An Analysis Of The Twitter Bitcoin Scam, And How It Took Place

It's been one week since the Twitter accounts of high-profile personalities like Joe Biden, Elon Musk, Jeff Bezos and Bill Gates among others were hijacked on July 15, 2020. These accounts were used to spread a bitcoin scam and fool people into sending money through a link.

Within minutes of the initial tweets, more than 320 transactions had already taken place on one of the wallet addresses, and more than USD 110,000 of equivalent bitcoin had been deposited in one account before the scam messages were removed by Twitter.

We now deeply analyze more about the incident, how it happened, the suspected hackers and the investigation.

Elon Musk Twitter Bitcoin Scam

The Incident

On July 15, 2020, between 20:00 and 22:00 UTC, around 130 high-profile Twitter accounts were compromised by outside parties to promote a bitcoin scam. The tweets involved in the scam hack claimed that the sender, in charity, would repay any user double the value of any bitcoin they sent to given wallets, often as part of a COVID-19 relief effort.

Soon after the scam, it came to light that the initial scam messages were first posted by accounts with short, one- or two-character distinctive names, such as @6

This was followed by cryptocurrency Twitter accounts, including those of Coinbase, CoinDesk and Binance

The scam then moved to more high-profile accounts with the first such tweet sent from Elon Musk's Twitter account. Other apparently compromised accounts included those of well-known individuals such as Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, MrBeast, Michael BloombergWarren BuffettFloyd MayweatherKim Kardashian, and Kanye West.

The scam also targeted accounts of companies such as Apple, Uber, and Cash App

Twitter believed 130 accounts were affected, though only 45 were actually used to tweet the scam message; most of the accounts that were accessed in the scam had at least a million followers.

Some of the accounts that were compromised deleted the scam tweets from their profile, but the scam message was reposted repeatedly, even after having it deleted. One of the phrases used in the scam message was tweeted more than 3,000 times in four hours. This reused phrase allowed Twitter to find the scam related tweets easily and remove them, once they were aware of the hack.

One hour 45 minutes after the start of the scam, Twitter released a statement saying they were "aware of a security incident impacting accounts on Twitter", and that they were "taking steps to fix it". Soon after that, it disabled the ability for some accounts (mostly verified accounts) to tweet.

Three hours afters after the start of the scam, Twitter reported that they had resolved all of the affected accounts to restore credentials to their rightful owners.

The scope of the scam can be seen by the fact that at least one cryptocurrency exchange, Coinbase, blacklisted the bitcoin addresses to prevent money from being sent. Coinbase said they stopped over 1,000 transactions totaling over USD 280,000 from being sent. This is aside from the fact that USD 110,000 had already been deposited to one of the accounts before the scam ended.

Twitter also believed that the hackers had accessed the DMs of 

How It Happened

On the day of the attack, the Canadian-American print magazine Vice was contacted by at least four individuals claiming to be part of the scam and presented the website with screenshots showing that they had been able to gain access to a Twitter administrative tool. This allowed them to change various account-level settings of some of the compromised accounts, including confirmation emails. These hackers told Vice that they had paid insiders at Twitter to get access to the administrative tool to be able to pull this off.

TechCrunch reported similarly, based on a source that stated some of the messages were from a member named "Kirk" of a hacking forum called "OGUsers", who had claimed to have made over US$100,000 from it.

According to TechCrunch's source, Kirk had reportedly gained access to the Twitter administrative tool likely through a compromised employee account, and after initially offering to take over any account on request, switched strategies to target cryptocurrency accounts starting with Binance and then higher-profile ones. The source did not believe Kirk had paid a Twitter employee for access.

The @6 Twitter had belonged to Adrian Lamo, and the user maintaining the account on behalf of Lamo's family reported that the group that performed the hack were able to bypass numerous security factors they had set up on the account, including two-factor authentication, further indicating that the administrative tools had been used to bypass the account security.

Twitter subsequently confirmed that the scam involved social engineering, which means that the attackers manipulated/ faked their way to the employees' insider credentials, stating "We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools."

In addition to taking further steps to lock down the verified accounts affected, Twitter said they have also begun an internal investigation and have limited employee access to their system administrative tools as they evaluate the situation, as well as if any additional data was compromised by the malicious users.

Suspected Hackers

It is believed that the attack was done not by an organized group, or a country, but rather by four young people.

Apart from the OgUsers member Kirk who is suspected to be the ringleader, the hackers are believed to include the user 'lol', who's real world identity is unknown. However, it is said he lives on the West Coast of Great Britain, and is in his 20s. The third suspected hacker goes by the name 'Ever so anxious', who has said he was 19 and lives in the south of England with his mother.

These British hackers were popular for dealing with taking over and selling short named Twitter accounts. One of their customers was another well-known figure among hackers dealing in user names — a young man known as “PlugWalkJoe.” On Thursday, PlugWalkJoe was the subject of an article by the security journalist Brian Krebs, who identified the hacker as a key player in the Twitter intrusion.

Twitter Hack Kirk screenshot
A screenshot, sent out by Kirk for a customer he was selling accounts to.


The Federal Bureau of Investigation (FBI) announced the following day it was launching an investigation into the scam, as it was used to "perpetuate cryptocurrency fraud", a criminal offense.

The Senate Select Committee on Intelligence also planned to ask Twitter for additional information on the hack, as the committee's vice-chair Mark Warner stated "The ability of bad actors to take over prominent accounts, even fleetingly, signals a worrisome vulnerability in this media environment, exploitable not just for scams but for more impactful efforts to cause confusion, havoc and political mischief".

The UK's National Cyber Security Centre said its officers had reached out to Twitter regarding the incident.

BitTorrent CEO Justin Sun announced a US$1 million bounty against the hackers, with his company's Twitter account stating "He will personally pay those who successfully track down, and provide evidence for bringing to justice, the hackers/people behind this hack affecting our community."

Final Verdict

Soon after the hack, when Twitter blocked accounts from tweeting. This meant that important services such as the National Weather Service were unable to tweet severe weather warnings, with the National Weather Service Lincoln, Illinois initially unable to tweet a tornado warning. The fact that such a hammer-on-metal approach had to be taken to control the threat shows the inability of platforms today to deal with threats that associate on the inside.

While this scam may have been relatively small in terms of affected finances, the fact that this actually happened through targeting of internal employees through social engineering is threatening. Twitter is an important platform for discussions of politics, among other topics, and it has real vulnerabilities. Vulnerabilities that may have unprecedented large-scale impacts.


  1. I generally check this kind of article and I found your article which is related to my interest for investment recovery. Genuinely it is good and instructive information. Thankful to you for sharing an article like this


Post a Comment

Thank you for commenting on The Binary Tree!

Popular Posts