
No, you couldn't have made more money than the Twitter hacker - fortenforge
https://fortenf.org/e/security/2020/07/15/twitter-hack.html
======
usmannk
Their whole point on the stock market is this:

> The big issue with all of these is that it’s very difficult to participate
> in the stock market anonymously. The SEC has all sorts of monitoring in
> place to catch more common forms of insider trading and fraud and you can
> guarantee that they would conduct a long, thorough investigation into a
> hypothetical hack-based market fraud. Unlike Bitcoin transactions, wire
> transfers and stock purchases can be reversed after the fact, and the
> exposure and risk go way up when you’re actually working with US dollars.

But this is divorced from reality. In reality you'd be one of thousands of
people holding HTZ calls or TSLA puts in your Robinhood account. You could
make a huge payday and be indistinguishable from the crowd. With the crypto
scam, one person will eventually have to turn this BTC into fiat. With market
manipulation, you've made thousands of retail investors indistinguishable from
yourself rich. Which one sounds like a better idea?

~~~
JumpCrisscross
> _you 'd be one of thousands of people holding HTZ calls or TSLA puts in your
> Robinhood account_

Former options market maker. We regularly got _incredibly_ detailed data
requests from regulators following corporate actions. Everyone who made money
got scrutiny. Anyone who made money who wasn't similarly profitable before is
almost automatically punted to their broker's compliance department, who will
put in several hours of investigative work by default.

One of the most consistent knowledge gaps between professional and amateur
traders, I've found, is the underestimation of how advanced and pervasive
insider trading / market manipulation surveillance is.

~~~
ummonk
I seriously doubt this is possible now that WSB is throwing around options
like crazy.

~~~
remote_phone
Yeah there are a crazy number of people yoloing in crazy options plays right
now. Their job must be much much harder these days if that’s the case.

~~~
edoceo
I think you missed this part:

> Anyone who made money who wasn't similarly profitable before

WSB is one offs and gets investigate. Other market players have historical
data showing they are not one hit wonders. Like someone who hits 5/17 is
different than one who hits 1/21

~~~
remote_phone
Yeah I doubt they get investigated. They would have already talked about it by
now.

~~~
kapnobatairza
Many WSBers have been investigated, myself included.

------
marcinzm
We still don't know if the hackers didn't steal all the DMs to sell on the
dark web. They basically can prove without a shadow of a doubt to anyone that
they were the hackers involved (by sending BTC from the publicized address).
That removes any questions of authenticity for potential DMs and is likely to
increase the price. They or someone else they resell to can then go about the
blackmail aspects of the whole thing.

If they didn't mean the BTC address to be an authenticity stamp after the fact
it seems silly to not have varied it to get around blocks.

edit: They can also use it for blackmail even if there's no incriminating DMs.
By making up fake DMs and then using the authenticity stamp to "prove" they
were authentic. Could cause quiet a bit of chaos if released in the right way
and be worth something to someone.

~~~
dickjocke
I doubt Apple or Bill Gates have very many incriminating Twitter DMs. Kanye is
a non-factor, nobody serious cares what a, respectfully, manic-depressive is
DMing about.

Elon Musk might have some suspect DMs, but honestly I think his crazy Twitter
behavior is priced into TSLA already.

~~~
spike021
I think this assumes that only the obvious accounts were affected (basically
any that sent out the tweet about the scam). It's quite possible many accounts
were accessed more quietly.

~~~
acdha
If they were stealthily looking for dirt, why would they draw so much
attention to the compromise? There’s no way Twitter wouldn’t examine all of
the accessed accounts now and the “this process access” theory is both sketchy
in general (Guccifer 2.0 publicized the idea of putting forgeries into a dump
to make them seem legitimate) and wouldn’t apply in this case since these are
different accounts.

