The billionaires apparently tweeted the same message, asking users to send money to a Bitcoin account and would be given twice as much back.
“You send $1,000, I send you back $2,000,” the message said.
However, it quickly became clear that this was a scam. Hackers had taken over the accounts of some of Twitter’s most prominent and, arguably, powerful users.
Who got hacked?
A number of verified users on Twitter lost control of their accounts.
Elon Musk, Bill Gates, Joe Biden, Barack Obama, Kanye West, George Wallace, Kim Kardashian, Wiz Khalifa, Warren Buffett, Jeff Bezos, former New York City mayor Mike Bloomberg, and others, all had their accounts tweet similar messages.
Several company accounts, including Apple, Uber, Wendy’s and Square’s Cash App, were also targeted.
A number of cryptocurrency accounts, including @bitcoin, @ripple, @coindesk, @coinbase and @binance were hacked to post one message.
What did they post?
The first messages appeared from Tesla CEO Elon Musk’s account.
”I’m feeling generous because of Covid-19. I’ll double any BTC payment sent to my BTC address for the next hour. Good luck, and stay safe out there!”
That message was deleted and replaced with another: “Feeling greatful [sic], doubling all payments to my BTC address!”
“You send $1,000, I send you back $2,000,”
The cryptocurrency accounts posted: “We have partnered with CryptoForHealth and are giving back 5000 BTC to the community,” and a link to a website.
That website’s domain was taken offline rapidly, with Kristaps Ronka, chief executive of domain name registrar Namesilo saying that it was suspended “on the first report”.
The accounts then changed, sharing bitcoin wallet addresses instead.
What was the aim?
The aim of the hackers seemed to be simply financial gain, directing naïve users towards a Bitcoin address they could transfer funds into.
The accounts managed to receive over $120,000 (£95,600). At some point, half of that money was withdrawn from the account.
The name ‘Cryptoforhealth’ was also registered on Instagram, and posted a message saying: “It was a charity attack. Your money will find its way to the right place.”
There was also, reportedly, a series of hidden messages in the transactions, which read: “Just Read All/Transaction Outputs As Text/You Take Risk When Use Bitcoin/For Your Twitter Game/Bitcoin is Traceable/Why Not Monero”.
Monero is a coin with more privacy features than Bitcoin and is apparently the cryptocurrency of choice for scammers and users of the dark web.
It is possible the scammers were hoping to direct Bitcoin users into switching to the alternative cryptocurrency.
Cryptocurrencies are more valuable the more users are using them.
The price of the Monero cryptocurrency did increase during the hack by 4.66 percent, to $71.04 per coin.
What did Twitter do?
At approximately 10.45pm, Twitter’s official account tweeted: “We are aware of a security incident impacting accounts on Twitter. We are investigating and taking steps to fix it. We will update everyone shortly.”
For a brief moment, the company stopped all verified users from tweeting in order to halt the spread of the scam.
“Tough day for us at Twitter. We all feel terrible this happened. We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened,” Twitter CEO Jack Dorsey wrote.
“Our investigation into the security incident is still ongoing but we’ll be posting updates from @TwitterSupport with more detail soon. In the meantime I just wanted to say that I’m really sorry for the disruption and frustration this incident has caused our customers,” said Twitter Product chief Kayvon Beykpour.
How did this happen?
According to a thread from Twitter’s official support account, the company detected a coordinated social engineering attack by people who targeted Twitter employees.
These employees had access to internal systems and tools and used that access to take control of the high-profile accounts.
According to Motherboard, who reportedly spoke to those behind the scam on the condition of anonymity, the individuals “used a rep that literally done all the work for us,” paying the Twitter employee for access.
The accounts seem to have been compromised by changing the email address associated with the logins.
Data breach monitoring and prevention service ‘Under The Breach’ tweeted a screenshot of the Twitter tool, showing access to the account @binance.
Under The Breach was suspended for 12 hours and the tweet was removed. A Twitter spokesperson said that “as per our rules, we’re taking action on any private, personal information shared in Tweets”.
What could have happened?
The amount of power the hackers had access to is arguably unprecedented.
Rogue tweets have the ability to affect the stock market. When Elon Musk tweeted that he was taking Tesla private for $420 per share, the Securities and Exchange Commission (SEC) accused him of fraud.
”Musk published this tweet in the middle of the day’s official market trading. Immediately after this tweet, the trading volume and price of Tesla shares spiked”, the SEC complaint read.
With control of Bill Gates, Jeff Bezos, and Apple’s account a coordinated series of tweets could have shocked the technology industry in any number of ways.
As well as profiting from the hack, the individuals could have used their influence to stoke political debate or attempt to change the path of upcoming elections.
Control over Joe Biden, Barack Obama and Kanye West’s account could have had serious impact on the November 2020 presidential election.
“This is bad on July 15 but would be infinitely worse on November 3rd” said Adam Conner, vice president for technology policy at the Center for American Progress, a liberal think-tank.
Mr Biden’s account could have tweeted that the Democratic nominee was dropping out of the race, or Mr Obama’s account could have tweeted an endorsement of president Trump or reinforced the claim often made by Mr Trump (without evidence) that president Obama tapped Trump Tower.
West, meanwhile, had recently dropped out of the presidential race after announcing his bid two weeks prior. The hackers could have suggested that West was running again, supporting Mr Biden or president Trump, encouraged people not to vote, or any number of other actions.
Some security experts believe that the Bitcoin scam could be a cover for something more damaging.
“If the hackers do have access to the backend of Twitter, or direct database access, there is nothing potentially stopping them from pilfering data in addition to using this tweet-scam as a distraction,” said Michael Borohovski, director of software engineering at security company Synopsys.
Twitter said it is not yet certain what other actions the hackers may have taken.
“We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it,” the company said.