Twitter Hacked – How It Went Down

Updates related to the Twitter hack have been added at the end of this Article

We all know Twitter was compromised and it led to a roller-coaster ride on twitter resulting in a scam of 12.86812455 BTC ($117,392).This post will focus on how the events unfolded, who might be behind the hack and also a list of accounts which got hacked in their reported sequence.

When Twitter Hack Started

I was busy inside Utopia trying out the Utopia Alternate Miner which was just launched by @1984, while I got a message from a Utopia user inside a channel that twitter handles of Binance and their CEO got hacked. Two accounts related to binance is nothing big while doable. However, curiosity took me to twitter where I saw the tweet left by hackers, I was sure it will get interesting but I never expected this magnitude. The account hacks kept happening for 2 hours before Twitter jumped in.

Twitter Scam Hacker Message

The initial tweets were

We have partnered with CryptoForHealth and are giving back 5000 BTC.

See for more : cryptoforhealth.com

The website cryptforhealth.com was later suspended by the hoster and cloudflare, which led the hackers to modify their message a few times, something to give it a personal touch

I am feeling generous because of Covid-19.

I’ll double any BTC payment sent to my BTC address for the next hour. Good luck, and stay safe out there!

Elon Musk tweet had this message

Due to Covid-19, we are giving back over $10,000,000 in Bitcoin!

All payments sent to our address below will be sent back doubled.

bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh

This is only going on for the next 30 minutes! Enjoy!

Uber made this tweet

I have decided to give back to my community.

All Bitcoin sent to my address below will be sent back doubled. I am only doing a maximum of $50,000,000.

bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh

Enjoy!

Barack Obama tweet was unique too

The hack went on for about 2 hours, while new verified and non-verified accounts kept making compromised tweets. Kim Kardeshian Tweet even had a different wallet address. I will share all the hacked accounts tweets in the article.

Unfolding of Twitter Hack Events

Binance Twitter was the first to get compromised. However, the influx of BTC was very little on the scammer wallet address(0.4 BTC after few minutes). These tweets didn’t raise many alarms as people initially thought that it’s something to do with ‘Binance’.

Many smaller twitter accounts were being compromised aswell, mostly those which were related to cryptocurrency. Tron Foundation official account was next to follow. Tron handle takeover seemed a play of 3rd party API which was common in both exchanges

The pattern has been formed by now, “Exchange Handle” followed by “CEO Handle”. Same tweet appears from Justin Sun handle. Various other official accounts like Coinbase, Coindesk, Gemini etc were compromised and they made the similar tweets

Crypto industry is being targeted and they miss out Lee ?. Charlie Lee, creator of LTC twitter was compromised aswell. By now scammer wallet had accumulated 0.6 BTC.

Bitcoin account takeover was nothing new but now things were getting serious. Bitcoin handle tweeted the same, indicating that this hack is not localized to just some API exploitation. Bitfinex handle was compromised too.

Ripple Twitter handle was compromised aswell but I wouldn’t care much what happens with a centralized permissioned blockchain

Things got interesting (read bad) when Elon Musk account was compromised and scammers wallet jumped from 0.9 BTC – 6 BTC

Elon Musk has a cult like following, but it is unfortunate that people fall for such things but they do , I have always mentioned in various crypto related articles that “It’s a scam if it’s too good to be true” but many do not understand and just go for it , thinking there is free money. Followed by Elon Musk , Bill Gates twitter was compromised and it tweeted the same. By now 9 bitcoins have been sent to the wallet.

Scammer website stopped responding as Cloudflare and hosting terminated access to the website thus scammers started sharing wallet address directly in the tweets. This happened right after Elon Musk tweet, once old tweet with website was deleted for the newer tweet as visible above.

Uber account was hacked and tweeted the wallet address and after this tweet was made the scammer wallet had around 10.5 BTC

Cyber community was certain that this is not an exploitation of a 3rd party API but something bigger, something which was might show the weak point at twitter’s end : #TwitterHacked

Hackers started moving their Bitcoin to various addresses, the most prominent address was : 1Ai52Uw6usjhpcDrwSmkUvjuqLpcznUuyF, which received 50% of the total scam btc transactions.

Various political entities including Barack Obama, Joe Biden and Warren Buffet twitter handles were also hacked resulting in similar tweets.

Apple and @jack handle were the last among the big names before twitter managed to stop more tweets on verified accounts, by this time tweets on smaller non verified accounts were still visible. 12.86 BTC were sent to scammer wallet by now

Twitter Response on Hack

Twitter was constantly deleting cryptocurrency scam tweets and after a lapse of 2 hours, twitter seemed to gain control of the situation by disabling most of usage and reset capabilities of verified accounts and restricting staff access to the Twitter Administration Dashboard.