~~~
p0ckets
I don't think there was a way to hide this from Twitter once it was executed,
since each hacked account got a password reset email. Assuming that you can't
hide it from Twitter, then it's a fine strategy to make sure that everyone,
especially potential customers of the hacked DMs, knows that you hacked these
accounts.

~~~
acdha
How does that fit with the theory I was responding to that they were stealthy
with other accounts? It seems incongruous.

~~~
strombofulous
Some people are reporting that they got similar emails, even if they didn't
tweet anything (example:
[https://twitter.com/BradyHaran/status/1283685874941808640](https://twitter.com/BradyHaran/status/1283685874941808640)).

The hackers may have saved the DMs from lots of accounts and only publicly
used big accounts which don't have any DMs to publicize the hacks

------
Mojah
One point I don't see made often: in order to short or long any market, you
need _initial_ capital too. This whole "ask 1 BTC to get 2 BTC" requires 0
initial upfront costs from the attacker.

It's a win/win situation, they can't lose. They've invested nothing in their
scam to begin with.

~~~
ZachPruckowski
Not just any initial capital, _clean_ US dollars in a brokerage account under
somebody's real name. You can't use BTC or rubles or drug money or whatever.

------
ben174
If this article is accurate, and the hacker did consider alternative ways to
make more money, or legal ways, then this really puts the blame on Twitter. If
their bug bounty wasn't absolutely ridiculously low ($7,700 for oauth account
takeover), then they could have prevented this. Essentially they're putting
the value of security for their entire user base as $7,700. This bounty should
be in excess of $1 million easily.

~~~
sfkdjf9j3j
Would a social engineering attack even qualify for the bounty program?

~~~
abhorrence
Typically social engineering attacks are excluded. However given the large
scale of this attack, there’s an argument to be made that there should be
systems in place to limit the damage one rogue (or manipulated) employee can
do.

~~~
mrfox321
It ultimately depends on how much twitter is responsible for other people
getting scammed. And how much future discounted cash they lose from reduced
engagement from this blip.

------
VBprogrammer
I find it interesting that there were at least 100 people who both had enough
money lying about in BitCoin (or at least, where able to figure out how to buy
bitcoin on short notice) who intersect with the group of people who will fall
for something which has all of the hallmarks of a scam.

~~~
LanceH
I would have avoided the obvious doubling scam and gone for "donate bitcoin to
this charity". Maybe with an explanation of how bitcoin can make it directly
to the country where it is needed immediately.

~~~
meowface
That's actually a pretty good idea. Your idea is the first one I've read out
of hundreds that I think could've possibly been a more optimal strategy.

It's tough to know for sure if it would've made more, though. Given the
limited time window, I think I slightly lean towards exploiting greed vs.
exploiting altruism. If they could somehow keep he tweets up for over 24
hours, I think your idea would likely win, but given they may have thought
they might have about an hour, I think the scam route might've been more
reliable.

~~~
LanceH
Someone else suggested posting different BTC addresses per account and framing
it as a quick charity drive contest. Which is a better version of this, IMO.

As for which one would win, I don't know. I can see the argument of immediacy
with the scam. The charity scam I think would draw in a lot more smaller
donors but I can't see them feeling the need to immediately send.

Personally I would have gone with the bounty, then shamed Twitter for the
(probably) low payout in an effort to promote my brand.

~~~
meowface
>Personally I would have gone with the bounty, then shamed Twitter for the
(probably) low payout in an effort to promote my brand.

The problem is that the attack requires active social engineering to pull off,
so it probably wouldn't have been eligible for a bounty. "I could trick your
employees and gain access to user accounts" isn't really covered.

------
felixarba
Tesla is one of the most heavily shorted stocks, and earning 1 million
honestly wouldn't even be such a big deal considering how many instititutional
and retail investors are swing trading it. Unless you bought some ridiculously
short dated options, in huge amounts and then immediately faked Elon's tweets
and cashed out, you could've made 500k easily no one would even think twice
about it.

~~~
jamiequint
The SEC would think twice about it after it became obvious what was going on.
This stuff gets actively investigated.

