue checks" for the presence of the checkmark confirming identity) from tweeting once it was aware of the hack. At publication time, many accounts that were victims of the hack have yet to tweet, suggesting that their accounts are still locked.
Twitter confirmed today that many accounts are still on lockdown, but that doesn't mean the company has "evidence" that those accounts were compromised.
"So far, we believe only a small subset of these locked accounts were compromised, but are still investigating and will inform those who were affected," Twitter said in an update.
Salon reached out to Twitter to get an exact number of accounts that were part of the hack and a spokesperson directed Salon to updates on the Twitter Support channel, adding that the investigation "remains ongoing."
As we mentioned before, we know based on other reports that Barack Obama, Joe Biden, Elon Musk, Bill Gates, and Kanye West's accounts were compromised, as well as the Twitter accounts of Kim Kardashian, Michael Bloomberg, Apple, Jeff Bezos, and Uber.
On Thursday, White House press secretary Kayleigh McEnany told reporters that President Donald Trump's Twitter account had not been affected.
What did the hackers want?
It appears to have been an attempt at a virtual heist. All of the fraudulent tweets asked for payments to be sent to a specific Bitcoin address, promising to return double the amount received. Bitcoin addresses are not HTML links; they are more akin to bank routing numbers, in that they are a series of characters that allows Bitcoin users to find and transfer money to each other.
Bitcoin addresses come in three formats: P2PKH, P2SH, and bech32. Bech32 addresses begin with "bc1," which is what the addresses in the screenshots show.
According to Tom Robinson, the co-founder and chief scientist of Elliptic Forensics, a cryptocurrency compliance firm, the hackers collected funds with three coin addresses. The funds were then sent to 12 new addresses, where they are currently sitting. Elliptic Forensics estimates that a little over 400 payments were made due to the hack, leaving the hackers with a total value of $121,000.
While this is certainly a lot of money, security experts seem to agree that this hack could have been a lot worse. "This is massive," cybersecurity expert Rachel Tobac, the CEO of SocialProof Security, told the Washington Post. "This is most likely the largest attack I've ever seen. We are extremely lucky that these attackers are monetarily motivated and not sowing mass chaos all over the world."
So, were famous people's accounts hacked or was Twitter hacked?
Good question. Twitter said on Twitter they have no reason to believe that the hackers had access to passwords. Instead, it appears to be more likely that the internal controls at Twitter itself were hacked, which is slightly more unnerving. "Internally, we've taken significant steps to limit access to internal systems and tools while our investigation is ongoing," Twitter tweeted.
According to a report by Vice's Motherboard, insider sources say the hacked accounts were taken over using an internal tool at Twitter.
From the Motherboard report:
"We used a rep that literally done all the work for us," one of the sources told Motherboard. The second source added they paid the Twitter insider. Motherboard granted the sources anonymity to speak candidly about a security incident. A Twitter spokesperson told Motherboard that the company is still investigating whether the employee hijacked the accounts themselves or gave hackers access to the tool.
As Motherboard notes, this is a stark reminder of what can happen when tech employees have access and control over data.
It's likely the hackers chose to steal money via Bitcoin instead of PayPal (or a similar service) because payments can't be blocked or disrupted.
"All of those types of traditional payment services, the company or the payment service can block people from making payments to those accounts," Robinson told Salon. "Nobody can block a Bitcoin transaction and that's why I imagine they used the cryptocurrency like Bitcoin."
Payments can also be harder to trace when made with Bitcoin.
"There are techniques you can use to try and hide your tracks," Robinson said. He noted that he thinks law enforcement will still eventually be able to link transactions to an identity.
What is Twitter doing about this?
Obviously, there are concerns around how secure Twitter is at the moment. Twitter recently stated: "We're working to help people regain access to their accounts ASAP if they were proactively locked. This may take additional time since we're taking extra steps to confirm that we're granting access to the rightful owner."
There haven't been any updates about what measures have been implemented internally, with the exception of Wednesday's update about taking "significant steps" to limit access to internal systems and tools during the investigation. Twitter is directing people to @TwitterSupport for updates.
According to NPR, the FBI has opened an investigation into the hack as of Thursday. "At this time, the accounts appear to have been compromised in order to perpetuate cryptocurrency fraud," the bureau's San Francisco division said in a statement. "We advise the public not to fall victim to this scam by sending cryptocurrency or money in relation to this incident."