In July 2020 a cryptocurrency scam affected millions of Twitter users.
The scam used 130 public-figure and company accounts to trick users into depositing money in Bitcoin wallets. Victims lost about USD 118K in two days.
The scammer is likely to have used social engineering techniques such as phishing to gain access to internal systems. The attached document deconstructs the scam and offers lessons to be learnt from this incident.
2. WHAT happened?
• Twitter users were targeted with a cryptocurrency scam.
• 130 accounts were hacked; using them, millions of users were targeted.
• The accounts used for the scam belonged to public figures such as Elon Musk, Bill Gates and Barack Obama.
• Company accounts such as Apple and Uber were also used.
• The scam ran for two days (15 – 16 July) before Twitter took action.
• Victims lost a total of USD 118K.
3. HOW it happened?
• The scammer used Bitcoin wallets to remain untraceable.
• The scammer used social engineering attacks on Twitter employees to gain access to internal systems and tools.
• The scammer turned Twitter's own tools against it to access accounts and post tweets on their behalf.
• Multi-factor authentication was bypassed.
• Personal information of the account holders was accessed.
4. HOW Twitter responded?
• Twitter support worked to investigate and mitigate the issue.
• Affected accounts were locked so they could not tweet.
• Access to the internal systems was secured.
• Affected users were contacted individually to regain access.
• Updates about the scam were provided to the community via a blog post.
5. What is the AFTERMATH?
• Twitter will have to fix gaps in the company's security awareness program to avoid social engineering attacks in the future.
• Twitter faces huge fines under the European GDPR.
• Twitter may face huge fines from the US FTC (Federal Trade Commission).
• Twitter users who fell for the scam collectively lost USD 118K in two days.
• BitTorrent and Tron founder Justin Sun announced a USD 1 million bounty to track down the hackers.
6. What are the key TAKEAWAYS?
• Social engineering attacks are best prevented by improving user awareness. Companies should regularly test and review their employees' cyber security awareness.
• A tool in the wrong hands can do harm. Learning from Twitter's mistake, companies should restrict access to such critical business tools to a limited set of users.
• Companies like Twitter that operate a public platform must understand that the platform can be used to scam users. Content moderation must be planned and implemented.
• Users should not blindly trust unvalidated content. Messages received via SMS, email and social media must be validated before acting on them.
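The second takeaway (restrict access to critical internal tools) and the "130 accounts" figure from section 2 together suggest two controls an engineering team would actually build: a role check in front of every sensitive account action, and an audit log that is watched for one operator touching an unusual number of accounts in a short window. The following is an added example written for this summary; it is not Twitter's code and does not describe Twitter's real tooling. The roles, action names, operator names and account handles are all constructed for illustration.

```python
"""Added example: least-privilege authorization plus audit-log detection for a
hypothetical internal account-administration tool. All names are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed role model: only a small, named role may perform the actions that
# enable an account takeover (changing the contact email, resetting MFA).
ROLE_PERMISSIONS = {
    "support_agent": {"view_account"},
    "trust_and_safety": {"view_account", "lock_account"},
    "account_admin": {"view_account", "lock_account", "change_email", "reset_mfa"},
}

# Actions that should be rare per operator and therefore worth alerting on in bulk.
SENSITIVE_ACTIONS = ("change_email", "reset_mfa")


@dataclass
class AuditEvent:
    ts: datetime
    operator: str
    action: str
    target_account: str
    allowed: bool


@dataclass
class AdminTool:
    operator_roles: dict                      # operator -> role (constructed mapping)
    audit_log: list = field(default_factory=list)

    def perform(self, operator, action, target_account, now):
        """Authorize one action. Every attempt, allowed or denied, is logged first
        so a denied attempt still leaves a trace for investigators."""
        role = self.operator_roles.get(operator)
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        self.audit_log.append(AuditEvent(now, operator, action, target_account, allowed))
        if not allowed:
            raise PermissionError(f"{operator} ({role}) may not {action} {target_account}")
        return True


def bulk_action_alerts(events, window=timedelta(hours=1), threshold=5):
    """Return {operator: max distinct accounts} for operators whose *allowed* sensitive
    actions touched more than `threshold` distinct accounts inside any `window`.
    Uses a sliding window over each operator's time-sorted events."""
    per_operator = defaultdict(list)
    for e in events:
        if e.allowed and e.action in SENSITIVE_ACTIONS:
            per_operator[e.operator].append(e)

    alerts = {}
    for operator, evs in per_operator.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            distinct = {e.target_account for e in evs[start:end + 1]}
            if len(distinct) > threshold:
                alerts[operator] = max(alerts.get(operator, 0), len(distinct))
    return alerts


def demo():
    """Constructed scenario: a support agent is denied an MFA reset, and a legitimately
    privileged admin resets MFA on eight accounts within half an hour, which the
    detection rule flags for review."""
    tool = AdminTool(operator_roles={"alice": "support_agent", "bob": "account_admin"})
    t0 = datetime(2020, 7, 15, 20, 0)
    denied = 0
    try:
        tool.perform("alice", "reset_mfa", "@victim", t0)
    except PermissionError:
        denied += 1
    for i in range(8):
        tool.perform("bob", "reset_mfa", f"@account{i}", t0 + timedelta(minutes=3 * i))
    return denied, bulk_action_alerts(tool.audit_log)


if __name__ == "__main__":
    print(demo())  # (1, {'bob': 8})
```

The point of the pairing is that the role check alone would not have helped if the attacker had obtained a legitimately privileged session; the volume-based rule on the audit log is what gives a defender a chance to notice a small number of operators acting on far more accounts than normal.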