~~~
SilasX
They're going to heavily investigate everyone that made a half million on a
super high volume, widely shorted stock in a time of extreme volatility? To
the point of finding a smoking gun that connects them to the hackers? I'm
happy to be proven wrong about this but it seems implausible unless they were
sloppy.

~~~
AndrewBissell
> They're going to heavily investigate everyone that made a half million on a
> super high volume, widely shorted stock in a time of extreme volatility?

These arguments all seem to be operating on the assumption that there would be
a large number of day/swing traders who would exit their positions with
perfect timing, but this is unlikely because they wouldn't have the knowledge
that the price move was ephemeral and driven by a false rumor. The number of
people who made a half million off it would be a lot smaller than you think.

~~~
mypalmike
Anyone with out-of-the-money options which suddenly became in-the-money would
tend to sell.

------
ehsankia
> They managed to run off with a little over $100,000 before Twitter got the
> situation under control.

Not quite, I believe most major exchanges banning the address probably did a
lot more to control the situation. Twitter took way way too long to react and
their best course of action was just blocking all tweets from verified
users...

~~~
toephu2
They made off with $117k in their bitcoin wallet, which is not connected to
any exchanges:
[https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n...](https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh)

~~~
hajimemash
It is since a decent chunk'o people be on that convenient Coinbase Wallet-aaS
and if CB be like "hold up this a scam hunny" all that sweet koin finna stop
rollin' in

------
ALittleLight
The point about how you couldn't make money on the stock market is that the
SEC has tools to catch insider trading? You could as easily say you couldn't
hack Twitter because the FBI has tools to catch hackers.

Many people, hundreds if not thousands, have long positions on Hertz. They may
be able to find something suspicious, but not anything that could
differentiate you from "I read on wallstreetbets that buying these Hertz calls
was a good idea." Especially if you seed your account with a few similar bets
first.

~~~
Sebb767
Yes, but for that you first need a lot of money (especially if you're buying
other positions as 'cover') and a lot of preparation time (as going deep into
puts just before the hack is extremely suspicious).

And then you're still in hell, because instead of having a total damage amount
of 120k$ plus some vague twitter downtime you now have cost investors millions
of dollars and are in the highly illegal territory of stock market
manipulation, instead of a rather simple scam with modest damage.

Also, saying "I've read that on WSB" is nice, but the FBI is still going to
take your equipment for a nice inspection. No fun, I can tell you that.

------
ttul
I would not target stocks - that requires too much capital. Rather target
currencies. A retail investor can leverage currency transactions 100 to 1 --
and such speculators are numerous. Also, Forex runs 24x7.

What if the US Federal Reserve had tweeted out a link to fake economic data
suggesting an enormous fall in the USD was around the corner? Algorithmic
trading could shift the USD by $0.01, which when multiplied 100x could have a
pretty large impact on your USD/EUR play.

------
adrr
With my experience at running technology and security at a large fintech. It
would relatively easy to purchase stock anonymously with a stolen identify.
KYC(Know your customer) checks that online financial firms use to verify
identity revolve around credit report data that can easily be bought or
hacked. Think of all the online companies that offer access to your credit
report.

Any foreign actor could get a brokerage account with relative ease compared to
hacking a major social network. For the SEC to investigate, they would have to
go through multiple companies to find the account. First would be the
exchanges to search for suspicious trades. Next the clearing brokerage firms
which online fintechs use to do the trades and then lastly the the fintech
that stolen account was created on. Much longer to investigate than it takes
for the money to settle from the trade and to get money out of the account.

Also there is a good change that you wouldn't trip any of the online FI's
monitoring. If the money went out to the same account it came in on, that
isn't that suspicious and happens all the time. The cash transfers would
generate SAR(suspicious activity report) but still that would take a while for
government to process and investigate.

Authentication of a person is broken in the US and needs to be fixed. We can't
rely on credit report data and SSN.

------
lordnacho
I think they could have made more with just better ad copy. Send 1 get back 2
just stinks so much like a scam, most people wouldn't do it. What if you just
asked for a donation in some good cause, and frame it as a contest between
Elon and the other billionaires?

Also use different addresses per account. Should be really easy.

