Twitter Elite Accounts Are Hijacked in Unprecedented Cryptocurrency Scam
The Twitter accounts of Gates, Musk, Biden, Apple and Uber have each been hijacked at the same time to push a cryptocurrency scam in an unprecedented breach of Twitter accounts.
Twitter locked down thousands of verified accounts belonging to elite Twitter users and high-profile companies in an effort to prevent hackers from perpetrating a massive cryptocurrency scam.
Late Wednesday, the accounts of Bill Gates, Elon Musk, Apple and Uber and many other high-profile Twitter users fell victim to what cybersecurity experts say was an attack on Twitter’s back end. Tweets sent from those hijacked accounts each promoted an advance-fee cryptocurrency scam, promising to double the value of Bitcoin currency sent to one specific wallet.
“This is 100 percent unprecedented,” said Satnam Narang, staff research engineer at Tenable. “We have never seen such a large and simultaneous number of Twitter accounts hijacked at the same time,” he told Threatpost.
For its part, Twitter acknowledged the mass account takeover in a tweet stating: “We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.” In a followup tweet, the Twitter Support team said, “You may be unable to Tweet or reset your password while we review and address this incident.”
The attacks began around 3 p.m. (ET), according to Narang, and first targeted the accounts @bitcoin, @ripple, @coindesk, @coinbase and @binance. Tweets sent from those hijacked accounts urged followers of those cryptocurrency accounts to visit the website CryptoForHealth.
“We have partnered with CryptoForHealth and are giving back 5000 BTC to the community,” read a typical tweet. The site linked to a Bitcoin wallet address.
Within hours, the website was taken down. But soon afterward, a barrage of verified Twitter accounts began sending out a similar message. Bill Gates’ Twitter account, for example, tweeted: “Everyone is asking me to give back, and now is the time. I’m doubling all payments sent to my BTC address for the next 30 minutes.”
We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.
— Twitter Support (@TwitterSupport) July 15, 2020
In an attempt to thwart the scammers, Twitter “locked down” its verified accounts. Digital currency exchange Coinbase also stepped in, preventing its users from sending money to the Bitcoin address.
“Because the tweets originated from these verified accounts, the chances of users placing their trust in the CryptoForHealth website or the purported Bitcoin address is even greater,” Narang said.
“This is a fast moving target and so far over $50,000 has been received by the Bitcoin address featured on the CryptoForHealth website and in Elon and Bill Gates’ tweets.”
The news agency Bloomberg was reporting at 4:45 p.m. (ET) that the Bitcoin address had amassed 12 Bitcoins, worth approximately $110,000.
Notable Twitter accounts hijacked include: Joe Biden, Kim Kardashian West, Wiz Khalifa, Warren Buffett, Apple, Wendy’s, Jeff Bezos, Barack Obama, and Mike Bloomberg.
James McQuiggan, security awareness advocate at KnowBe4, said the attack on Twitter could be tied to a third-party access system allowing a hacker to gain access to accounts.
“Several years ago, there was a similar event where a few accounts were seemingly breached. It turned out to be a third party access system that was causing the issues,” McQuiggan said. “This incident could be a similar situation on a much larger scale.”
He said the alternative is much more troubling. “A much larger concerning notion could be cyber criminals have had access to these accounts or possibly worked their way into a Twitter employee account, and inevitably worked their way into the Twitter backend’s administrative systems,” he said.
(This is an evolving story that is being updated in real time.)
The post “Twitter Elite Accounts Are Hijacked in Unprecedented Cryptocurrency Scam” appeared first on Threat Post
Source: Threat Post – Tom Spring