If you read the twitter thread mentioned above, it is updated as they provide any information. I will mention here only what’s relevant

• Verified accounts might loss the ability to tweet as twitter conducts their investigation
• Social Engineering was carried out to access internal systems and tools thus compromising Twitter itself
• Twitter is currently not certain what other information was accessed by the hackers, that includes DM or Backup data
• Internally twitter has limited access which implies that they are still not able to pinpoint the exact node which was exploited
• Passwords were probably not accessed

Where the Crypto Went

Bitcoin is anonymous but still traceable to a certain degree and that’s what happened with all the transactions, there have been various transactions before and after the start of the hack, and wallet and their transactions can be tracked down. Merkle Science has a short post explaining the the where the bulk of crypto assets went.

Who Was Behind The Twitter Hack

There are many speculations about who might be the person behind the hack. KrebsOnSecurity, skilled in investigative cyber investigations did an article highlighting who the hacker behind the twitter hack might be but I am not convinced and here is why :

• The article mentioned that @shinji tweeted the screenshot of the admin panel and shared archive links of the twitter handle while in both the links the tweet mentioned is not available. Secondly Lucky225 also tweeted that @shinji took the account, without mentioning how he came to know about that
• @Shinji handle linked ‘dead’ and ‘j0e’ instagram handles in his bio, which is a common tactic used in leaving people astray with invalid information. If j0e & dead Instagram accounts would have referred anything back to @Shinji twitter handle that could have been taken as something concrete.
• The article develops on the assumption that @Shinji is infact owner of J0e & dead Instagram accounts which I have already mentioned is invalid. PlugWalkJoe association can not be made for reasons already stated above. PlugWalkJoe was also nicknamed ChucklingSquad. KrebsOnSecurity further stated about PlugWalkJoe

PlugWalkJoe in real life is a 21-year-old from Liverpool, U.K. named Joseph James Connor. The source said PlugWalkJoe is in Spain where he was attending a university until earlier this year. He added that PlugWalkJoe has been unable to return home on account of travel restrictions due to the COVID-19 pandemic.

• The link between the swimming pool on PlugWalkJoe Instagram and to some video which the source has is irrelevant when the first tweet can not be established and facts are being force fed.
• Time will tell how things turn out to be and who is the actual person behind this hack

Many users on telegram and twitter have been claiming that @bobochain / @bobobitcoin might also be the hacker because he shared the image of the twitter dashboard in his telegram channel is not correct because he shared the image after 1 hour down the hack, so its not sure what the actual source of those images was. However, bobobitcoin telegram channels were deleted before the twitter hack stopped.

Internet Opinion about Twitter Hack

Nothing is confirmed uptil now on how exactly things went down , but there are lots of rumours and many credible news sites have mentioned that it might not be a social engineering in it’s true sense, According to Vice – Hackers just paid twitter employees to give them access to their internal administration dashboard. You might be wondering how sophisticated and professional looking twitter administration dashboard would be. Be the judge of that !!!

NetworkChuck Take On Twitter Hack

A great take on how Twitter hack went down and what majority is saying might not be accurate. Marcus Hutchins also gives his input on how things might have happened with logical explanation. Check out the video as it is also very informative and teaches how Social Engineering is the biggest vulnerability, as I have said the same since forever.

Dr-Hack’s Opinion

I can not have an opinion, I will just lay down the facts and it’s up-to the readers to decide. The dashboard shared looks horrible and it would be a shame to believe that Twitter is having something like this. The source of the images showing the dashboard is also UNKNWON. The article above doesn’t mention how the hackers were contacted and how their story can be validated. Yes Twitter employees were led into giving out their credentials which allowed the hackers to change emails on accounts and doing an account takeover.

As visible in the images in the tweet below Coinbase and Gemini had the same email reset info once they were compromised.

Scammers Website – Who Owns CryptoForHealth.com

It would be poor investigative writing if we miss out the details available to us from the domain cryptoforhealth.com.

The domain was registered on the same day when the hack went down and it was not using any Privacy guard thus it was showing all details. Name shown on the domain is Anthony Elias with email [email protected]. Midway the scam the details were removed and privacy guard was applied, which might indicate a hasty move, or an intentional play to misguide everyone. The address and number given are invalid.

Conclusion

It was undoubtedly one of biggest Cryptocurrency scam pulled over twitter and one of biggest hack seen by twitter. If the dashboard is anything but true it would raise lots of questions related to the level of control Twitter has over the users and how easily they can influence the activity of users. Twitter will have to answer lots of questions in coming future. The way the hacker moved the bitcoin to various wallets and left the privacy guard off after registering the domain , this all indicates hasty movements but someone who is pulling off such a big hack would sure be smart enough to cover his tracks. It is possible that the hack was a stroke of luck with no time to prepare thus resulting in some mistakes. Follow @Hackology

This article will be updated with relevant and credible information as received

Twitter Hack Updates [25 July 2020]

• 130 total accounts targeted by attackers
• 45 accounts had Tweets sent by attackers
• 36 accounts had the DM inbox accessed
• 8 accounts had an archive of “Your Twitter Data” downloaded, none of these are Verified

As of now, we know that hackers accessed tools only available to Twitter internal support teams to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and send Tweets.

For up to 8 of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information through “Your Twitter Data” tool. Such accounts are being contacted by Twitter.

As per Twitter, that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including 1 elected official in the Netherlands. To date, there is no indication that any other former or current elected official had their DMs accessed.