~~~
recursivecaveat
I think the hacker has to be some insider who knew their window was closing
quickly, because the ad copy does seem incredibly lazy. Like if you had Musk
'crowdfund' the next Tesla, while Biden announces that the USD will be pegged
to Monero if he's elected, and Apple takes 'deposits' for the next iPhone, it
seems like you could have done much better. Maybe we're overestimating the
relative value of the big-name accounts though.

~~~
ss2003
I like that idea, Bidden tweets he's thinking of some pro-crypto policies if
elected, donate to his election campaign now if you want this to happen!

------
clarkmoody
You have total control of 15 Twitter accounts of your choosing for 90 minutes.
What do you do?

This Twitter hack could have changed history, could have made some group of
insiders fabulously wealthy, could have started a war, etc. Yet they "waste"
it on an obvious scam.

My competing hypotheses:

\- The hacker got way in over his head and panicked (the wasted opportunity
branch)

\- The hacker siphoned the DMs from the hacked accounts (and others that did
not tweet out the scam), and this is just the beginning

\- There are larger forces at work, and this was a demo for a larger client
and is part of a longer play

~~~
dudul
Can we stop with this idiotic "Could have started WW3" comment? I can't
believe the amount of "blue checks" who've been repeating that since last
night.

How do you start a war on Twitter? Let's say the hacker impersonates Trump and
tweet "Missiles heading your way Kim!!", then what? First of all, every
develop nation in the world has ways to detect missile launches. Second, there
would just be a phone call between embassy asking "Whut??" and the situation
would be solved in 15 minutes.

People need to stop pretending that Twitter is the real world.

~~~
Uehreka
If, in 2014, President Obama had tweeted something like "I've had it with Kim!
Sending the missiles now!" no one would've believed it, as it would've been
quite out-of-character and also he didn't go around announcing policies,
executive orders and other business using Twitter.

With Trump though, it gets more complicated. He _has_ antagonized and name-
called the leader of NK on Twitter. He _has_ announced policies on Twitter
that even his cabinet weren't aware of beforehand. If he posted the above
tweet (sub out "Kim" for "Little Rocket man") and you were Kim Jong-un, what
would you do?

Sure, he's never announced a military attack on Twitter before (I think...
although I'm not 100% sure) but given the other things he's done and his
general nature, could you be 100% sure it's fake? And if it's not fake, then
the rational thing would be to counterattack with whatever capability you have
without waiting for confirmation from someone else.

And then, if you're one of the US Joint Chiefs: You see the tweet, you know
that it's false, but you consider it from Kim's perspective (see the last
paragraph) and have to game out the chance that Kim will see this as a
credible attack and launch his rockets, in which case you'd want to launch
ours immediately.

It's totally possible that they could get Kim on some sort of "Red Phone Line"
and convince him that it's fake before he launches, and that might even be the
most likely outcome. But if the hacker timed this right (to some time where
the president was asleep or harder than usual to contact) I feel like there is
a nontrivial chance it could result in at least one nuclear warhead getting
launched.

~~~
fireattack
I think the point is while it will indeed cause serious trouble in real world,
it still not enough to "start WW3".

------
tyingq
I think I could have rotated/edited the BTC addresses faster by editing or
deleting/resending tweets and taking over new accounts in a random pattern.
The money stopped flowing in pretty quick when the popular exchanges blocked
sending to the destination address.

------
vmception
Hey guys, so articles like this are no better than long winded hackernews
comments. Which we all debate the semantics of and unceremoniously decide are
wrong. So lets treat this article that way:

You absolutely could make money in the stock market instead and it has
happened before buy trading the indices. The "problems" with individual
companies don't exist when trading indices like the SPX or VIX.

