Twitter's bad, no good Wednesday.
Twitter sustained a major hack Wednesday afternoon in which a number of high-profile, verified Twitter accounts began posting bitcoin scams. The accounts affected included those belonging to Joe Biden, Barack Obama, Elon Musk, Jeff Bezos, Bill Gates, Apple, Uber, Kanye West, Kim Kardashian, Warren Buffett, and Michael Bloomberg, as well as the Twitter accounts used by major cryptocurrency exchanges and sites (Gemini, Coinbase, Binance, KuCoin, TRON Foundation, CoinDesk).
Twitter said the attack was the result of "what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools." In response, the social media platform restricted the ability of all verified accounts to post their own tweets for several hours. The company later added, "Based on what we know right now, we believe approximately 130 accounts were targeted by the attackers in some way as part of the incident. For a small subset of these accounts, the attackers were able to gain control of the accounts and then send Tweets from those accounts."
Many observers wondered whether the bitcoin scams were simply a cover for more sinister activity, given the scale of access the attackers had versus the relatively low-impact attacks they actually conducted. That's possible, and the investigation is still in its relatively early stages, but it's looking more like a criminal operation. Brian Krebs even has a suspect to suggest: a SIM-swapper (nom de hack "PlugWalkJoe") connected with the Chuckling Squad gang. He's believed to be a British student in his early twenties, living somewhere in Spain.
Alex Stamos told CNBC that the attacks "were the equivalent of stealing a McLaren F1, taking it for a joyride and then crashing it into a telephone pole four minutes later." And of course that's something people do, sometimes. (For more visual impact he might have compared it to the chickie run in Rebel Without a Cause.) In general, the incident came to look like a crime without a clear end in view. Reuters reported that, before the hack, chatter on a grey-market forum frequented by gamers, SIM-swappers, and script kiddies had offered Twitter accounts for sale. That suggests low-level criminal activity as opposed to state-directed espionage. It's not just that offers to sell some stolen commodity appeared. State-run operations do that, too: often when they wish to be mistaken for simple criminals (consider NotPetya as one example), sometimes when they're letting criminals whose services they've suborned profit from their hacking, and occasionally when they themselves wish to profit directly.
But in this case the outcome seemed messy, and disproportionate to the relative smoothness and ambition of the hack. Reuters quoted Allison Nixon, chief research officer at security consultancy Unit 221B, who said “When you have these less professional criminal groups, you see chaotic outcomes. One member might stumble across a powerful hack, and it spirals out of control. That’s probably what happened here.”
Consider a comparison. When the Mirai botnet first appeared and took down Internet service across much of the eastern United States, it wasn't, as was widely believed at the time, a Russian shot across the American bow, but rather the work of a Rutgers student and his associates pursuing some vaguely conceived grifting, like click fraud or taking down rivals in the Minecraft server business.
The Wall Street Journal says the FBI is investigating the incident.