The Twitter accounts of major companies and individuals have been compromised in one of the most widespread and confounding hacks the platform has ever seen, all in service of promoting a bitcoin scam that appears to be earning its creator quite a bit of money.
We don’t know how it’s happened or even to what extent Twitter’s own systems may have been compromised. The hack appears to have subsided, but new scam tweets were posting to verified accounts on a regular basis starting shortly after 4PM ET and lasting more than two hours. Twitter acknowledged the situation after more than an hour of silence, writing on its support account at 5:45PM ET, “We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.”
The company also took the unprecedented measure of preventing verified accounts from tweeting at all starting sometime around 6PM ET. This would seem to be the first time Twitter has ever done this in the company’s history. Twitter updated its stance on limiting tweets at 7:18PM ET, writing, “We’re continuing to limit the ability to Tweet, reset your password, and some other account functionalities while we look into this. Thanks for your patience.” At 8:41PM ET, Twitter said “most” verified accounts should be able to tweet, adding, “As we continue working on a fix, this functionality may come and go.”
Most accounts should be able to Tweet again. As we continue working on a fix, this functionality may come and go. We’re working to get things back to normal as quickly as possible.
— Twitter Support (@TwitterSupport) July 16, 2020
The chaos began when Tesla CEO Elon Musk’s Twitter account was seemingly compromised by a hacker intent on using it to run a bitcoin scam. Microsoft co-founder Bill Gates’ account was also seemingly accessed by the same scammer, who posted a similar message with an identical bitcoin wallet address. Both accounts continued to post new tweets promoting the scam almost as fast as they were deleted, and Musk’s account in particular was still under the control of the hacker as late as 5:56PM ET.
A spokesperson for Gates tells Recode’s Teddy Schleifer, “We can confirm that this tweet was not sent by Bill Gates. This appears to be part of a larger issue that Twitter is facing. Twitter is aware and working to restore the account.”
NEW — statement from a spokesperson for Bill Gates.
“We can confirm that this tweet was not sent by Bill Gates. This appears to be part of a larger issue that Twitter is facing. Twitter is aware and working to restore the account.” pic.twitter.com/v37Jvs76Jl
— Teddy Schleifer (@teddyschleifer) July 15, 2020
Shortly after the initial wave of tweets from Gates and Musk’s accounts, the accounts of Apple, Uber, former President Barack Obama, Amazon CEO Jeff Bezos, Democratic presidential candidate Joe Biden, hip-hop mogul Kanye West, and former New York City mayor and billionaire Mike Bloomberg, among others, were also compromised and began promoting the scam.
It’s unclear how widespread the operation is, but it appears to have affected numerous major companies and extremely high-profile individuals. That suggests someone, or a group, has either found a severe security loophole in Twitter’s login or account recovery process or those of a third-party app — or that the perpetrator has somehow gained access to a Twitter employee’s admin privileges. According to Motherboard, numerous underground hacking circles have been sharing screenshots of an internal Twitter administration tool allegedly used to take over the high-profile verified accounts. Twitter is now removing images of the screenshot from its platform and in some cases suspending users who continue to share it. The company has not shared any details as to how the hacks were carried out.
The origin of the scam can be traced to the moment when Musk’s account issued a mysterious tweet at 4:17PM ET reading, “I’m feeling generous because of Covid-19. I’ll double any BTC payment sent to my BTC address for the next hour. Good luck, and stay safe out there!” The tweet also contained a bitcoin address, presumably one associated with the hacker’s crypto wallet.
The tweet was then deleted and replaced by another one more plainly laying out the fake promotion. “Feeling grateful doubling all payments sent to my BTC address! You send $1,000, I send back $2,000! Only doing this for the next 30 minutes,” it read before also getting deleted. The tweet posted to Gates’ account echoed the Musk tweets, with an identical BTC address attached. It was also deleted shortly after posting, only for a similar message to take its place a few minutes later.
Hacked accounts were almost all posting the same bitcoin wallet address
Square’s Cash App appears to be one of the other company accounts compromised. However, it’s not clear if the culprit is the same or if this is some form of a coordinated scam on behalf of a group, as the tweet contained a different BTC address than the ones posted to the other accounts.
In addition to the Cash App, popular crypto Twitter accounts, including those of Cameron and Tyler Winklevoss’ Gemini cryptocurrency exchange and widely used wallet app Coinbase, were also compromised. Cameron Winklevoss claims the Gemini account was protected by two-factor authentication and used a strong password, and the company is now investigating how it was hit.
ALL MAJOR CRYPTO TWITTER ACCOUNTS HAVE BEEN COMPROMISED.
2FA / strong password was used for @Gemini account. We are investigating and hope to have more information shortly. https://t.co/X3C0uJzc6C
— Cameron Winklevoss (@winklevoss) July 15, 2020
Some people apparently fell for the scam and sent money to the associated BTC address, as records of the transactions are public due to the nature of the blockchain-based cryptocurrency. So far, the scammer has amassed nearly $120,000, although it seems as if the account owner is indeed sending money back out as the daily final balance has fluctuated up and down throughout the afternoon.
It’s an actual wallet address and there are transactions happening. It’s unclear if these transactions are legit. Scammers often seed their own scams to give them the appearance of authenticity. https://t.co/GUHEDaKNxu pic.twitter.com/xfhl3817xr
— Ryan Mac (@RMac18) July 15, 2020
Musk has long been the target of bitcoin scammers on Twitter, many of whom create fake accounts designed to look like the entrepreneur and respond to his tweets promoting the scams so that they appear legitimate. Twitter even went so far as to start locking some accounts that change their name to “Elon Musk,” and the company singled out cryptocurrency scammers in spring 2018 as a source of known manipulation and deception that it was aiming to root out through bans and other moderation strategies.
Update June 15th, 7:33PM ET: Added new details regarding the Twitter hack and the company’s response.
Update June 15th, 8:53PM ET: Added that Twitter restored verified accounts’ tweeting ability.