This has already happened before, Associated Press' hacked twitter account
sent out something alarming sending the indices in a brief frenzy. Like long
enough for trading to react before correcting.

~~~
meowface
Sure, that is true, if you make a bunch of extra assumptions (resides in an
applicable country; has a lot of fiat capital already; has a history of
trading; has all the necessary financial knowledge and capabilities), and if
you don't factor in the probabilities of getting caught.

On paper, the stock strategy could make more money. In practice, I think it's
extremely unlikely it would be the optimal strategy here, or even a decent
strategy. The maximum potential reward would be higher, but the expected value
would be lower. (Perhaps it'd be negative, even, depending on the probability
assigned to imprisonment and asset seizure.)

I think the attackers chose pretty much the best possible strategy if their
sole goal was maximizing profit and minimizing risk of getting caught. Someone
else suggested maybe setting up a fake call for charity donations, which might
have worked even better, but overall I think they picked the smartest plan.

------
surround
No, the hacker isn’t going to have a hard time cashing out their Bitcoins. All
they have to do is pass the coins through a few Bitcoin tumblers before
exchanging it for cash.

[https://en.wikipedia.org/wiki/Cryptocurrency_tumbler](https://en.wikipedia.org/wiki/Cryptocurrency_tumbler)

~~~
hnick
A $100k windfall income would have to be explained to tax authorities in most
places won't it?

Taking it as hard cash sounds risky or laborious. Taking it to a bank account
will trigger red flags. A story will have to be told that makes sense and
holds up.

Converting it slowly over years is an option, but I'd put that in the 'hard'
category especially if you keep doing this and sending the balance up.

------
falcolas
Perhaps they couldn't have made more money, but they could have devastated the
global market with a few well placed rumors from "verified" tweets. That
frightens me more.

~~~
dhosek
Or started WWIII by provoking North Korea into a first strike with a tweet
from Trump.

~~~
netsharc
Despite NK's paranoia, I think even they are clever enough to see if Trump's
bark/tweet would have a bite. I don't think they would strike before being
certain about an attack.

------
y-c-o-m-b
One thing to consider: the $100k gained in this attack is completely random.
The attacker(s) had no way of knowing they would get that much. It could just
as easily have been $5k or less. People are framing it like the attacker knew
they'd be getting that much coin.

~~~
TwoBit
I think the hacker(s) expected more than 100K.

------
quotemstr
The blackmail option isn't mutually exclusive with the BTC scam. Maybe the
attackers slurped up all the DMs and will use or sell them later.

~~~
paconbork
Heck, you could even sign a message saying you own the DMs with the private
key that corresponds to the address that all the hacked accounts posted if you
wanted to sell them / use them for blackmail

------
toephu2
So how is this person going to cash their BTC since all the transactions from
the now most famous bitcoin wallet address in the world are traceable?

~~~
deviation
He/She might have a fair amount of luck throwing the BTC through
scrambler/tumblers. These are services offered to mask your BTC address as
other legit customers, making it much more difficult to track.

That being said... There is technology out there the FBI is hopping in bed
with that is used to track this exact thing.

I think if they tumbled it an insane amount, they might get away with about
90% of the principal.

------
synaesthesisx
The SEC fails to catch or even detect the vast majority of market manipulation
and insider trading. A volatile stock like Tesla has so much volume that a
large amount of contracts (calls/puts) wouldn't even look unusual.

They most certainly could have gotten away with some form of manipulation
using Elon's (or someone else's) account and gotten away with it.

~~~
SilasX
Because most attacks aren’t this high profile. In cases like this, they’ll be
a little more determined.

------
rootsudo
I disagree, with the stock market manipulation.

The idea isn't to be anonymous per se, it is to blend in with the crowd. You
join a few communities, you can easily, easily pull the Casino Royale short
position/puts.

