Hackers take over prominent Twitter accounts in simultaneous attack (coindesk.com)
2595 points by megadeth on July 15, 2020 | 1349 comments

All: don't miss that there are multiple pages of comments. The top few subthreads have become so large that they fill out the first page entirely. You have to click 'More' at the bottom to see the rest, including a lot of the newest posts. Or use these links:




Edit: also, there's a related thread tracking the BTC transactions here: https://news.ycombinator.com/item?id=23851542.

In general, look for More links at the bottom of big threads. This is a performance workaround that we're hoping to drop before long, but in the meantime there's a limit of 250 or so comments per page.

Given how huge this hack is, and how little the BTC reward is going to be, I'm tempted to think this is either:

- a test of a new hacking system

- a demonstration to a big client

- a first shot to threaten some entity

- a diversion while they get the real loot

And that the BTC messages are just a way to justify it so it looks like a simple scam.

Such a hack is worth way, WAY more than the few BTC it could bring.

It could just be a relatively unsophisticated actor who stumbled upon a serious vulnerability and didn't know enough to market it to, eg, a state actor or whatever.

I remember last year around Christmas/New Year 2018/2019 a similar hack/leak/doxxing took place, targeting 994 (!!) mostly German politicians, celebrities and influencers. Massive amounts of private information (names, addresses, phone numbers, e-mails, DMs, contacts, online profiles, chat logs, private documents and even intimate details) were leaked. The data was published on a wide spread of public pastebins and etherpads. It took ages to take them down. The attacker had set up a labyrinth of links, files and passwords and even structured the data by topics and political parties.

Attack vector: SIM swapping. It was too easy. As soon as he got into one account, he got access to its contacts and more phone numbers.

The attacker (0rbit) was a 20-year-old student living at his parents' home. He bragged about his hack to an online friend. This friend knew that 0rbit had been raided by the police years earlier. He betrayed him to the investigators, and with the exact date of the raid they were able to look up the old case and reveal his identity.

Previously on HN: https://news.ycombinator.com/item?id=18823286

Ja in South Africa, sim swapping is still one of the biggest attack vectors, especially for bank-account-hacks.

Anything cellphone related is absolute crap, security and otherwise.

It was not a hack. It was just a lot of doxxing. There was really nothing impressive about it.

900 successful sim swaps is impressive.

I was helping out a friend to make a presentation/training on IT sec, and while I was searching for some fancy SIM swap rig photos, I saw this image [1] that led me to this article [2]: "Detectives smash illegal SIM swap command centre in Ruiru"

and from the article: "Officers found 30,000 SIM cards, 240 iPhones, 150 MI phones, 2 laptops, 2 and other electrical appliances. The gadgets were plugged into a system."

[1]: https://nairobinews.nation.co.ke/wp-content/uploads/2018/08/...

[2]: https://nairobinews.nation.co.ke/news/detectives-smash-illeg...

It doesn't add up to 900, only to 390... but still... if these guys focused their ingenuity on something positive, they could have accomplished so much more in life.

There were no SIM swaps, at least not by the student. Later it was revealed that he simply bought the data and published it. The hacking was done by somebody else.

That doesn't make much sense. Why would a student, presumably with little money, buy something that seems likely to command a pretty high price, that he has no use for other than to post anonymously on the internet?

I don't know him, so all I can do is guess. All I know is what the news in Germany reported. According to them he just acquired the data he published. The reasoning behind it is unknown to me, if there was any. In the media coverage he didn't really appear that smart. Maybe he did it just to brag about it, or he was hoping to extort the people and wanted to prove that he had the material, or it was political because most of his victims were from the left.

But then why set up a rather simple scam instead of getting the bug bounty from Twitter? That wallet is currently sitting at about 150k USD and these are rather hard to pay out. Why not just go for a 100k USD bug bounty, completely legal and with fame?

If the hacker regularly does black hat stuff (and perhaps used black hat methods to obtain this access), they risk criminal prosecution by going through the official channel.

Bug bounty programs typically have stringent rules, disqualify many valid reports, and take a long time to pay out. Not surprising to me that they'd cash out in this manner - especially if they got access via a token which expires: they wouldn't have much time to plot on how to monetize the access.

I suspect this was a small operation - a national intelligence organization could have caused orders of magnitude more havoc with this sort of access. Smaller groups don't have the infrastructure to capitalize on such chaos.

> Bug bounty programs typically have stringent rules, disqualify many valid reports, and take a long time to pay out.

When they pay out. Some will even fix the bug, and just tell you "thanks, but it wasn't a security bug"

Happened to me in a minor way with ASCII chat characters running down the search engine results page into other results.

I reported that you could use this to basically block out the serp and they said it wasn't a bug then fixed it.. I was hoping for a t shirt at least..

Now I wished I would've abused it and blogged about it for the resume.

I found a bug (not security bug) in an apparel companies website allowing unlimited reuse of their £10 of vouchers. I reported and got a free t-shirt :)

If you can exploit it to make economic damage, would that count as a security bug?

Taken to logical extreme, that would make any black PR or reputational attack a security vulnerability.

Infosec is certainly a hefty part of business continuity, but business continuity itself is a much wider topic.

I'd say it's a bug, but not a security bug.

Someone bragging about finding Zalgo in a SERP would not impress me when reading resumes.

You can still blog about it.

I agree with their assessment. No sensitive data's confidentiality or integrity was impacted, and no availability impact to users.

Their number one source of revenue (search engine results page) could be defaced.

Exactly, it's easier to sell your bug to 'mafia boy 2020' for crypto meme tokens on some shady fraudster network than it is to fit inside the scope of the bounty offer. "This exploit is out of bounds, you receive nothing, thanks for your time"

Or "This exploit is a duplicate report that we've known about for two years and still haven't gotten around to fixing."

Not to mention in this case you're likely giving up disclosure for under $10k before taxes

or just tell you "what bug? lol that never happened..."

Great way to alienate the hacking community. That would work only a small number of times before word spread not to bother even trying that company's disclosure program.

That's how we got here. This is the word

But is it a fact, or just rumor?

It is fairly well known that certain large companies are really stingy.

I'm not into this but once discovered a kind of security related bug (could reveal details about the composition of a password typed into a new Windows 8 password field, admittedly low value as you had to have the user type in the password and leave) and later found a more interesting issue in the way an official powershell module works with Azure Information Security that makes it possible to sneak a file through unencrypted.

On the first I got a nice thank you mail and on the last I struggled so hard to report it that I gave up.

Well, the question was why someone wouldn't use the company's disclosure program, so that's the point.

Have you ever tried to participate in a bug bounty program? I've tried a couple and the experience has been consistently disappointing, but maybe there are some better ones.

There is actually a post on Twitter from a bounty hunter who got awarded $7000 dollars or so from Twitter for ATO, and he puts that in relation now to what the adversaries are getting by exploiting things.

The point is that bounty value of critical ATO kind of vulnerabilities tend to be okay-ish, but relatively low compared to what black hats could get.

Personally, I think this was an opportunistic actor, not a persistent one with a strategic goal.

> a national intelligence organization could have caused orders of magnitude more havoc with this sort of access

It doesn't need much fantasy to cause more havoc. It was speculated in another thread, but maybe the hackers held back since the manhunt is going to be far less for a 'harmless' Bitcoin scam rather than i.e. crashing $TSLA or declaring a war.

Exactly, this was the bug bounty

100k USD? Twitter's payouts aren't that impressive, <10k for account takeovers: https://hackerone.com/twitter

The income tax on that bounty would halve its value compared to Bitcoin, if they have a way to cash out that isn’t reported.

Also for example, if they’re a US student, they could lose access to benefits and loans as a result of reporting the income.

They might have expected to get more than 150k USD from the scam.

Maybe if it was the first time the scam appeared, but this is old hat now. This was possibly thrown together quickly to make the most of an exploit before the API changed. Prior to this there is no reason to assume they were not very careful with access and this was not the main money-making part of the job.

they got btc, not usd.

Yea they got a lot of btc

> Why not just go for 100k USD bug bounty, completely legal and with fame?

Not everyone believes that the existence of Twitter, in its current state as an amplification medium for the ever increasing polarisation in this world, is actually a force of good.

Helping them out with a security report might be the last thing on their mind.

True, though I’d take amplified polarization any day over what Facebook and YouTube have done for years steering vulnerable people to conspiracy content.

We can argue about which is worse, but let's agree they're all bad :)

Reporting that social engineering would allow taking over the admin panel might not lead to any payout at all.

Hackerone has non-technical people screening your exploits. They will often mark them as out of scope.

Companies will routinely downgrade the severity of your exploit so they can pay you less.

I've had enough repeated bad interactions through Hackerone that I will go full disclosure on any company that offers it as the only disclosure channel.

(If Hackerone wants to fix that: enable easy, on-platform disclosure unconditionally after 30 days. Right now, the platform is just used to pressure people into delaying disclosure or not disclosing at all.)

I would bet the attacker(s) is/are reading this thread, curious about this community's reaction on the attack and having a good laugh.

I would've guessed they would've raised more, maybe they thought so too.

How much do you think Trump's DMs are worth? Kanye's? Elon's?

Maybe Trump was protected, his tweets can certainly move markets. And while it's possible to track investments in smaller stocks, someone buying futures or ETFs on large indices to profit from that would likely be able to stay anonymous. There are way too many trades in S&P500 on a given day to find the one that sticks out.

Then that begs the following questions...

Are Twitter protecting "even higher" profile accounts? Why do they put more effort into protecting these "even higher" profile accounts? And how do they protect these accounts? And if that really is the case, and this product feature is outed during this election campaign year, then Twitter deserve a court summons.

I seriously doubt Trump's account would, or should have that much more protection than other high profile, verified accounts.

You're probably getting downvoted because of the tone you used, but I think there's a good point hidden underneath.

Trump's account is probably specially marked for two- or even three-person lock, to prevent "rogue account termination" as has already happened. So the questions quickly turn to odd angles: how many other high-profile, politically (and/or economically) influential accounts are equally protected? What criteria are used to assign the account this level of protection? Should this kind of account lock mechanism be more widely available? If yes, to whom?

I personally suspect that Twitter will eventually have to follow Google's route for high-profile accounts and identity management in general.[0] If people are using Twitter as their personal press office, the company has no choice but to accommodate.

0: https://landing.google.com/advancedprotection/

That was the point really. Was trying to post objectively, tbh. Didn't realise it might be seen as snarky, or anything of the like. I really did wonder what it might mean, if Trump's Twitter account was subject to extra protection.

If that's proven to be the case, that in itself is quite a big issue. Biden, as a leading political rival absolutely should have a right to similar protections if they exist.

Indeed, as a democracy, anyone should have access to the same level of protection. Or at the very least, all verified accounts.

That page looks nothing like the kind of security measures you're talking about. It's for people who care about good opsec, who carry around hardware keys, and think 2FA isn't just a good idea, it's a necessity. But what you really need is someone to stop the takeover of high-profile accounts run by people who pick the worst possible passwords: https://www.theverge.com/tldr/2018/10/11/17964848/kanye-west...

Right, good point. I'm relying on my memory here, but when the advanced protection program was first launched, I recall that one of the benefits of it for journalists and high-risk individuals was that changing recovery options (email address, phone number) would have always required a manual review and a confirmation round by someone at Google.

I do think that Google should subject passwords for accounts in the program to HIBP checks. By this point every major browser provides at least some kind of password manager functionality. It'll probably never be the same quality as a stand-alone, fully focused password manager product, but it must be an improvement over forcing people to memorise passwords.
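The HIBP check mentioned above works through the Pwned Passwords "range" API: the client sends only the first five hex characters of the password's SHA-1 hash and receives every known hash suffix with that prefix, so the full hash never leaves the client. The following is an added example, not code from the thread or from Google or HIBP; the network call is swapped for a constructed response so it runs offline, and the breach count in that response is made up.

```python
"""Password check against a Pwned Passwords-style k-anonymity range API.

Added example (not from the thread).  Only a 5-character hash prefix is sent;
the match against the full suffix happens locally.  The HTTP call is replaced
by a constructed response so the code runs offline.
"""
import hashlib
from typing import Callable, Dict, Tuple


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into (prefix5, suffix35)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (the real API separates lines with CRLF)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def is_acceptable(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Policy hook: reject any password that has ever appeared in a breach."""
    return breach_count(password, fetch_range) == 0


def live_fetch_range(prefix: str) -> str:
    """Real lookup against api.pwnedpasswords.com (not used by the offline demo).
    The Add-Padding header asks the service to pad the response with dummy
    zero-count entries so response size does not leak the prefix's popularity."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API response.  The first suffix is the real
# SHA-1 tail of the string "password"; the counts are invented for the demo.
CONSTRUCTED_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "003D68EB55068C33ACE09247EE4C639306B:3\r\n",
}


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for live_fetch_range; unknown prefixes yield no rows."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "a long passphrase nobody has leaked 9x!"):
        print(pw, "->", breach_count(pw, fake_fetch_range))
```

To use it against the real service, pass `live_fetch_range` instead of `fake_fetch_range`; the calling code never sees more than the prefix leave the process, which is the property that makes this check safe to run on a password the user has just typed.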

Pros: no taxes

Cons: trying to deal with 103k in bitcoin

The market cap for Bitcoin is about $170 billion; 103k in Bitcoin would be a blip in the scheme of things.

Someone moved $1 billion nearly a year ago and I don’t believe we know who made it: https://arstechnica.com/tech-policy/2019/09/someone-moved-1-...

Finding a buyer is not the problem, the problem is the buyer finding you.

Sell $200 worth a pop on LocalBitcoin.

very time consuming and risky in its own (robbery, state eventually finding out one way or another etc)

Lots of little transactions, too. Easy to hide in the noise, at least at first, but when you start throwing out tons and tons of small transactions they can start with the pattern recognition.

Still easily traceable.

Some men aren’t looking for anything logical.

Occam's razor says this is almost certainly the case. It isn't like the hacker knew that it would generate such little bitcoin being sent their way until after it failed.

Especially if the hacker is not from the US, it seems much easier to do the bitcoin hack than try to contact a company thousands of miles away that you know no one at.

Twitter's investigation suggests that this is a coordinated social engineering attack [0]. The idea that the hackers are some non-state actors and not from the US seems unlikely. [0] https://twitter.com/TwitterSupport/status/128359184646423347...

It is of note that they're claiming a social engineering attack on an internal employee; not a wide spread social engineering attack on each individual account.

Possibly blackmail?

Social engineering attacks seem to lose and gain popularity as companies spend more and then less resources against them. I would not claim state actor unless there is more proof.

The measures needed to prevent social engineering go directly against the social oil that improves cooperation between employees and departments. Verification slows down operations, requires additional work on top of what is likely an already stressed work environment, and requires training. The more a company feels safe, and the more time has passed since the last attack, the more people will lower their guard. People also tend to focus on past attacks, so while they might have been suspicious of a request to transfer money (the current most common social engineering attack), someone asking for "restoring access" might simply be seen as an innocent and common internal support request without triggering a request for identification.

I would expect that twitter will change their policy and training in order to address this, and in 10 years it will be removed in order to save time and improve response speed between departments, and churn rate will have replaced anyone with memory and training of this event. Then a new attack occurs, maybe with a slightly different target, and we repeat the cycle.

Why do employees even have access to tools that allow them to take over accounts? What use case does having this functionality provide?

Unless they're saying that there's certain people who have raw DB access...

> Why do employees even have access to tools that allow them to take over accounts?

It’s commonly done for customer service purposes at many companies and is heavily audit trailed and access controlled (if the company is doing it right).

Guess they didn't do it right here…

I’ve seen nothing so far to indicate they didn’t have heavy audit logging and access control. They just had an employee who knowingly or unknowingly violated company policy.
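The comments above describe the shape of a support tool done right: role-gated actions, a heavy audit trail, and (for a few protected accounts) a two- or three-person lock. The sketch below is an added example, not Twitter's code or anything the thread shows; the role name `account_support`, the `protected` flag, the two-approval threshold and the sample agents are all assumptions. It also hash-chains the audit log so that a later investigator can tell whether entries were removed, which is the check that matters when the question is whether an employee acted knowingly.

```python
"""Support console with role checks, a hash-chained audit log and a two-person
rule for protected accounts.  Added example, not Twitter's code; roles, the
`protected` flag and the approval threshold are assumptions."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


class AccessDenied(Exception):
    pass


class PendingApproval(Exception):
    pass


@dataclass
class Account:
    handle: str
    email: str
    protected: bool = False   # hypothetical flag for high-profile accounts


@dataclass
class Agent:
    name: str
    roles: Set[str]


@dataclass
class AuditLog:
    """Append-only log; every entry carries the hash of the previous entry, so
    an edited or deleted line breaks the chain and is detectable later."""
    entries: List[dict] = field(default_factory=list)

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor: str, action: str, target: str, outcome: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                 "action": action, "target": target, "outcome": outcome, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class SupportConsole:
    REQUIRED_APPROVALS = 2   # assumed two-person rule for protected accounts

    def __init__(self, accounts: Dict[str, Account], log: AuditLog):
        self.accounts = accounts
        self.log = log
        # (handle, requested email) -> names of agents who approved that exact change
        self._pending: Dict[Tuple[str, str], Set[str]] = {}

    def reset_email(self, agent: Agent, handle: str, new_email: str) -> Account:
        # Every attempt is logged, including the ones that are refused.
        if "account_support" not in agent.roles:
            self.log.record(agent.name, "reset_email", handle, "denied:role")
            raise AccessDenied(agent.name)
        acct = self.accounts[handle]
        if acct.protected:
            approvers = self._pending.setdefault((handle, new_email), set())
            approvers.add(agent.name)          # a set: one agent cannot approve twice
            if len(approvers) < self.REQUIRED_APPROVALS:
                self.log.record(agent.name, "reset_email", handle, "pending:two-person")
                raise PendingApproval(handle)
            self._pending.pop((handle, new_email))
        acct.email = new_email
        self.log.record(agent.name, "reset_email", handle, "ok")
        return acct


def demo() -> AuditLog:
    """Walk through the three outcomes on constructed accounts and agents."""
    log = AuditLog()
    console = SupportConsole({
        "ordinary": Account("ordinary", "a@example.com"),
        "vip": Account("vip", "v@example.com", protected=True),
    }, log)
    alice, bob = Agent("alice", {"account_support"}), Agent("bob", {"account_support"})
    console.reset_email(alice, "ordinary", "a2@example.com")
    try:
        console.reset_email(alice, "vip", "v2@example.com")
    except PendingApproval:
        pass
    console.reset_email(bob, "vip", "v2@example.com")
    return log


if __name__ == "__main__":
    for e in demo().entries:
        print(e["actor"], e["action"], e["target"], e["outcome"])
```

The point of keying the pending set on the requested value as well as the handle is that the second approver confirms the same change the first one saw; without that, the second call could silently apply a different address.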

Imagine that the hackers are also on HN looking at the aftermath discussions to plan their next move.

If past cases are any indication they're just super proud it works and at some point will want to tell someone to get validation. That's when they'll get caught.

The theory that I think is most probable is that someone got access to the hack, either by purchase or stumbling upon it, they tested it out and had a "holy shit this actually works" moment.

After this they became paranoid of the bug being fixed within hours and tried to monetise it in the quickest, easiest and safest way possible.

I believe it was found to be social eng upon an employee see


Social engineering could be very easy from within the US, e.g. if you're the neighbour of a Twitter rep working from home and can talk them into handing you their phone for a few minutes. From outside the US it's much harder, esp since an accent could make social engineering via phone less effective.

If Twitter uses the same 2FA internally as they do for customers it'd be pretty easy to take over a support account if you know of the location of an employee.

While possible, this scenario requires such a massive disconnect between the attacker's skill, connections, and luck versus their understanding of economic and geopolitical context that I would consider it among the least likely.

Such as the Max Headroom incident?

It's not uncommon for hackers to have these weird imbalances in skill and understanding.

Sounds like the 2005 hack of the Danger Sidekick (early smartphone device). I think the fellow went by the 'nym "ethics".

Dude couldn't exploit it for much, despite being able to takeover/access any account, and everything was in the cloud.

I used to have a Sidekick, I could type out texts so fast with that thing. Weren't there a few big celebrities who had their Sidekicks hacked back then?

Yes, Paris Hilton was one. I can't seem to find too much about this ethics fellow, even though I thought there was a DoJ investigation.

Ah, here's a writeup!


What would a state actor do with this? Read celebrities' DMs?

Imagine if every celebrity you knew in New York suddenly started tweeting about some kind of massive rioting.

Imagine if every verified account related to finance started tweeting “cash out your accounts NOW.”

You could easily, easily cause some pretty massive panic.

TWTR is a largeish company. I have no evidence but presume it is overwhelmingly likely that their scale a) makes getting inside the head of every employee impossible and b) fosters the right conditions for a healthy number of little agenda-ized splinter cells with various passionate motivations and whatnot.

Besides public state and company size, Twitter is also new media. And all media is information warfare. (Hmm, that sounds a bit strong, especially considering the toxicity that is the platform itself; I mean the term generically speaking.)

Weren't there cases of foreign spies discovered in Twitter ranks, or was that some other company?

Yes, it was Twitter, and the spies were working on behalf of Saudi Arabia: "Twitter employees charged with spying for Saudi Arabia by digging into the accounts of kingdom critics" https://www.washingtonpost.com/national-security/former-twit...

It was twitter. But that's largely moot -- there are almost certainly spy-espionage types in a lot of large tech companies. Mostly for siphoning off tech secrets, but I'm sure having someone with root access to some $SYSTEM is useful for political purposes too.

If I were a state actor, I would compromise the accounts of personalities that POTUS follows towards the end of Hannity on a day meaningful to my state.

Most of the adults are asleep and there are any number of things you could write to trigger some sort of shitstorm from POTUS.

Are you really asking that? Trump announces most of his policies live on twitter, can easily announce something that would have a huge influence on the stock market. Multiple examples of companies, Elon Musk, etc doing major announcements on twitter.

Yeah, this hack is a wakeup call. It could have been so much worse. Next time it probably will be.

Quite true. Maybe some unscrupulous 19 year old with average understanding of tech, who happened to have access to the right tools at the right time.

Yeah, like altering a POST variable.

Never attribute to malice what is easily explained by incompetence.

Hanlon's Razor BOIIII

The result of the 'mistake' is extremely specific. But you're right. You can never rule that out.

mafia boy 2.0

Someone got mugged with their phone unlocked and the mugger had a friend who was into bitcoin.

Too diverse and high-profile to be a physical attack by small fry.

"...from the accounts of Gemini, Binance, KuCoin, Coinbase, Litecoin's Charlie Lee, Tron's Justin Sun, Bitcoin, Bitfinex, Ripple, Cash App, Elon Musk, Uber, Apple, Kanye West, Jeff Bezos, Michael Bloomberg, Warren Buffett, Barack Obama and CoinDesk."

Apple was interesting because they have 3.8m followers and zero tweets. Maybe they've never tweeted. But today they did.

Someone in this thread said their tweets don't show up in their timeline because they usually promote their tweets.

My guess is that a Twitter insider sold access.

I bet the reason Trump didn't get hacked was because he is special-cased in the Twitter system to avoid insider vandalism which protected his account from this insider attack.

I believe you are right, a rogue Twitter employee had previously[1] deleted Trump's account. So there must have been some special protection to prevent it from happening again.


I find it interesting that this kind of protection isn't the default.

It probably involves one or two humans reviewing anything suspicious.

Agreed, it could be as simple as someone at Twitter calling someone in the White House every time someone logs into the account. (The White House has a ton of staff, I met some of their IT people at a conference back in the day.)

Get admin access from unlocked phones, make a bitcoin wallet, use admin access to send tweets with double-your-bitcoin tweet. Start thinking up accounts you think would work well for it and start going through them one by one.

I’m guessing DMs were the real loot. The public display with the BTC diversion validates any DMs that were stolen. Otherwise blackmail targets could deny them.

These are publicly managed Twitter accounts, they probably don't have any DMs of substance.

I'll bet that Bill Gates doesn't have much on his Twitter, but I'll also bet Elon Musk has some crazy DMs.

Then again, the market for crazy is pretty saturated these days. Hard to see how to monetize it, at least in Musk's case.


They potentially had access to any account they wanted. You don't know that they weren't snarfing DMs on interesting accounts while having the celeb accounts panhandle for bitcoin after.

Is Musk's account really publicly managed? He probably has an agency helping him but I doubt he'd use another account for DMs.

You'd be surprised. Some celebrities might engage in salacious activities via DM but even the most boring corporation can have lots of customer information in support chats.

I think that's the case. No prominent Republicans were targeted. See: Watergate, Wikileaks DNC emails. Same shit.

Or they were but it was kept secret. Twitter hasn't published a list, we only know of the BTC tweets. Maybe they actually were after other accounts' DMs and the tweets are just diversion to make it seem like an undirected attack.

Unless we hear from account holders that their credentials weren't stolen, there's no reason to believe that only those were hacked that sent tweets.

Except that is all the evidence we have to go on for this conversation. Verified fake tweets have been sent from prominent democrats, and not from any prominent republicans.

Of course you're right that we don't know is if this is political, or just a distraction from whatever their real goal is / was. But the optics are clear here, and there is no reason to muddy the waters.

If DMs were the real loot, they wouldn’t have exposed the hack by tweeting on the account.

If DMs were the real loot, the tweets were a "proof of work" (to show the accounts had really been owned).

You can prove you have 'blackmail materials' just by proving you own the bitcoin wallet.

They needed to reset credentials so this could've never been a stealth attack. By making it public, any later leak of DMs is much more likely to be accepted as authentic. Without that, most people would've doubted the authenticity of leaked material.

Precisely. And who's to say which leaked DMs are real and which ones are faked? If you're interested in this kind of stuff, I recommend the book Active Measures.

Perhaps it is a form of proof that they actually have access to the accounts and thus the DMs. Just posting claimed DMs that can be deleted and denied has a lower probability of being believed.

Data theft like that is normally silently dumped after the breach occurs and anyone knows what happened.

This looks more like data injection somewhere. Perhaps an old API exploit. You used to be able to send an SMS to tweet, for example.

Kill 2 birds with one stone? Once you stole the data why not double-dip and make extra money by pulling a scam?

What does "DM" mean in that context?

(Went to wikipedia, but their suggestions like Death Metal and Dance marathon are probably not it ;) https://en.wikipedia.org/wiki/DM )

Direct messages - so private messages to and from

Interesting theory, but then why would they include Apple? Among others in the list, they’re almost guaranteed to be of no value and only increase the risk.

Interesting theory, but this widespread hack pretty much gives most people plausible deniability in my opinion.

Blackmail targets could still deny them.

What was done was a guaranteed method of getting the method/exploit fixed in record time. If the perpetrator wanted to demonstrate, they would have targeted someone inconsequential that would not have put the problem on twitters radar. They blew their whole wad, likely on purpose, and there is nothing else planned.

Yeah, the idea that this is an initial step in something bigger doesn't make sense.

If they wanted to exfiltrate data, they already did that previously.

They very loudly burned their access, this seems a lot more like someone trying to monetize their access quickly before their access token expires - squeezing out the last few drops before they can no longer get into the system.

I don't know the number of accounts affected, but there seem to be many, and there are multiple unique messages. Richer accounts offered to "double" BTC up to greater amounts than poorer accounts, some messages refer to "fans" and others refer to the bitcoin community.

Someone (or someones) had to configure a message for each victim, they had to write the script to send all the tweets simultaneously, they probably had to test the script, they had to execute it. To me, that says they had enough time to think about what they were doing and weren't racing a very short expiration clock.

If I were at twitter I might try to investigate by looking for accounts that they might have used to test their script. If you could look for something like multiple accounts tweeting the same thing within 1 minute, in the past couple weeks, you could turn up some candidates for test accounts. You could further refine that by checking the messages sent, follower counts, etc. Maybe the hacker will leave behind clues on the script test account.

It was only a couple dozen accounts right? They could have just had a bunch of browser windows up and hit send all at the same time. This is a very low-effort scam, all they really had to do was tweet their wallet address.

No, I was watching the tweet stream for this address. It was sent out on hundreds or thousands of accounts. Dozens of high profile accounts sounds correct.

> If you could look for something like multiple accounts tweeting the same thing within 1 minute, in the past couple weeks, you could turn up some candidates for test accounts

I think this would turn up a lot more results than you bargained for.

I think it could be easy enough to pare down programmatically. You'd have to search by adding things like:

* 5+ accounts tweeting exactly the same message

* Not using the mobile app

* Fewer than 10 followers

* Fewer than 10 following

* Liked fewer than 10 tweets

* Retweeted fewer than 10 tweets

* Accounts created within 24 hours of each other

* Account creation metadata is similar

* Account less than 1 month old

You could probably come up with more criteria to help narrow the scope and play with the numbers. I would bet that you probably come up with hundreds to low thousands of accounts fitting those criteria at most. You could spend an hour scrolling through them looking for something suspicious - and I don't think it would take too long to put this kind of thing together if you had database access.
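The two comments above amount to a detection query: find bursts of identical tweets from several accounts within a minute, then keep only accounts that look like throwaways. The code below is an added example, not Twitter's tooling or anything from the thread; it applies those criteria to constructed account and tweet records, and the field names, thresholds and sample data are assumptions. It generalises slightly beyond the list by using a sliding time window rather than fixed one-minute buckets, so a burst straddling a minute boundary is still caught.

```python
"""Hunting for a scam script's test accounts with the heuristics from the thread.

Added example, not Twitter's code.  Records, field names and thresholds are
constructed for the demo."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccountMeta:
    handle: str
    created: datetime
    followers: int
    following: int
    likes: int
    retweets: int


@dataclass(frozen=True)
class Tweet:
    handle: str
    text: str
    ts: datetime
    source: str          # assumed client label, e.g. "web", "api", "mobile"


def looks_throwaway(a: AccountMeta, now: datetime,
                    max_count: int = 10, max_age: timedelta = timedelta(days=30)) -> bool:
    """Fewer than 10 followers/following/likes/retweets and under a month old."""
    return (a.followers < max_count and a.following < max_count
            and a.likes < max_count and a.retweets < max_count
            and now - a.created < max_age)


def same_text_bursts(tweets: List[Tweet], window: timedelta = timedelta(minutes=1),
                     min_accounts: int = 5) -> List[Tuple[str, Set[str]]]:
    """For each distinct text, slide a time window over its tweets and report the
    largest set of distinct accounts that posted it within `window`."""
    by_text: Dict[str, List[Tweet]] = defaultdict(list)
    for t in tweets:
        by_text[t.text].append(t)
    bursts = []
    for text, group in by_text.items():
        group.sort(key=lambda t: t.ts)
        best: Set[str] = set()
        i = 0
        for j, tj in enumerate(group):
            while tj.ts - group[i].ts > window:
                i += 1
            handles = {t.handle for t in group[i:j + 1]}
            if len(handles) > len(best):
                best = handles
        if len(best) >= min_accounts:
            bursts.append((text, best))
    return bursts


def find_test_account_candidates(tweets: List[Tweet], accounts: Dict[str, AccountMeta],
                                 now: datetime, min_accounts: int = 5,
                                 creation_spread: timedelta = timedelta(hours=24)
                                 ) -> List[Tuple[str, List[str]]]:
    """Apply every criterion from the list: same text, not mobile, throwaway-looking
    accounts, and all of them created within 24 hours of each other."""
    non_mobile = [t for t in tweets if t.source != "mobile"]
    results = []
    for text, handles in same_text_bursts(non_mobile, min_accounts=min_accounts):
        kept = sorted(h for h in handles
                      if h in accounts and looks_throwaway(accounts[h], now))
        if len(kept) < min_accounts:
            continue
        created = sorted(accounts[h].created for h in kept)
        if created[-1] - created[0] > creation_spread:
            continue
        results.append((text, kept))
    return results


# Constructed sample: six throwaway accounts rehearsing a message over 40 seconds,
# and six established accounts posting a common phrase from a phone.
NOW = datetime(2020, 7, 15, 22, 0)
SAMPLE_ACCOUNTS: Dict[str, AccountMeta] = {a.handle: a for a in [
    *(AccountMeta(f"tmp_{i}", NOW - timedelta(days=5, minutes=7 * i), 1, 2, 0, 0)
      for i in range(6)),
    *(AccountMeta(f"person_{i}", NOW - timedelta(days=900 + i), 500 + 40 * i, 300, 2000, 150)
      for i in range(6)),
]}
SAMPLE_TWEETS: List[Tweet] = [
    *(Tweet(f"tmp_{i}", "rehearsal message 1", NOW - timedelta(days=3, seconds=8 * i), "web")
      for i in range(6)),
    *(Tweet(f"person_{i}", "good morning twitter", NOW - timedelta(days=1, seconds=5 * i), "mobile")
      for i in range(6)),
]

if __name__ == "__main__":
    for text, handles in find_test_account_candidates(SAMPLE_TWEETS, SAMPLE_ACCOUNTS, NOW):
        print(repr(text), handles)
```

On real data the "same text" criterion should be relaxed to a normalised form (case, whitespace, URLs stripped), and the client-label filter depends on whatever source field the platform actually records; both are the knobs the commenter meant by "play with the numbers".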

Or someone bragged about their super awesome access to Twitter on some IRC or Discord channel, posted proofs which unintentionally leaked the session tokens / exploit to others and the whole bunch of kids went crazy due to fear of missing out on the event of the century. Basically like all these seemingly normal people that suddenly turn into looters when all hell breaks loose.

and they all happen to use the same BTC address?

They used multiple wallets. They also posted a bunch of useless/ridiculous comments and memes, not sure why anyone would do that if the attack was carefully planned and automated.

And by burning their access they could make sure nobody else is able to use that exploit to exfiltrate data

Very loudly indeed. Think message sent or stocks shorted.

Unless they already did their exfil.

Yep. If they did exfil, it would make sense to do before they tweeted. I expect we'll see solicitations offering to sell a copy of DMs from the affected accounts - even if the hacker didn't exfil, the public doesn't know that and opportunistic scammers may try to pose as the hacker to get BTC.

Interestingly, by tweeting a bitcoin address, the hacker could authenticate themselves to 'potential buyers' by accurately describing future transfers of bitcoin from the tweeted address.

> accurately describing future transfers of bitcoin from the tweeted address.

No need to do this, just sign a short piece of text with the private key.
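An added example of that signing approach, not code from the thread: textbook ECDSA over secp256k1 plus Bitcoin's signed-message hashing, with a constructed demo key. It skips address derivation (RIPEMD-160, Base58Check), so verification here is against the public key point; a buyer would additionally hash that point into an address and compare it with the one in the tweet.

```python
"""Prove control of a Bitcoin key by signing a challenge, instead of
predicting future transfers.

Added example, not from the thread. Textbook ECDSA over secp256k1 with
Bitcoin's "Bitcoin Signed Message" hashing; the private key below is a
constructed demo value. Address derivation is omitted, so the verifier
checks against the public key point.
"""
import hashlib
import secrets

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, point):
    """Double-and-add scalar multiplication (not constant-time: demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, point)
        point = _add(point, point)
        k >>= 1
    return acc


def _varint(n):
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    return b"\xfe" + n.to_bytes(4, "little")


def message_digest(msg: bytes) -> int:
    """Bitcoin signed-message hash: dSHA256(varint|prefix|varint|msg)."""
    prefix = b"Bitcoin Signed Message:\n"
    data = _varint(len(prefix)) + prefix + _varint(len(msg)) + msg
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")


def pubkey(priv):
    return _mul(priv, G)


def sign(priv, msg, k=None):
    """ECDSA signature (r, s) with low-S normalisation. The nonce is random
    unless the caller passes one (tests do); wallets derive it per RFC 6979."""
    z = message_digest(msg)
    while True:
        nonce = k or secrets.randbelow(N - 1) + 1
        r = _mul(nonce, G)[0] % N
        s = pow(nonce, -1, N) * (z + r * priv) % N
        if r and s:
            break
    if s > N // 2:
        s = N - s
    return r, s


def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = message_digest(msg)
    w = pow(s, -1, N)
    point = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return point is not None and point[0] % N == r


# constructed demo key; never use a key that has appeared in public code
DEMO_PRIV = int.from_bytes(hashlib.sha256(b"hn-thread demo key, not real").digest(), "big") % N
CHALLENGE = b"buyer nonce 7f3a: I control the address tweeted on 2020-07-15"

if __name__ == "__main__":
    sig = sign(DEMO_PRIV, CHALLENGE)
    print("signature verifies:", verify(pubkey(DEMO_PRIV), CHALLENGE, sig))
```

The buyer picks the challenge text (a fresh nonce), so a captured signature cannot be replayed against someone else, and the signer never has to move coins or reveal anything beyond the signature.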

Nope. They're actually getting away with quite a big loot!

The number of unconfirmed transactions has catapulted from ~9k to about ~50k right now, which means there's a large amount of activity.

It will take a while for the dust to settle.

You can watch them here https://www.blockchain.com/btc/unconfirmed-transactions

chart https://www.blockchain.com/charts/mempool-count

A better graph of the current transactions sitting unconfirmed: https://jochen-hoenicke.de/queue/#0,24h

Note: I'm not saying that these are all from the hack, I'm saying that the activity on the Bitcoin blockchain has significantly spiked, and the hack was still ongoing at the time of writing this.

I'm a little unclear, is the following correct?

So basically randos are sending famous people bitcoin because the famous people tweeted "send us $$ and we'll send you double back"?

And somehow the randos haven't heard of the hack. Is this what's happening? Like, are random people seriously sending them bitcoin? Or is it some weird form of money laundering?

Although since that's very weird behavior even if there was no hack, I suppose I'm not too surprised that those people sending the coin haven't heard of the hack.

I find myself confused by this as well, surely people who are sufficiently technically sophisticated to own bitcoin won’t fall for “I’ll send you bitcoin if you send me yours first”?

I assume the victims aren't technically-sophisticated bitcoin owners. I had previously told a family member that I had a little bit of cryptocurrency, and then a few months ago they messaged me asking how to buy some bitcoin. I prodded them a bit, and it turned out that they had seen a scam somewhat like today's. I was able to stop them and explain the scam. Presumably if they hadn't asked me, they might have figured out how to buy some on their own and then sent it to the scammer.

My Uber driver in Sydney told me he was converting all his money into crypto because he thought the fiat system was gonna crash. He was not technical. Lots of semi tech literate crypto people out there.

That's like the Kennedy-shoe-shine-boy thing. Kid on the street starts asking Papa Kennedy about some hot stocks he heard of and Kennedy realizes everything is wayyy too overheated and pulls out. Market implodes a little while later, and Joe is able to buy up whatever he wants.

Very similar alright. I felt so conflicted listening to him because I knew nothing I would say would change his mind so I just kept quiet. He was a pensioner trying to save to leave something for his progeny. Kind of heart breaking.

receiving bitcoin on a wallet advertised on hacked accounts does not seem like a very effective mode of money laundering, imho

It's reverse money laundering! Take legit money and dirty it by faking a scheme where it was stolen due to a scam.

Money smudging? :-)

Zoom out and you see that this is normal every ~14 days.

Also number of transactions is in no way related to amount of money being transferred.

Question (I'm not an expert): can unconfirmed transactions be withdrawn? If so, what's the timeline?

There are 2 stages in sending bitcoin:

1) You submit a transaction to the mempool. It may take a couple of minutes for a miner that "liked" your transaction to include it in a block. While in this stage, the receiver technically does not have anything yet, so it is impossible to use the coins in any way.

2) The transaction gets put inside a block. Generally, most vendors would say the transaction is "unconfirmed", although technically it is now in the ledger. There is a small chance that due to inconsistencies and network latency the block gets orphaned and the replacing block does not include the transaction. If you are a vendor and start shipping products immediately after your money is put into the ledger, you open yourself to a range of possible attacks. For this reason most wait two or three more blocks, just to be sure.

To answer your question: after a block gets created and the scammer receives his crypto, albeit still in an unconfirmed (read as "young") block, they can start using it however they decide to. A small chance that their actions get reverted exists, though.

You took a lot of effort to be wrong, man.

Unconfirmed transactions cannot be withdrawn. A transaction that is already in at least one block is confirmed by definition; the act of being included in a block results in a confirmation.

Unconfirmed transactions can be "cancelled" by double spending the coins in the unconfirmed transaction.

You could issue a double spend transaction that goes to another wallet you control with a higher fee and the network will probably apply that one first.

Yes. Some wallets allow you to use "Replace by Fee" protocol, which allows you to do that.

So we're likely talking some 50-100 million of dollars being stolen? Insane.

It's only at 12 bitcoin ($120k) right now. (serious question) why do you think it could be as high as $50 to $100 mm? Is there a way to see the total including unconfirmed transactions?

I think longtom read this as 9k-50k BTC rather than as 9k-50k transactions.

No. No one is saying that.

I'm not saying that these are all from the hack, I'm saying that the activity on the Bitcoin blockchain has significantly spiked, and it looks like a very large number of transactions have yet to be confirmed. So any amount so far is just the beginning - more is sitting in the mempool ready to be confirmed.

Hang on... is it “stolen”? If you trick some people into giving their money to you, it’s unethical, but you didn’t force them to hand you their money against their will.

I would say “taken” is fair; but “stolen” isn’t exactly right.

Plus there is no way it will be that much.

If I dress myself like a valet and you hand me your car keys in front of a hotel, am I stealing the car when I drive off?

Well in this case people intended their money to go one place, but they got tricked and it ended up in another. I'd call that stealing.

Whether it got technically stolen from the charity or whatever they meant it to go to or from the original owner, that's debatable.

For example, historically the UK had "Theft By Deception" a type of theft in which the requirement is that you deceive people, intentionally, in order to permanently deprive them of something of value rather than just taking it.

This was replaced by modern Fraud crimes this century. The new crimes reduce what prosecutors need to show somewhat. With "Theft by deception" there can be a problem if the prosecutor struggles to show that the defendant actually permanently deprived the victim of something of value, especially if the victim realised there was a problem in time to use some sort of "claw back" mechanism. With Fraud the prosecutor can show that the defendant intended to gain even if ultimately that didn't work, so long as the deception actually happened the crime was not merely attempted.

All these Tweets are Fraud by False Representation under that replacement law, because the tweet deliberately pretends to be from somebody (e.g. Apple or Bill Gates) when it's actually from the perpetrator of the crime and it's clear that they intended to gain from getting Bitcoin sent to this account even if a prosecutor can't prove how much they actually made.

Well, in a way it is: the point of the verification check box is authenticity that Twitter is supposed to guarantee, and this breaks that trust.

Yep, theft by fraud is still theft.

If I ask you to give me a loan and I say I'll pay it back with 100% interest in a few days, and then I run away with your loan and never pay it back, then yes, it's stealing.

That's all that's happening here, except in units of BTC and not USD...

The username is pleasingly appropriate for the comment.

Twitter's API is being updated within the next day. This is likely hackers abusing a known exploit in the current API before the changeover.

1) https://twitter.com/TwitterDev/status/1283068902331817990?s=...

Keeping in mind the attackers will not be able to perform this stunt again through the same attack vector, it could also simply be that the attackers overestimated how much they would make from this attack.

I doubt that. For one, they wouldn't be reusing the crypto messages from the past which have been seen by everyone on twitter a thousand times. I ignore based on tweet rather than looking at who tweeted it most of the time. So they at least would write new messages if they were after money.

There are so many ways to make money that even a dumb person could find something better than posting crypto ads without compromising on opsec.

Yeah, but Twitter will surely:

a) fix the bug if it‘s in their APIs

b) roll out a framework to be able to respond quickly in the future. Like a regex on their edge servers.

That scam existed before. Youtube had this issue already.

I think they have proven that it works with thousands of YouTube videos with the same scam and basically the same operating mode (impersonating famous people). They have made quite a lot of money.

So they are probably on at least their second attack vector by now.

I mean, who knows, based on the massive number of imposter YouTube stream BTC giveaway scams, this might be a whole sub-industry in India by now. Similar to fake virus scams etc.

Or it could be an attack on Twitter itself. Jack's policies are not loved by a few folks in the WH. Just speculating.


Twitter's stock was down by some major percentage because of this incident. It could be a way to earn bigger and "legal" money by having prior knowledge about this incident.

Wow that's brilliant. I didn't think of that. If someone had a non trivial amount in stock shorts, they could stand to make an exorbitant amount of money.

Quite possibly this isn't a hack and someone got a Twitter admin's account, then got access to the admin panel and "all" accounts without having to hack much of anything.

If there is such a level of privilege in Twitter's stack, that says a great deal about their technology. Insiders must not be able to act as users except in prescribed ways requiring two-person control, logged and 100% audited. Glass-breaking privilege escalation should set off every pager in the company.

Sorry, but would you mind expanding slightly on how you would implement such a system?

In my understanding, once you remove all the layers of abstraction, at some point it's a bunch of databases and data stores. Someone has to manage them. Why wouldn't a breach of those users be able to do whatever they want?

And at a higher level, someone is writing the code to implement such a stringent access system. Why wouldn't a breach of those users (or a rogue employee) be able to accomplish bad things?

Glad you asked. "There is a database and some guy is the DBA" is a very outdated architecture that can get you passing grades as an undergraduate and that's about all it's good for. You should not take as a given that the right to modify datastores falls ultimately upon some individual. It is possible to permanently discard this ability, and organizations should strive for that.

I'm guessing you work/have recently worked at a big tech company (FANG or one of the ~5 other companies of comparable size) and are seriously overestimating how common their best practices are. Unless by "passing grades as an undergraduate" you mean "bonuses and promotions at a majority of the companies that handle your data every day"

G did not really get serious about infrastructure security until after the China hack (and more so after NSA/Snowden) and didn't really get serious about insider risk until after "gcreep". Still, I don't understand the reluctance of the industry at large to learn the lessons of other people's failures. Why does each company need to separately discover that insider risk cannot be prevented by recruiting, it has to be prevented in code and hardware?

Building a large-scale information system is like building a nuclear power station. There are a million ways to screw it up and only a few recognized right ways. If you ignore the best practices, it will eventually destroy your company and harm your users. Twitter have nuked themselves here. How can they come back from this? It sure looks like an insider risk mitigation system would have been money well spent.

I think you're a bit starry eyed about Google.

I had a fairly high level of Gmail and Gaia administrator access for a while when I worked there, including the post Snowden era. Resetting the password on an account would indeed trigger an audit event, and I'd be asked what was going on. I could provide any plausible sounding reason and that was sufficient, it wasn't really investigated. And that was the right level of oversight because as far as I know nobody with that kind of access ever abused it by making up a plausible sounding reason.

Stopping bad insiders is really hard. Attempting to do it makes most organisations totally dysfunctional. There is one very famous kind of company that combats bad insiders regularly and with huge quantities of systems - a bank. Investment banks in particular. Whenever you read about 'rogue traders' they inevitably had to do a lot of stuff to disable all the various security systems trying to catch rogue traders.

Institutionally distrusting your own employees can lead to seriously messed up IT systems. It's one of the reasons that bank employees are notoriously unable to access so many ordinary external websites, or services like Slack. It's how you can get "administrators" that can't read the logs of the service they supposedly administer. Encrypted messaging services in particular are poison to an org that's trying to stop employees exfiltrating valuable data. Google can just about do a good job of it because it has an essentially unlimited budget, which it spends on rolling its own tools for absolutely everything and integrating it all into one uber-architecture. From an economics perspective this makes no sense - comparative advantage etc - and thus basically no other company can do it that way. They have to buy or deploy open source tools that use a wide array of threat models and security systems but 95% of them will assume a trusted admin. Then try and hack things on top to restrict what rogue admins can do. It's deeply unpleasant.

Having been in several situations - as Gaia admin, working for big budget low competence IT for a "major" company, and as a shoestring SRE on a household name that's still held together by duct tape in some corners - it's weird what is obvious, what is possible, and what level of escalation would be required for what kind of attack. It would have been possible and even trivial for me to impersonate a user at any of the three. At Google, I would have left indelible tracks that would have gotten me fired, see Gcreep (whom, oddly enough, I replaced - I was the next SRE hire at Google Kirkland after he'd been sacked). At the largeco, the tracks would have been indecipherable; nobody would have been able to notice. The logging wasn't there. The ability to analyze what logs they had wasn't there. As a shoestring engineer, I'm pretty sure I would have clear knowledge of who did what if something were discovered, but I would have a significant problem finding it unless something were obviously wrong. I know I can't stop a rogue admin; my team is small enough and needs to react fast enough that we can't spare time for access controls or break-glass, even if they were handed to us on a silver platter.

I'm quite concerned about what that means and what this means, and I'm watching this intently. Probably for nothing; I know this is in the realm of risk we're unprepared for, and can't prepare for. Darned if I don't worry anyway.

Because it is expensive?

Yes, that might be a bad trade in the long run, but history has shown us times and times again that people are bad at evaluating those risks.

That's not what I meant, sorry. How do you implement such a system? So there's a team to manage the datastores, but that changes nothing about the fact that on some level someone somewhere has root passwords and/or filesystem access and/or the ability to modify the fleet.

We all know access controls and multiple operators are good, yeah. But at the heart of it is still a bunch of Linux machines that have to be managed and deployed to. Which as far as I know has no mechanism for checking with operator x before running a command from operator 0.

I know nothing about twitter's architecture but it could be:

- at-rest encryption of the datastores with the content encryption key protected by a HSM. A KMS (key management system) would be the interface to retrieve the key, with access control enabled. An even better solution would be to have the HSM cipher/decipher the data directly, thus the encryption key would never leave the HSM (or the encryption key is also ciphered by the HSM). But performance-wise it is not realistic.

- in-transit encryption from the client to the datastore. More likely no end-to-end encryption, thus allowing admins who have access to encryption termination hosts (reverse proxy, Twitter backend app, datastore, etc.) to read (and maybe alter) the data by doing memory dumps

- access control for datastore operations: allowing only the twitter backend and some privileged users to read/write in the datastores, etc.

Doing end-to-end encryption from the client to the datastore with a key per client is possible but it would make the solution very complex to operate and not performant.

Your comment got me thinking: what does Twitter's infrastructure look like. This is from 2017, so I'm sure it's changed since then, but I found it interesting: https://blog.twitter.com/engineering/en_us/topics/infrastruc...

AWS KMS has a great whitepaper explaining how they do it here: https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Detai...

The tl;dr is that they use hardware security modules (HSMs) with quorum-based access controls. Any administrative actions such as deploying software or changing the list of authorized operators requires a quorum of operators to sign a command for that action using their respective private keys.

While this system was designed specifically around protecting customers' private keys, you could imagine a similar system around large databases.
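An added example of that quorum idea applied to the "act as user" operation discussed upthread (not Twitter's or AWS's code). Approvals are HMAC tags under per-operator secrets, a stand-in for the asymmetric keys on tokens or in an HSM that the KMS paper describes; the clock and pager hooks are injectable so the policy can be tested. Operator names, the request fields and the ticket id are constructed:

```python
"""Two-person control for a privileged 'act as user' operation.

Added example, not Twitter's or AWS's code. A privileged request (reset a
user's password, post as a user, ...) runs only when a quorum of distinct
approvers, none of them the requester, has signed that exact request within
a time window; every attempt, granted or refused, is appended to an audit
log and pushed to a pager hook. Assumption: approvals are HMAC tags under
per-operator secrets, standing in for asymmetric keys on hardware tokens.
"""
import hashlib
import hmac
import json
import time

QUORUM = 2
APPROVAL_TTL = 600   # seconds an approval stays valid
CLOCK_SKEW = 60      # tolerated future-dated approval, seconds


class BreakGlassController:
    def __init__(self, operator_secrets, quorum=QUORUM, clock=time.time, page=None):
        self._secrets = dict(operator_secrets)   # operator -> bytes; off-box in reality
        self.quorum = quorum
        self.clock = clock
        self.page = page or (lambda entry: None)  # wire to "every pager in the company"
        self.audit = []                           # append-only; ship to a separate log system
        self._consumed = set()                    # request ids already executed (no replay)

    @staticmethod
    def request_id(request):
        """Canonical hash so an approval binds to one exact request."""
        canon = json.dumps(request, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canon).hexdigest()

    def _tag(self, operator, rid, ts):
        msg = f"{rid}|{operator}|{ts}".encode()
        return hmac.new(self._secrets[operator], msg, hashlib.sha256).hexdigest()

    def approve(self, operator, request, issued_at=None):
        """An operator approves one specific request at one point in time."""
        ts = int(self.clock() if issued_at is None else issued_at)
        return {"operator": operator, "ts": ts,
                "tag": self._tag(operator, self.request_id(request), ts)}

    def _valid(self, approval, rid, now):
        op = approval.get("operator")
        ts = approval.get("ts", 0)
        if op not in self._secrets or now - ts > APPROVAL_TTL or ts > now + CLOCK_SKEW:
            return False
        return hmac.compare_digest(self._tag(op, rid, ts), str(approval.get("tag", "")))

    def decide(self, request, approvals):
        """Pure policy check: who validly approved, and is that enough?"""
        now = self.clock()
        rid = self.request_id(request)
        approvers = sorted({a["operator"] for a in approvals
                            if a.get("operator") != request["requester"]
                            and self._valid(a, rid, now)})
        granted = len(approvers) >= self.quorum and rid not in self._consumed
        return {"ts": int(now), "request_id": rid, "request": request,
                "approvers": approvers, "granted": granted}

    def execute(self, request, approvals, run):
        """Log and page on every attempt; run the action only if granted."""
        entry = self.decide(request, approvals)
        self.audit.append(entry)
        self.page(entry)
        if not entry["granted"]:
            raise PermissionError(
                f"denied {entry['request_id'][:12]}: approvers={entry['approvers']}")
        self._consumed.add(entry["request_id"])
        return run(request)


if __name__ == "__main__":
    # constructed operators and request
    ctl = BreakGlassController({"alice": b"a-secret", "bob": b"b-secret", "carol": b"c-secret"},
                               page=lambda e: print("PAGE:", e["granted"], e["approvers"]))
    req = {"action": "reset_password", "target": "@some_verified_user",
           "requester": "alice", "ticket": "INC-4242"}
    print(ctl.execute(req, [ctl.approve("bob", req), ctl.approve("carol", req)],
                      lambda r: f"reset {r['target']}"))
```

What the policy enforces: the requester cannot count toward their own quorum; an approval binds to the canonical hash of the exact request, so changing the target invalidates it; approvals expire; an executed request cannot be replayed; and every attempt is logged and paged whether or not it was granted, which is the "set off every pager" property rather than a silent denial.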

> someone somewhere has root passwords

Not necessary

> or filesystem access

Also no

> or ability to modify the fleet.

Not that either. It feels like the conversation around these things is stuck in the far past. Large-scale organizations can and have driven the number of people with root passwords to zero. "Filesystem access" shouldn't be as easy as you're implying and it also shouldn't be of any use, since everything in the files ought to be separately encrypted with keys that can only be unwrapped by authorized systems.

Even the last thing you said about Linux systems starting processes ... even a minor application of imagination can lead you to think of an init daemon that can enforce the pedigree of every process on the machine.

I don't think this is going anywhere. You just keep dodging the question while acting elitist about a topic it is becoming clear you don't actually know much about.

The software has to get there somehow. The images have to get created somehow. The databases need to stay running somehow. At the end of the day they are machines that need to be managed. Just because you don't have people SSH'ing in and SFTP'ing files around changes nothing about that. And I'm not talking about doing that anyway, or any of the other things you keep telling me I don't understand are bad practice (you're wrong).

Hand waving and mumbling 'old tech, newb' doesn't help in the slightest. I've been writing software with a small side of infrastructure management for 10+ years. Not all of us work at FAANG and magically know how things work on that scale.

Thanks anyway.

> Not that either. It feels like the conversation around these things is stuck in the far past. Large-scale organizations can and have driven the number of people with root passwords to zero. "Filesystem access" shouldn't be as easy as you're implying and it also shouldn't be of any use, since everything in the files ought to be separately encrypted with keys that can only be unwrapped by authorized systems.

OK, what about the people who have physical access?

> even a minor application of imagination can lead you to think of an init daemon that can enforce the pedigree of every process on the machine.

Who watches the init daemon?

> OK, what about the people who have physical access?

What about them? Nothing about physical presence should lead to userdata access, nor the ability to act as users, if the application-layer security is squared away. In any case, physical security is by far the easiest of these topics to handle. Keeping people out of buildings is a human undertaking with 1000s of years of solid doctrine.

> Who watches the init daemon?

Another important question! If you don't know what's running on your box, you really don't have a security story at all.


Okay... but there is a database, right? And this database is managed in some fashion?

Presumably this database runs on some machine? And this machine was logged into in order to install and setup the database?

One can trade data navigability and a performance hit for opacity of content.

Encrypted rows of data are meaningless to an "admin" that can query to its heart's content but will never be able to decrypt the result set. On the other hand, the layers on top (such as the web-tier that emits the plaintext) may have the keys to decrypt, but lack the privs to run around in the database; from that level, they must pass along the user's credentials to obtain user specific content.

Since people don't search by content on Twitter (afaik) and only 'meta-data' indexes are used (such as hash-tags, follower, following, date) this is entirely doable for something like Twitter.

There is also 'Homomorphic Encryption', but I'm not sure the tech there has reached acceptable performance levels.

Why any of that stuff? Do you think there's some guy who goes around installing spanserver on thousands of machines in GCP?

> requiring two-person control, logged and 100% audited

That would be good from a security perspective, but it would cost additional training, require more support staff, increase response time between request and resolve, make the system more complex and possible fragile, and take development resources away from profit centers.

Most companies likely have, at best, the same security at their internal support center as at their accounting department, and given how common CEO fraud is, it means social engineering will likely continue to be a major attack vector for a long time.

this assumes two things: that there is a security model that would prevent this attack that they should have implemented, and that alarms _weren't_ set off. Both of those are weak assumptions.

I don't think parent was assuming those measures are implemented. They were saying that they should be implemented and if they are not, it betrays seriously poor security posture at Twitter.

Based off the NYT article on the stunt this morning, I believe you are correct. It was a social engineering hack. https://www.nytimes.com/2020/07/15/technology/twitter-hack-b...

After one incident of insider account tampering their entire response was "we must protect Donald Trump's account."

If you do that to a head of state it's very visible and leads to major changes.

Same as when a journalist in the UK got a temp job in BT's office in Edinburgh and looked up the Queen's unlisted phone numbers at Balmoral; it led to a major security incident and massive changes.

I bet you in this case not a lot changed. As you can see tons of accounts weren't "protected."

In BT it was 3 months later and the only way I could get in that building was if I was personally vouched for by someone the security guards knew.

This was a v high profile project we had two board members as sponsors.

Later on I knew that some team leaders had to be Vetted and this is Developed Vetting - this is the same as TS clearance

I could see this happening in FANG companies too.

Or a distraction while a bigger hack is going on?

Without knowing what they have access to, it's hard to tell.

If it's a third party API key with special privileges that they hacked, the potential harm is limited.

If they have access to the full system, they could be sending millions of ghost messages to some part of the population right now to get them to do something while we all watch the BTC show:

- scam them

- get them infected to gather a massive bot net

- make them very angry and start some kind of civil unrest in a specific part of the world

- cover a currently happening terrible event somewhere so that we don't learn about it too soon because twitter is the faster medium for that

At this point I realize how critical Twitter has become in shaping the way we view the world, and governments should worry a lot that this can be happening and act on it quickly.

That makes no sense. The BTC show increases general public suspicion in a huge way. It would be counteractive, if they are also doing what you say.

> If it's a third party API key with special privileges that they hacked

Unlikely since the tweets appeared from "Twitter Web App"

Bingo, they're probably walking away with all of Twitter's internal data as we speak...

They're wasting time and money on purpose too, the dead rapper XXXTentacion just tweeted: “Smoking a fat blunt on my private island giving out bitcoin to my supporters”, Elon tweeted "hi" etc.

They also can't be stupid enough to not understand that using a single address that is blocked in most web wallets now is completely dumb.

> They also can't be stupid enough to not understand that using a single address that is blocked in most web wallets now is completely dumb.

Everyone always assumes stuff like this after every big criminal case. But every time it turns out that yes they were that stupid.

Occam's Razor. My bet is on it being some teenage hacker who was screwing around with Twitter APIs and noticed a glaring security flaw.

I sometimes get "we hacked your site, pay us bitcoin" spam via a contact page on my website. Once, I decided to send them a few cents to see if they were dumb enough to sweep it somewhere. To my surprise, they really were that dumb. It seems to be in some sort of wash trade loop (maybe a coin tumbler).


Alternative take, it could be a distraction while they short various stocks. Obviously 12 BTC/100K isn't worth hacking Twitter. Perhaps if everyone is watching the Bitcoin address, they may miss the real heist.

Shorting stocks will be suspicious if they do it from accounts who have never done much volume before. There are insider traders who are caught all the time doing 1 big trade (relative to their account values and previous activity) miraculously at the right time.

Definitely, this is like the theorized “Goldfinger” attack on cryptocurrencies—sabotage the network after building up a sizeable short position in derivatives. However a Goldfinger attack on Twitter stock would be a challenge to hide, since any evidence of anomalous trading patterns could open you up to prosecution by the SEC. Might want to check for any huge buys of daily put options on TWTR...

But why do it after hours then?

That's what I first thought of as a potentially better scam. Pump and dump. Emergency news: a covid vaccine gets emergency authorization, or the opposite, Moderna is pulled from the next phase because it killed people. I know the SEC is good at sniffing that out but it seems like you could easily get more than a few 100k, especially given the Moderna news / earnings season.

"Funding secured to take Tesla private at $42069 per share"

TWTR is probably the only stock that wouldn't bounce back immediately after the scam is revealed.

All the DMs would definitely be valuable.

That's definitely one way you could blackmail people for more BTC, or unmasking various prominent anonymous accounts... Lots of way to use that info to make serious money on the darkweb.

Why would anyone take such a big risk when they could play with stocks with one account?

Go ahead.... try to anonymously purchase stock.

Pretty sure this is trivial. Buy someone's identity on the dark web to pass an online brokerage's KYC, then wire money in from an international bank. I say this as a person who worked at a fintech. KYC checks aren't the most robust and you can brute force the knowledge based authentication if you have enough people's information. Some of the KBA questions you can google because all the data brokers put people's past cities online.

But remember: you'll also need to sell the stock after having committed the crime, with all the attention drawn to those getting a big payout.

It will take at least a week for the SEC to make an official request. Funds would have settled and you can call up and wire the money away. Never seen it with stocks but have seen it on deposit accounts. One of the biggest issues with online banks is fake accounts that are used as mule accounts to move stolen money. Authentication in the US is weak and based around SSN and credit history, which isn't hard to buy. Want a billion dollar idea? Solve that without using things like sending a verification code in the mail to an address on an active account in the person's credit history.

The SEC will find you. I know from experience.

Assuming this is what you went to prison for, is there anything you can tell us about what happened or what the experience was like? Or have you written about it already on HN or anywhere else?

Of course I can understand if you are somehow unable or unwilling to talk about it, but I'm really curious and it can't hurt to ask :).

You mean the deep OTM daily put options

Any way you look at it you'd have the FBI and SEC on your ass in minutes. With Bitcoin nobody's going to really bother.

Recently some banks are using video calls to do KYC checks. You need to hold up your passport while they verify and then Q&A.

Why would you need to be anonymous?

I mean, if you spent $$$$ shorting Tesla stock, then a week later the stock nosedived in response to a tweet and you made a big profit, that doesn't prove you were behind the tweet.

It wouldn't even be illegal, unless there was independent proof you were behind the hack. Without that, you just placed a bet which happened to be a lucky one - just like anyone else who was short Tesla.

> It wouldn't even be illegal

Yes, it would be ... but it would also be hard to prove.

The SEC would _definitely_ have some questions for you in the scenario.

What are they going to ask? Why did you short the most shorted stock in America? Why did you later close your short position, locking in a large profit?

I'd be surprised if that even got you interviewed, let alone searched for hacking tools.

Unless they've fingered you by some other means, in which case it's irrelevant how you were planning to get the money out.

At that point, it's a criminal investigation and everyone on the right side of the trade is a suspect. If you'd made enough to make the risk worthwhile, they'd subpoena everything - phone records, emails, electronics, financial history, contacts, ...

You can easily trace stock trades.

Where does one go to sell or buy DMs like this? I'd like to take a look to see if or when twitter data becomes available.

Most communities that would actually have buyers for high level information are well hidden; you basically have to know someone to get in. I don't know of any sites on TOR that have a marketplace for this kind of high level information, but there's definitely a couple of Russian marketplaces on i2p. I don't have the links anymore but they're probably somewhere out there on the clear web.

Could explain why this happened during business hours. Data flowing out from servers doesn't look out of place then...

Twitter is 24/7, it's a global company

What's the logic? It makes the problem much more visible. Ostensibly the fix for fake tweets would also fix whatever they'd be trying to cover.

There's a simpler explanation: someone wants to destroy Twitter. (Bless them, lol.)

Twitter's only value to the world is the idea that it is a platform where "celebs" can safely broadcast their message to the public. That value proposition has now been destroyed.

"destroyed", a bit exaggerated, mate.

Well, if I was Obama I'd cancel my Twitter account ASAP. Today the tweet is relatively harmless and obviously fake, but who's to say that tomorrow something really toxic to Obama's reputation won't be posted under Obama's name? (Say, something anti-feminist.)

Are there better options?

Accounts get hacked/phished all the time, it's not a big deal.

> ...it's not a big deal.

Unless you're Obama or Trump.

It can't really be the first three, because Twitter will fix this problem soon. So it would be wasting the exploit.

It's either incompetence or your fourth option.

I read about this in the news before I saw it in my Twitter feed. My trust in Twitter has dropped severely.

Why weren't these tweets deleted immediately and a note pinned to every user's feed?

Arguably it was irresponsible of Twitter not to pull the plug on the servers at the first hint of an exploit at this scale. When you literally have no idea what's going on, job #1 is to keep it from getting worse.

Just wild speculation, but could it also be a stock-market play? It seems the stock went down by quite a bit in after-hours trading [0]. Shorting the stock I guess would have earned you quite a bit more than the few BTC made directly.

[0] https://techcrunch.com/2020/07/15/twitter-stock-slides-after...

It's possible this was conducted by somebody who underestimated the hack's value, or isn't even really doing it for monetary gain rather than to just stir chaos

Are you the AOL Pizza? (I’m guessing not but have to ask)

nope sorry :)

Another possibility is that they have already sold the hack, but the relationship with the buyer deteriorated for whatever reason, so they decided to burn the bridge.

I wonder if they have access to the accounts’ DMs too. Lots of juicy info potentially there.

I’m seeing a lot of discussion of the DMs being the real target, but executives and politicians usually have staff who monitor and post to their social media channels. Hard to imagine Barack Obama communicating anything of blackmail value over a channel that a mid-level social media manager has the password to.

No, but you could blackmail a social media manager to further your cause by planting a bug in the office, for example.

Or just, someone stupid and uncreative got very very lucky and this was all they could come up with.

They are not stupid if they could make such a big attack.

Reminder: macrumors.com/2017/11/28/macos-high-sierra-bug-admin-access/ Not all serious bugs are difficult to find.

I highly suspect that it's an inside job and someone had become aware that a security hole in the API/interface was getting ready to be patched, so they jumped on it as a hail mary to make some bucks. It's one of the few things that makes sense. Otherwise they would have sold it to some nation state to pull the trigger on when they need a propaganda coup.

> - a diversion while they get the real loot

It's that one. They were after the DMs of one target, and needed cover for who they were specifically after, so they hit many accounts.

>a demonstration to a big client

Okay, this has me curious. Could someone describe the context/circumstance where you have a 'big client' to whom you illustrate capabilities by this kind of hack? This is a black market thing, right?

I don't doubt it, I'm just curious what this market is, and what it means to be a 'big client' in it, etc.

this is not a way for you to demonstrate what can be done to a big client. ignore OP.

Common sense. You demonstrate on low profile accounts so when the “client” pays you for the real job, you still have access to the vulnerability.

I will bite. Without taking a political stance. Imagine you could show GRU that they can make Trump tweet "I just ordered a nuclear strike on..."

What value would you place on this?

The proof will go along with another method of hacking the account that is not disclosed.

After having alerted twitter to the hack and given them time to fix it? I'd say that's worth approximately $0

If life was like Sherlock Holmes, the real hack would be put in place during the rush to fix this one.

I don't seriously suggest this is what happened though. I don't have any information about this. Glad I never did send or receive Twitter DMs though.

Just imagine trading secrets to foreign actors, or selling misinformation. Can you even think of the covert operations that could have taken place to slowly poison streams of people in the twitter-sphere? This is a big yikes on a platform that "poses" as a platform of democracy and free speech.

You're overestimating the intelligence of the typical scammer.

The typical scammer doesn't hack twitter

Yeah, because this looks oh so professional.

They're not a scammer. They're a massive multimedia conglomerate hacker.

Nah, 14yr old in the basement who stumbled upon this.

Maybe the dude shorted the Twitter stock?

Yeah, I'm not sure there is much to be gained from leaking internal data (are DMs that valuable?). The actual scam is executed so poorly that it can't be the main goal either. "Proving" you have a good exploit by throwing it away is also not plausible.

Exactly, this would be a pretty reckless way to prove an exploit. You could just tell the potential buyer to create a new account and then tweet from that handle.

Perhaps, however proving you can access verified accounts is harder. Still, even that could have been proved a lot more quietly if they wanted to; clearly this is a distraction, or something else is being sold/showcased beyond this exploit.

While we'd hope that most people would be smarter than to send anything incriminating through a DM, the high profile nature of some of these accounts means anything embarrassing in their DMs could have significant value. They already have access to two presidential candidates' accounts and might have access to the incumbent's account even if they didn't post from it.

There is a spike in the short volume on the 8th - https://fintel.io/ss/us/twtr

Bad idea for the hacker. Stock ownership is public information.

Doubt it, that would open up too many vectors on an otherwise easily anonymized operation.

I think you greatly overestimate the value of this. It’s a sham, everyone makes a few tweets, it’s on the news and it’s fixed and over tomorrow.

Very little damage done that isn’t obviously corrected/correctable short term. In other words, who cares?

I’d pay tree fiddy for this exploit. On the other hand, this person seems to be making BANK getting 13 BTC as of now.

You could move many, many millions of dollars on the stock market with these accounts. Would require more care and/or tricks to avoid being apprehended than a simple anonymous bitcoin scheme, but the pay off could have been at least a couple of orders of magnitude higher.

In any case this is the perfect example of why 2FA via SS7 is the worst idea any developer ever had.

I mean, to take over your account I just have to grab an old Motorola phone and let an IMSI catcher software run on it.

I hope that Twitter learned that 2FA via SMS should be treated as what it is: totally unnecessary.

If this is a demonstration to a client I don't want to know what the product is they're selling. There are few more valuable targets than being able to hijack communication of public figures.

Agree; this looks like an ISK doubling Jita scam for laughs, given the sophistication of the event.

I thought it was just me, but yes... please send me your ISK and I will double it... here's a website with a wallet thing that shows we sent out money... every time we received some.

> how little the BTC reward is going to be

So far, the address has received the equivalent of over 50,000 USD.

Again, nothing. Given the accounts that were hacked, they could easily have moved markets and had pre-placed short bets that would have netted them potentially hundreds of millions.

If they had capital to begin with. If this is some individual hacker without much for means, swiping $100k of BTC in a potentially narrow window when a security vulnerability is in place is greater than $0 while trying to line up capital and shorts.

That's a lot easier to trace than BTC transactions though. And of course even there if the adversary is determined enough you'll get caught.

If you do it in "real" markets, you get the attention of the SEC or similar agencies in other countries. Crypto is completely unregulated in this regard.

There are literally millions of put/short orders placed against TSLA every day. I don't think they track the intentions of every single one.

No, but if someone managed to hack a bunch of Teslas and cause chaos, driving their stock down, you can bet law enforcement would be looking at shorting activity.

With Elon Musk's normal shitposting you could get away with one well placed message to (temporarily) tank the stock.

Bad hacks are announced fairly regularly. I highly doubt law enforcement investigates shorts every time one happens.

I'll bite: let's say I have a hack capable of doing this. How do I sell my hack?

Walk into the [country] embassy, probably (or twitter these days...)

I wonder if it's coming from inside the US, to prevent the President from using Twitter the way he has used it -- signifying that the presidential twitter account could be compromised, without actually compromising it and with minimal damage otherwise.

This is the best fun I've had in a while, but I've just ruined it for myself with a conspiracy theory that some prankster YouTuber has set this up and there will be a "hilarious" video about it tomorrow.

Yeah, not possible with both the last US pres and vice pres being hit.

Literally, at least 3 of the top 10 richest people in the world got hit. All of whom probably really don't like each other to begin with...

Doesn't even look like Twitter has acknowledged the attack yet. The status page [1] shows all green.

[1] https://api.twitterstat.us/

Twitter acknowledged the incident over two hours ago: https://twitter.com/TwitterSupport/status/128351803844522393...

>Such a hack is worth way, WAY more than the few BTC it could bring.

lol tons of ppl have been scammed. If by 'little' you mean hundreds of k. In some Eastern European country that can last a lifetime.

They could have probably made $100k by disclosing this to Twitter. The reward/risk graph seems concave down and not convex up.

Twitter says for account takeover hacks, their bounty is set at $7k.

$7k vs $100k, you choose.

I'm trying to think of other ways to monetize this without ending in prison, and not really coming up with much...

Sure, you could short stocks and then make "Aaah, Tesla is going bankrupt!" tweets... But without an army of lawyers and accountants and money to pay them, it's hard to anonymously short stocks.

You could bribe people with publishing DM's - but again that's pretty high risk. And how do we know that hasn't already happened?

What else is there?

Maybe shorting wouldn't have been needed. Just buy from the dip and trust that the stock recovers when twitter confirms hacking. But requires a lot of cash that the attacker probably doesn't have.

Sell the exploit to someone with a bigger appetite for risk?

Way more effort and risk there, much more difficult without existing underground connections.

Why would you need to anonymously short the stock? It feels like it would be easy to get lost in the noise of regular shorts.

also any attempt at negotiation can be construed as extortion, and now they have all your info too.

They could have made >$10m with Elon's account alone by manipulating the share price. A few 100k is nothing.

It does not work that way. The trades will be cancelled, the account frozen before $ is ever able to leave.

Crypto can also become tainted and basically unsellable. It's especially easy to do with bitcoin or ethereum.

Also, unless they have the identity of the hackers, it wouldn't be that hard to make millions without sending any red flag. Tesla has an insanely high option volume, you could get into highly traded positions a few weeks/days before and cash out easily. Unless you really, really make dumb moves it's pretty safe. Much safer than cashing out on a BTC haul.

If the hacker lives in Eastern Europe opening a stock options account is not possible, unless he has a connection with an American who can make the trades and cash out. No need to try to fool the SEC, which has billions of dollars of resources behind it. Also not all exchanges are regulated, and even regulated exchanges may not be able to trace the source. The money can be split and sent to many exchanges and mixing services over a long period. It is not safe. Elon Musk's Twitter being hacked would trigger extra scrutiny of all Tesla stock option trades. The SEC has extremely advanced tools for detecting this stuff.

Anyone can trade US options from Eastern Europe, with a broker like Interactive Brokers

That's pennies compared to what a compromise like this would be worth...

Apparently hackers have commented that they now have DMs of all the hacked blue checks. They referred to that as the "fun" part of this exercise.

There is a bit of romanticism about hacking here, things are way more boring than you would think. Likely that some process on the authentication process at twitter was broken and someone took advantage to have a laugh.

Hijacked the authentication cookies and injected them into the app that skips validation for performance. Likely nobody got access to the accounts themselves; it just allowed them to tweet some jokes.

Isn't it a bit too high profile? The perps risk attracting the attention of people a bit more serious than overworked police fraud squads.

"few BTC", for the US this is no money, but for a scammer in a 3rd world country 13 BTC is more money than most people make in their lives.

"few BTC" is relative to the value of what they had, not the average income of the average person.

If I sold a 7500 sqft home in San Francisco for $200,000 you could say the same thing.

> a diversion while they get the real loot

How about market manipulation via other tweets that subtly affect trading bots reading Twitter?

Seems more likely to me that it was a Twitter employee or someone with access to an employee's PC to reset passwords.

But wouldn't that be evident very, very quickly, from just looking at a relevant account's audit log, and shut down right away?

But it was shut down right away...

I think it only stopped in the last few minutes. It lasted hours

I also think the exploit wasn't stopped, they just stopped all verified accounts from tweeting.

They also shipped a block on tweeting the address: https://twitter.com/_akavi/status/1283524504866586624

A senior engineer (juniors would not have this level of access) risking their job and facing prosecution for an amount that would certainly be far less than their salary? That doesn't seem likely.

I think this is a state sponsored attack. Wouldn't want to speculate on which state.

based on what?

Perceived motive.

The resources needed to do this. Compromising and paying Twitter staff, the practical, technical know-how (and its cost), and that no real attempt to profit from this has been made?

I don't think that sounds like a financially motivated crime at all. As a crime it has more in common with the proverbial 'horse head on the bed', than a sophisticated heist. I think this was done to shake confidence in the perceived invincibility of Silicon Valley and FANG like companies particularly.

But then any number of well resourced 'political' actors would love to send that message to the large tech companies...

Yeah a couple of tweets could have made them millions with financial derivatives.

> a diversion while they get the real loot

Twitter as a riderless horse would be wild.

How about the possibility of a Bitcoin marketing campaign?

Hmm the thing is, associating it even more with "hack" and "scam" isn't really great marketing.

I tell you what: it has been working pretty well so far. Just about every year, this is exactly how Bitcoin is portrayed.

- Bitcoin is used for scams

- Bitcoin hacks

- Bitcoin used for illegal activity

All the while, more people become aware and interested.

These sort of events prime the "nocoiners" to read and understand that little bit more.

This is good for bitcoin - /r/bitcoin probably.

I like your thinking. This is a novel idea.

Frankly, I expect the real prize to be the DMs used by the blue checks. Biden and Barack's DMs are worth much more than 100 grand.

Do they seem the type of people that would send anything sensitive over Twitter DMs? I'd imagine if anything at the very least they would use iMessage or some messaging app of that nature. Biden seems like the type of guy who relies on e-mail.

113k is a little reward?

This hack is (quite literally) worth billions of dollars. From market manipulation to geopolitical implications. So yes, 113k is peanuts.

Billions? Ridiculous.

There's a lot of suggestions of what one might accomplish with this exploit, but I'm not sure they would be obviously more lucrative than this. Any time you use it, you're likely to lose it, so its value is pretty precarious. How much can you really accomplish in a few hours?

People get hacked so often on twitter that there's already substantial doubt ("did they get hacked?") whenever somebody tweets something odd, so I really doubt you could accomplish some diabolical geopolitical aim that some seem to expect.

And as if it's so straightforward to find a terrorist billionaire that's willing to pay top dollar to use it to start a war or something to that end.

>There's a lot of suggestions of what one might accomplish with this exploit, but I'm not sure they would be obviously more lucrative than this.

People have made far more from things Elon has tweeted. Now billions is ridiculous, but you could have made millions via market manipulation. Not to mention the amount of damage had he done a targeted exploit - there would be a ton of speculation as to whether Elon/Trump/Gates was "really" hacked or if it was just a cover.

There's basically no way to earn any significant amount of money beyond what they've already done without getting caught. Certainly not a billion dollars.

No one has ever gone bankrupt by taking profit. State level actors/smoke screen/geopolitical implications all sound great and are exciting, but this might be a small group that just thought 'let's get what we can, easier to launder 100k than billions lol'

How did you determine it to be literally worth billions of dollars? I don't understand how sending some faked tweets could have much in the way of geopolitical implications.

The Prime Minister of Israel was hacked. What if he'd announced "Dear holy men of our faith, now is the time to immediately strike the black devil threatening our very way of life within the U.S."

Or Barack Obama and Joe Biden's account saying "The jews have finally taken over the White House. Donald Trump has been confirmed to be a planted Russian agent. Act now in the streets before it's too late"

Obviously, those aren't worded very well because I'm tired as shit. But how can you not imagine the implications that could be had? It's not that hard...

If they had waited until election day in November it could have tipped the election. This of course assumes that no one else would have found the problem in the meanwhile (difficult to say if that's realistic or not), but yeah ... the potential could be a lot more than "just" ~$110k in scam damage.

That's quite some hyperbole.

I don't think any state actor or 'player' of significance would be stupid enough to do something terrible based on a tweet. It's much more likely that these actors would consider the account hacked and at the very least do a bit of googling to find out.

And when it comes to specifically the kind of message that you use as an example, it's not like they wouldn't wait to see how it unfolds (Twitter saying their accounts were hacked. message void) and see because immediate action wouldn't be necessary.

Hypothetically, I can see some danger if a nuclear power would respond to a tweet saying "we're launching nukes" by launching a pre-emptive strike. But that's fully in the realm of fantasies hysterics have.

That's the problem: whatever they do, it's got to be plausible.

If I read that from Obama and Biden I'd immediately smirk and think "They've been hacked!" I mean there would need to be a sit-down interview on CNN before I'd believe that.

Israel... same. They're a sophisticated nation state with Harvard Ph.D.'s helping to lead their foreign policy, and messaging. If they go from diplomacy to sounding like jihadists in 15 minutes, that's a hack.

Anytime the volume or aggression level goes from like 10 to 1,000,000, it's probably a hack.

Given that context, I think tweeting out a BTC address for a giveaway is something that's halfway plausible, as opposed to totally unbelievable.

What do you suppose would happen in the minutes before those tweets are taken down and identified as fraudulent?

Or just say, as Trump, "I've just ordered a nuclear strike on China!". People wouldn't even know if it was fake or not.

Tweets are not nearly as important as you seem to think.

Twitter would have probably paid out about $100k for this to be reported via a bug bounty program. $100k is nothing for the risk taken, they could have made a lot more.

Twitter should have paid millions for a bug like this.

It should be but it is not, in the bounty program the actual payout for owning accounts is 7k ish, that is assuming you met all the criteria and they still accepted the bug, which is not always the case.

Having said this, this attack was not the best way to monetize this 0-day either; it looks like something else is happening behind the scenes that we won't know about, which is paying out the kind of money this attack should have been worth.

Even things such as "Administrative functionality" and "Unrestricted access to data" are "only" $12.5k. It's not a small amount of money, but I'm pretty sure I could make a hell of a lot more with full access to everyone's DMs. Grepping for CCs would be a good start, and "password", and so forth. Never mind that "admin access" might give the ability to send DMs.

Even forgoing the value arguments, the skill required to identify a vulnerability and develop a provable exploit for it, and the time it will take, is not free; just paying a senior security researcher an hourly rate or monthly salary will cost much more.

These kinds of rewards are better than nothing I suppose, but it looks like a cheap trick to crowdsource blackbox pen testing.

It could be that companies are cheap, but I bet there's also tension between paying enough to get bugs reported and paying enough to encourage insiders to introduce (or, if they're smarter, find but fail to fix or report) bugs then have them "discovered" by someone outside (for a cut of the cash, naturally). Maybe (probably) these bounties are too low to be anywhere near the tipping point for that so are indefensible as-is, but there surely is a level at which you'd expect to be encouraging bad behavior (proof that such a point exists: imagine a $100m bounty—now, that's plainly on the other side into "too likely to encourage, and be claimed by, fraud").

Most companies this size will have at least a couple of peer reviews, so you will need collusion from all of them.

Nothing in the world can protect you from poor hiring.

If the employees truly are corrupt then they would make more money selling the bug on the black market than to a legit bug bounty.

Again, it should not be linked to value, i.e. not 100m; it should be linked to the effort it will take for a security researcher to find it.

Let's say it took 3 months for a 0-day; the payout should be in the range of 40-50k dollars perhaps.

It is still not a good deal for the guy finding it; he is risking months and he may not find anything. However, being fairly remunerated for the effort if not the value is the first step companies have to take, and it won't look like a cheap trick.

Again, the smart insider doesn’t have to write the vulnerability, they just have to (with much greater access to code and infra than an outsider) notice it and not say anything (except to the outsider they sell it to). Selling such a vulnerability is a lot easier and safer than other ways of illegally monetizing a “hack”—your biggest risk is that you won’t get paid and will have no recourse, if you don’t get the money up-front, or that you do get paid but then someone else fixes the vulnerability before it can be used (that’s probably the worst likely outcome)

[edit] before it can be used to claim the bounty, that is—part of why this is relatively safe and so fairly tempting if the pot is big enough is that the money looks legitimate without some serious digging, so if some of it goes in a crypto wallet and sits there for a couple years then quietly gets siphoned off and laundered until it becomes fiat in the insider’s pocket, well, that’s probably gonna fly under everyone’s radar.

What makes you think it's even a "bug"? Perhaps poor administrative / operational controls, insider job, etc.

For taking the risk of impersonating several of the richest and most powerful people of the planet? yeah, I'd say yeah. Of course it's not stopping at 113k, but even assuming it'll stop at 500k I wouldn't say it's worth it

If it seems small it's probably because Twitter has been under constant attack by crypto giveaway scammers since early 2018. The pool of potential victims has shrunk.

I can't imagine the user's devices were targeted (e.g. Obama's cell phone), so this must be internal. Eff me.

Why? It's certainly imaginable Obama's cell phone was targeted.

Because that would require dozens of simultaneous simjacks on corporations, billionaires and politicians. Simjacking has about a 20 minute - 4 hour effective window, shorter if the person uses their phone extensively. Hacking the 2FA of Apple, Bezos, Buffett, Gates, Obama, Musk ... in that time window ... naaaaah.

What about Donald Trump wanting to shame the company which prevented him from tweeting? Is it too far fetched?

Real estate developer by day, elite hacker at night?

What an entertaining idea! I was thinking more about hiring talent or using gov resources, he has the money and the position for either one.

The BTC is adding up to many millions so far. I'd say it's worth it by itself.

Lol not even close

He didn't say in what currency

100k USD = 4.2 billion rial or 2.3 billion dong

People have been gushing about the value of such a hack, but as a marketer I can tell you that Twitter traffic is pretty close to worthless. I suppose there are other things you could do, such as manipulating stock prices. But that would take a large amount of capital to take advantage of, which this person may not have had.

I think it's mostly a test of miners - a prominent group of tech-related personas have been hacked, so I wonder if they end up asking miners not to validate/approve the list of incoming/outgoing transactions. If they choose to minimize the priority of these transactions, they may get delayed over 14 days and eventually fall out of the block as never processed bitcoins. Then the spender gets their money back. In 14 days they may realize it was a scam. They probably already did!

If I were a miner now, I would not reverse these transactions.

Setting the precedent that transactions can be reversed will do more harm to the crypto ecosystem than $100k being taken from gullible users.
