The Bitcoin scam that hit Twitter could have been way worse


On Thursday afternoon, all hell broke loose on Twitter. Some of the largest and most influential accounts, all accompanied by a blue checkmark, began tweeting out a similar message: send Bitcoin to a designated address and you'll receive twice as much Bitcoin in return. Joe Biden, Barack Obama, Elon Musk, Kanye West, and Jeff Bezos all appeared to be participating. Even companies like Apple, Uber, and Cash App were in on it. To some, it may have appeared as a legitimate, unified charitable effort. To most, it came off as a scam. And while a tweet from one high-profile account might mean that the individual got hacked, it became clear as more and more noteworthy accounts joined the Bitcoin chorus that something bigger was happening.

A report from Motherboard suggests that hackers did not break into each individual account. Instead, it seems that a Twitter insider provided the hackers with access to an internal tool available to some Twitter employees. That tool was used to change the email addresses associated with each account, which allowed the hackers to change the passwords while preventing the actual account owners from regaining access.

According to Twitter, the hackers got into the internal tool through a series of social engineering attacks that resulted in employee accounts being compromised, leading to hackers gaining access to the panel that allowed them to hijack dozens of high-profile, verified accounts. The attackers, who spoke to Motherboard, said they paid an employee to provide them access. Either way, Twitter's defenses were breached in a way previously unseen. The attackers used their unprecedented access to carry out an arguably successful Bitcoin scam that netted them a good chunk of change over the course of a couple hours. But it could have been far worse.


"Twitter, and all of us, did get away very easy from this one," says Alexi Drew, a post-doctoral research associate at King's College London. Drew, who recently co-authored a paper highlighting how Twitter could be used to escalate crises, including at an international level, tells Mic that the timing, targets, and motivations of an attack like the one Twitter suffered all play a factor in the potential outcome. In this case, the goal was financial gain and the timing seemed relatively innocuous.

"Imagine if Joe Biden and other leading Democrats or journalists had their accounts taken over on the eve of the US Presidential election in November and all began to tweet about Biden conceding," Drew says. "With the correct timing, the right targets, and enough forethought to make the tweets believable this could have had critical effects to democratic processes." She warns that the United States is "asymmetrically at risk" from an attack that targets trusted accounts because of the country's "reliance on Twitter and other social media platforms for information."

This has played out in a limited capacity before. In 2013, the official Associated Press Twitter account was hacked and tweeted a false news story about a supposed bombing within the White House that left then-President Barack Obama injured. That single tweet sent the stock market into a brief free fall that wiped out more than $136.5 billion in market cap in a matter of minutes.

Jennifer Golbeck, a Professor at the College of Information Studies at the University of Maryland, tells Mic that there are lots of "realistic dystopian scenarios" that keep her up at night that suddenly feel more real after the events of Thursday. She notes that because the Trump administration has attempted to argue that the president's tweets are official statements, a lot of damage could be done if government accounts are compromised.


"A hacker who gets access to his account would essentially have access to making those statements. Imagine they did it more subtly, tweeting in his voice and only from his account, as opposed to many verified accounts like yesterday," she says. "If those tweets are antagonistic to other world leaders or toward groups within the US, it's within the realm of possibility that real action is taken in response." She said that while she doesn't necessarily see the world ending up on the brink of nuclear war as a result of some tweets, "it seems very reasonable that the military gets roped in or people die."

She played out one such scenario, in which the President's account is compromised and sends out an inflammatory tweet, which she provided in the president's style and voice on Twitter:

Hackers get into Trump's account and post a doctored photo or video of a white woman being assaulted by a group of Muslim men. The tweet goes something like this: "This patriotic American woman was attacked near her home in Minneapolis last night by VIOLENT MUSLIM EXTREMISTS who have infiltrated our Great Country! True American Patriots should exercise their 2ND AMENDMENT RIGHTS and show these terrorists we will not live under SEIGE! TAKE BACK AMERICA!"

She says that while the tweet would likely get deleted and Trump would claim to have been hacked, it's likely that many people would not believe him. "Given Trump's lack of diplomatic or political filter, denials and deleted tweets are unlikely to convince many that they weren't actually tweets from Trump himself. 'I was hacked!' is a tired excuse for bad behavior, and Trump has not earned a reputation as a thoughtful or careful tweeter," she says. It's easy to see both his supporters and detractors taking the words seriously, leading to violent actions against Muslims and demonstrations in the streets condemning his words and his supporters' actions.

These types of outcomes don't require everyone to fall for the false tweets. Most people who saw the Bitcoin tweet likely knew they were fake, despite coming from verified accounts. But not everyone did. Clint Watts, a Distinguished Research Fellow at the Foreign Policy Research Institute, tells Mic that it's worth remembering that some people did fall for the scam because they trusted those accounts. "Some people sent Bitcoin. There's always one percent that is going to react to whatever is out there in a dramatic way and fall for something," he says. "They knew to take over verified accounts because they get some more reach. Imagine this happened the day before the day of the election. It could be just catastrophic."

Tyler Moore, Tandy Associate Professor of Cyber Security at the University of Tulsa and editor-in-chief of the Journal of Cybersecurity, tells Mic that even if a hacker were just motivated by profit, like the ones who carried out the attack appear to have been, they could use access to manipulate markets in a far more damaging and wide-reaching way.

"We already know that stock markets react when leaders post disruptive news on Twitter," he notes. "A hacker who shorts a company stock or stock index could spread false information to trigger a price decline and profit handsomely." Someone like Elon Musk, who had his account compromised in the breach, might be a prime target for something like this, as he already has a history of shifting markets with his tweets.

Matters are also made considerably worse when accounts typically relied upon for trustworthy information are not only compromised but also rendered silent. To stop the breach on Thursday, Twitter essentially prevented verified accounts from tweeting until it could cut off the attackers' access to the company's internal tools. While it did stop the tweets from coming, it also stopped trustworthy sources, including verified news organizations, reporters, and other high-profile users, from providing reliable information about the event. Drew calls the response "proportionate to the risk and likely the most effective tool they had at hand that was certain to prevent further harm," but notes that it causes a considerable communication problem for the public. "It isn’t impossible to imagine that some communities and individuals would struggle to find alternative sources of information when Twitter is no longer an option," she says.

Actually stopping a future attack like this will likely require Twitter to ramp up its security, which the company claimed to be doing already. Drew says Twitter will likely need to improve the "cyber hygiene" of its employees to ensure they don't fall for a similar attack in the future. "It might help future instances if this administrator tool operated on multiple unique instances that could be remotely tracked and turned off," she says, though she notes it may be a technically impractical solution. Watts suggests that the company is likely to add significantly more people on hand to react to a similar attack, particularly in advance of the upcoming election. Another instance where verified accounts are under hacker control for multiple hours, particularly in the midst of a national election, could lead to unthinkable chaos that would take more than just a few tweets to recover from.