Say that production is halted, that you discovered faulty accounting,
immediate recall, etc. Tesla would've plummeted.

And that's if you want to blend in with the crowd of volume and people holding
puts, which, are not that expensive, especially if you push out a few weeks.

\--

With bitcoin, it is not anonymous. You will have a pain to cashout 100k+ of
bitcoin. The address is now literally blacklisted, the coins will be forever
tracked, exchanges blocked and whenever there's movement, ironically, twitter
threads will appear similar, if not akin to bitmex margin calls.

Any localbitcoin dealer worth their salt, would flag it because even if it's
in escrow, it is most likely that small amount would blacklist their own
account, especially since most traders are cheap and will send from
exchange>localbitcoin escrow.

~~~
notyourday
> The idea isn't to be anonymous per se, it is to blend in with the crowd. You
> join a few communities, you can easily, easily pull the Casino Royale short
> position/puts.

This significantly underestimates effectiveness of market surveillance tools.

~~~
b1ur
Even so, I think that there's enough random idiots making random trades on the
market that you could get away with it. You could anonymously post something
that sounds vaguely credible on reddit's WSB board and use that as your
justification if the SEC asks. If you do a good job, you've just convinced 100
people to be your patsies (and made them a handsome sum in the meantime)

~~~
notyourday
That is predicated on dumb money not trading in patterns that are visible to
market surveillance. We know for it not to be the case.

First of all, market surveillance is going to score trades based on
profitability and on the expected value of outcomes. If the actor in question
does not have a habit of trading options in certain patterns, he will be
sticking out of the sea of other bets, significantly reducing the number of
actors he can hide in. This will flag money movement. This will flag strange
account funding. This will flag strange volume. This will flag strange time
the order was placed in compared to the usual trades of this individual.

> If you do a good job, you've just convinced 100 people to be your patsies
> (and made them a handsome sum in the meantime)

This will probably not increase but decrease randomness.

The trick of avoiding being picked up on a market surveillance is not to hide
among others who do what one does rather it is to hide a specific action one
performs among a pattern of one's typical actions. That is why a hacker who
does not normally trade options will most likely get nailed should he win
based on a hack.

------
victoriasun
TIL I'm the only person on HN who thinks that making 100k in 15 minutes is a
pretty great feat.

~~~
ALittleLight
The transfer happened in fifteen minutes. Unknown how long it took to
engineer.

Regardless, you compare things to their alternatives. Here the alternatives
are: make much more money, make less money, don't commit crime. The first and
last alternative each have logical reasons to recommend them, the middle one
doesn't.

------
ayqod
SEC have no time for that. Don't forget old days:

The Securities and Exchange Commission is drawing Republican criticism
following reports that senior agency staff used government-issued computers to
surf pornographic websites, according to the Associated Press.

An internal memo obtained by the AP said the SEC's inspector general has
investigated 33 employees for looking at porn in the past five years, and 31
of those probes occurred since the financial turmoil began. This conduct
violates governmentwide ethics rules, the memo stated.

------
sakopov
This identical scam has been running in full force on YouTube ever since
Bitcoin's halving event. I wonder how much this contributed to the lack of
success of the Twitter scam.

------
Avicebron
It could have been a demonstration of power, maybe a state actor was testing
their team, and they decided to Runescape meme on Twitter to show they could
make a bigger play later.

------
tutfbhuf
I think there might have been other options with different risk odds, but at
the end we talk about 100k for a massive hack with international attention. In
review of that it's just a very small amount and not worth the risk. There are
other ways to steal 100k without getting the attention of the whole world,
especially if you're a "smart" hacker.

------
azangru
I am just surprised that these tweets actually worked.

