The high-profile bitcoin solicitation scam that was successfully executed on Twitter last month was the product of a well-planned mobile spearphishing attack targeting a handful of Twitter’s employees via phone and utilizing a sophisticated (albeit unoriginal) mix of SIM-swapping, social engineering and the most popular cryptocurrency: BTC! The attack is the largest breach of Twitter to date, and spotlights the importance of security awareness training as a cornerstone of all corporate cybersecurity programs.
On Thursday, Twitter posted an update regarding the attack, which took control of 130 accounts of high-profile users such as Elon Musk, Binance, Kanye West, Apple and Uber. Each account was hijacked at the same time and used to promote a fraudulent “2 for 1” bonus giveaway of bitcoin, the Bitcoin Core software’s popular asset.
“This attack relied on a significant and concerted attempt to mislead certain employees, and exploit human vulnerabilities, to gain access to our internal systems,” the company said in its update. “This was a striking reminder of how important each person on our team is in protecting our service.”
Twitter revealed that the accounts were compromised by a group of hackers that managed to access internal tools to secure elevated employee privileges – a common goal of threat actors. Since some of the targeted employees did not have useful privileges, the attackers used those identities and credentials for social engineering the more highly privileged Twitter employees in order to gain knowledge and trust in Twitter’s internal environment.
“Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately tweeting from 45,” according to Twitter.
Amid the attack, Twitter locked down thousands of accounts belonging to verified “blue checkmark” users and high-profile companies to prevent the hackers from perpetrating the scam on a larger scale. Unfortunately, the attack was almost immediately successful at soliciting a sizable amount of BTC from average Twitter users looking to double their holdings by sending transactions to the address posted on the hijacked accounts.
Curiously, the attackers utilized a native SegWit Bech32 address rather than a legacy address represented as a native bitcoin hash, and many of the transactions were sent from wallets that were created to display vanity address hashes with variations on phrases mentioning classic bitcoin tropes. This suggests an uncommon level of sophistication with some of the more advanced tools that exist in the blockchain space. It also suggests that the hacker was aware of some of the obfuscation tools created by Blockstream Corporation, the controversial blockchain research firm that developed the SegWit protocol. Native SegWit Bech32 addresses are used as launching points to deploy BTC to other networks (such as the Lightning Network), where transactions can disappear indefinitely by being transacted off of the BTC ledger, commonly referred to as “the blockchain.”
Perhaps, the hackers had a plan that they were not able to fully execute with the BTC.
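For an analyst triaging a scam post, the first practical question is what kind of address was posted, since that determines which wallet tooling and which explorer queries apply. The following Python is an added example, not code from GoVanguard, Twitter or the article, and it implements the two address encodings the paragraph contrasts: Bech32 native SegWit decoding per BIP-173 (checksum verification, 5-to-8 bit regrouping, witness program length rules) and Base58Check decoding for legacy addresses. The sample inputs are the BIP-173 specification test vector, the well-known genesis-block address, and a constructed corruption of the test vector; the address actually used in the scam is not given in the article and is not reproduced here.

```python
import hashlib

# --- Bech32 (BIP-173) ---------------------------------------------------------
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

def bech32_polymod(values):
    """BCH checksum polynomial from BIP-173; a valid string yields 1."""
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk

def bech32_hrp_expand(hrp):
    """Human-readable part as fed into the checksum (high bits, 0, low bits)."""
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def bech32_decode(addr):
    """Return (hrp, 5-bit data without checksum) or None if malformed."""
    if any(ord(c) < 33 or ord(c) > 126 for c in addr):
        return None
    if addr.lower() != addr and addr.upper() != addr:   # mixed case is forbidden
        return None
    addr = addr.lower()
    pos = addr.rfind("1")                               # separator between hrp and data
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return None
    if not all(c in BECH32_CHARSET for c in addr[pos + 1:]):
        return None
    hrp = addr[:pos]
    data = [BECH32_CHARSET.index(c) for c in addr[pos + 1:]]
    if bech32_polymod(bech32_hrp_expand(hrp) + data) != 1:
        return None
    return hrp, data[:-6]                               # drop the 6 checksum symbols

def convertbits(data, frombits, tobits, pad=True):
    """Regroup frombits-wide integers into tobits-wide ones (None on bad padding)."""
    acc, bits, ret = 0, 0, []
    maxv = (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            ret.append((acc >> bits) & maxv)
    if pad:
        if bits:
            ret.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        return None                                     # leftover or non-zero padding
    return ret

def decode_segwit(addr, hrp="bc"):
    """Return (witness_version, program_bytes) for a native SegWit mainnet address."""
    dec = bech32_decode(addr)
    if dec is None or dec[0] != hrp or not dec[1]:
        return None
    version, data = dec[1][0], dec[1][1:]
    program = convertbits(data, 5, 8, pad=False)
    if program is None or version > 16 or not 2 <= len(program) <= 40:
        return None
    if version == 0 and len(program) not in (20, 32):  # v0 is P2WPKH or P2WSH only
        return None
    return version, bytes(program)

# --- Base58Check (legacy "1..." / "3..." addresses) ---------------------------
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def base58check_decode(addr):
    """Return (version_byte, 20-byte hash) or None if the checksum fails."""
    n = 0
    for c in addr:
        i = B58_ALPHABET.find(c)
        if i < 0:
            return None
        n = n * 58 + i
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading = len(addr) - len(addr.lstrip("1"))          # each leading '1' is a 0x00 byte
    raw = b"\x00" * leading + raw
    if len(raw) != 25:                                   # version + hash160 + checksum
        return None
    body, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] != checksum:
        return None
    return body[0], body[1:]

def classify_address(addr):
    """Classify a mainnet address string lifted from a post or log line."""
    seg = decode_segwit(addr)
    if seg is not None:
        version, program = seg
        if version == 0:
            kind = "p2wpkh" if len(program) == 20 else "p2wsh"
        else:
            kind = "segwit-v%d" % version
        return kind, program.hex()
    b58 = base58check_decode(addr)
    if b58 is not None and b58[0] in (0x00, 0x05):
        return ("p2pkh" if b58[0] == 0x00 else "p2sh"), b58[1].hex()
    return "invalid", None

if __name__ == "__main__":
    samples = [
        "BC1QW508D6QEJXTDG4Y5R3ZARVARY0C5XW7KV8F3T4",   # BIP-173 test vector
        "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",           # genesis-block address
        "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5",   # constructed: last char altered
    ]
    for s in samples:
        print(s, "->", classify_address(s))
```

The point of the checksum step is that a Bech32 or Base58Check string that decodes cleanly is almost certainly the address the poster intended, whereas a single-character corruption (the third sample) is rejected rather than silently mapped to a wrong destination; that property is what makes the posted address a reliable pivot for tracing funds on the public ledger.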
At the time of the attack, the BTC received into the attackers’ wallet was worth a little over $100,000, but the attackers were unable to properly anonymize the spoils of their malicious labor, leaving everything open on the public ledger to be tracked. Due to their failure to obfuscate, and some aggressive detective work from authorities, Graham Ivan Clark, the 17-year-old Tampa, Florida hacker, was arrested less than two weeks after the attack and charged as the mastermind of the team who carried it out.
Twitter acknowledged Thursday that there has been “concern following this incident around our tools and levels of employee access,” and said that it’s taking steps and updating its account tools to make them more “sophisticated” to prevent such a breach in the future.
At GoVanguard, we engage in ongoing training for our clients who are at risk of similar attacks. We maintain an active partnership with KnowBe4, and we recommend the utilization of KnowBe4 Security Awareness Training. While the security team at Twitter acted promptly and effectively during the persistent attack, the entire affair could have been avoided if Twitter’s staff had been properly trained to recognize that they were being socially engineered and spearphished before people were scammed on their platform.
If your organization maintains valuable financial or identifying data for customers, it is important to make sure that it remains secure. The most effective way to secure your data is to empower your entire staff to adopt new behaviors, and to keep them alert with frequent attack simulations of spearphishing and social engineering engagements. Bundled with a regimen of pentesting services, GoVanguard can help you achieve the greatest mix of security and awareness available!
Contact us today to get started on the path to greater security.