It would have made total sense if the hijacked accounts suggested doubling
others' donations to certain charities, as we have seen played out in the
beginning of June. In fact, the first time I saw those tweets, with their
"giving back" theme, I misread them as meaning exactly that, doubling
donations to charities. But instead they were proposing to immediately send
the money back, doubled. Asking people for money first is hardly a believable
"giving back" offer; it should have raised so many eyebrows and red flags.
Especially coming from Biden's account — I might almost believe it coming from
Elon, but for Biden that would be completely out of character; he wouldn't
have the imagination.

------
duaoebg
I wonder if people are paying more in a patron or only fans way. Supporting it
as an attack on their least favorite blue check mark.

Also, I wonder if more of the value of the blackmail could captured with an
auction mechanic; as in donate to X for public release or donate to Y to keep
it private at a certain time the account with the most money wins. This
mechanic could be manipulated behind the scenes for even more money.

------
rasz
>Elon: Limited early run 50 Cybertrucks and 50 Roadsters giveaway. Send 0.05
BTC to qualify ...

>Gates: Coronavirus vaccine found. Secure yours by sending 0.01 BTC. Dont
forget about your family ...

>nvidia: Limited early run 50 RTX 3080 and 50 RTX 3090 giveaway. Send 0.01 BTC
to qualify ...

and so on and on

There was so much more targeting/personalization they could do beyond old
tired 'double your ISK scam'.

------
easton_s
I got 5k for an OAuth bypass on one of Google APIs. The leaked data was much
less harmful then being able to post on any twitter account.

------
ve55
Disagree strongly. The main reason is one needs to understand how much
leverage you can gain by successfully playing very risky far-out-of-the-money
call/put options, but also that the volume on stocks (and derivatives) like
$TLSA is insane, and millions are being traded in it every single minute.

$TSLA OTM call/put options with the right tweet could easily make someone
millions, and the liquidity and open volume is crazy enough on them that it'd
be very hard to be found out. If that isn't good enough, you could post rumors
and tweets beforehand to cause many others to also buy in, and there would be
no way to reasonably separate who was behind it and who just joined in on it.

For example:

1) Tweet as Elon musk "Very good TSLA news coming up"

2) many more people buy calls, including yourself

3) Tweet as Elon musk "TSLA earning are going to beat by so much"

4) sell your calls for puts

5) Tweet very negative/offensive/terrible content

------
dumbfoundded
I'm guessing they could've inflated the price of bitcoin as well. Like have
some major fund managers say they were moving into Bitcoin in a big way.

------
wmil
I think I could have. Just straight up sell the hack as a service. For 1 btc
you can make any blue check say whatever you want.

4chan would go wild.

------
aripickar
I disagree with some of the things that this article is saying since there are
ways to fundamentally do the same scam, but not make it so incredibly obvious
that it's a scam. Or, the user could cause disruption in other markets that
are not obvious.

1\. Change the order of who they targeted. The hacker started by attacking
Elon Musk and a few other high profile celebrities. But, later in the hack,
they tweeted from Mr. Beasts profile, a Youtuber who is known for giving away
large sums of money. If they had started with Mr Beast, then there would be a
lot less skepticism and a lot more confusion, since it would have been a lot
more likely to not actually be a scam in users minds.

2\. Target poorly regulated markets. Theres a decent amount of Liquidity on
the betting market for the US presidential election on betfair. Have Biden
tweet something out about him dropping out due to heart problems, have the
Reuters/AP tweet a breaking news article confirming it, bada bing bada boom
millions of dollars coming your way. Its not like the only liquid markets are
well regulated. It looks like a hack thats designed to scare people for
political points, but you can make money off it.

------
vchak1
Why not combine the methods? Use the BTC stuff to fund the stock stuff, and
have different twitter accounts do different things. Biden's for BTC, and
Musk's for stock market manipulation. Plus steal the DM's for sale on the dark
web.

------
Exuma
Condescending headlines are so stupid. Right...

------
varbhat
Actually, earning money by cheating is bad.

~~~
AbraKdabra
> and it must not be

Why not?

~~~
varbhat
Money can be goal but not the prime goal. Prime goal must be their interests.

------
rmason
They didn't mention the most nefarious thing you could do - spring an October
surprise and throw a presidential election in the U.S.

I'm basing this on the fact that both the Trump and Biden campaign staffers
are probably sending a lot of DM's. Releasing the most embarrassing
information at the right time could prove pivotal.

~~~
paxys
That is very unlikely. There's no serious internal communication happening
over Twitter DMs.

------
chucksmash
I don't see how one can say "the SEC is good at investigating stock market
shenanigans, therefore you couldn't possibly profit that way, end of story."
That was a pretty common take in the other thread as well.

This is not insider trading. When an insider tips off an associate,
investigators have full information on the pool of insiders. "Who knew about
this ahead of time?" is a strong filter. Assuming the attacker had perfect
opsec and the attack itself doesn't leave evidence that exposes them, they
live in a much larger and murkier pool.

Additionally, the attacker might have known of this vector months ahead of
time. This gives them time to lay groundwork, find accomplices, and prepare.

Quick thought experiment:

There is a bar I used to go to pretty often. It was cash only. Aside from cell
tower pings, possible Google Maps location history, and N days worth of
security footage, there is nothing tying me to that bar. I've known one of the
bartenders there for five years now. We grew up in the same town. We're not
Facebook friends, we don't talk on the phone, but we've now known each other
in this context for quite a while. If you had a perfect "back home" social
graph, we're probably ~3-4 degrees of separation. Linking us to one another
locally starting from his perspective would involve very invasive
investigation (i.e. putting names to faces for everybody on the N days of
security footage that bar has archived, a subpeona for bulk subscriber data of
people who have been to that bar, etc).

If I try to involve him in my market manipulation scheme, there's the risk he
turns me in outright or that he rips me off and keeps the money for himself.
Basically, the criminal conspiracy version of counterparty risk. Set that risk
aside for a moment. Assume that he's on board with the plan. Also assume that
I, as the attacker, leave no digital evidence pointing back to me.

Think about how egregious his trading behavior would have to be to bring
enough scrutiny upon himself that the SEC has people reviewing this bar's
security footage, building profiles of the randos who have been to that bar,
all that. I don't claim that "tipping off the bartender" is the world's most
original securities crime, but unearthing that connection is a much more
involved process than the cases of "spouse/sibling/college roommate/tennis
partner of CEO bought OTM options a week before acquisition was announced."

X people make, say, 1-10 million dollars off of a zany bet on stocks. Imagine
how obvious your trade would have to be such that Y years from now, one of
those new millionaires moves back to East Bumblef and makes a money-losing
real estate transaction with another East Bumblefian (say, moi), and the SEC
jumps over a hedge like "ah-HA! We've been watching your accounts this whole
time, that other East Bumblefian knows how computers work and lived in an
apartment four blocks from your old workplace in 2015, nobody could possibly
negotiate this poor of a land deal, checkmate!"

------
bmmayer1
Step 1: buy TSLA puts Step 2: @elonmusk: "I'm retiring effective immediately.
Don't believe what you read in the news tomorrow." Step 3: Profit

~~~
hocuspocus
What makes you think the market wouldn't react positively to such news?

~~~
ehsankia
Yeah, I honestly don't have a sense in which direction the stock would go with
such an announcement.

~~~
tekromancr
I am not even sure it would move much in either direction. Some traders would
think it's good, some bad. Everyone's bets would cancel each other out and the
delta in either direction would be small.

My guess is it would trend downward since my evaluation of $tsla is that it is
a personality driven bubble; but my evaluation isn't everyone else's.

------
blatchcorn
No one really knows and it can't be proven one way or the other, so this isn't
worth debating

~~~
tlb
(Also true of 99% of all the topics people debate)

As far as this topic goes: you could prove the argument false by doing a
better hack and making a lot more money. Or we could gain confidence in it as
years pass and hacks happen but no one makes a lot more money.

