Twitter scrambles to contain damage after bitcoin scam targets celebrities

Twitter handles belonging to high-profile users were hijacked to promote a bitcoin scam.
Twitter handles belonging to Elon Musk, Kanye West, Bill Gates, Joe Biden and Barack Obama were among those hijacked.
(Emmanuel Dun / Associated Press)

The attack announced itself one account at a time. Elon Musk. Kanye West. Bill Gates. Joe Biden. Barack Obama. Within a span of minutes Wednesday, some of social media’s biggest power users posted near-identical messages soliciting bitcoin payments with an offer to pay back twice as much.

As more and more giant accounts chimed in — Warren Buffett, Jeff Bezos, Apple — it quickly became apparent the tweets were part of a coordinated attack, although it wasn’t immediately clear who was behind it, how it was perpetrated or whether it had a purpose beyond bilking some gullible Twitter users out of cryptocurrency.

By late afternoon, with the scam having already extracted more than $100,000 in cryptocurrency, Twitter determined the only way to protect its most prominent users was to silence them, at least temporarily. “We are aware of a security incident impacting accounts on Twitter,” the company tweeted. “We are investigating and taking steps to fix it.”


Among those steps was blocking accounts of verified users — a group that includes most celebrities, news organizations and major brands — from tweeting.

Social media has often been styled a great equalizer, a tool that gives nobodies the kind of broadcasting power once limited to presidents and sports stars. In reality, internet fame has mostly served to amplify the voices of the already famous.

But for the two hours before Twitter restored tweeting privileges to so-called blue checkmarks (the badge indicating an account is verified), the timelines belonged to the little people. Meanwhile, massive accounts such as NBC News, with followings in the millions, were left to tweet from alternate or temporary handles to cover the story of the hack.

Twitter, which saw its shares decline as much as 3.8% after the market closed, blamed “a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”

“Tough day for us at Twitter,” Chief Executive Jack Dorsey tweeted. “We all feel terrible this happened.”

“This is definitely one of the largest hacks of high-profile accounts on a single day that I can remember,” said Theresa Payton, former White House chief information officer and now chief executive of Fortalice Solutions, a cybersecurity consulting firm.


“The question is was this an inside job, or was it sophisticated cyber operatives — perhaps nation states — who took advantage of Twitter authorization?” Payton said.

The effect on Twitter’s reputation will depend on how the company follows up, she said. Beyond repaying anyone who fell victim to the bitcoin fraud, Payton said the company owed a complete investigation to the people whose accounts were hacked, adding that the bitcoin scam messages could be just the most obvious sign of malicious activity.

They also serve as a wake-up call. “If today had been a week before the presidential election and the accounts of Bill Gates and Barack Obama and Joe Biden were taken over and they said something completely outrageous, that could have had an impact on the psyche of voters going into the voting booths,” Payton said. “If today was not the tsunami bell going off for all social platforms and all political campaigns, I don’t know what will be.”

Twitter users have been subject to hacks before, but they’ve often taken the form of broad data leaks or takeovers of individual high-profile accounts.

A 2013 hack gave attackers access to 250,000 users’ email addresses and usernames, and in 2016 news outlets reported that 32 million users’ login credentials had been hacked and posted online, but the accuracy of the compromised data came under dispute.

Targeted hacks of major accounts have also plagued the site over the years. In 2011, Fox News’ Twitter account was taken over to tweet false news that President Obama had been assassinated, PayPal’s British account was hacked and the profile photo changed to a pile of feces, and hackers took over NBC News’ account to tweet fake news of a plane crash at Manhattan’s Ground Zero.


Similar hacks occurred in 2013, when the accounts of Burger King and Jeep were taken over to tweet that they were being acquired by McDonald’s and Cadillac, respectively. That year, Twitter added two-factor authentication, which requires users who enable it to verify their identity with a phone number.

Although that measure improved security for accounts that enabled it, hackers were able to take over the account for the U.S. military’s Central Command in 2015 to tweet pro-Islamic State messages and hints they had access to military documents and private information on military personnel.

After a large hack of LinkedIn user data in 2016, attackers used that information to gain control of the accounts of celebrities such as Mark Zuckerberg and Kylie Jenner. And in 2017, a number of prominent Twitter accounts, including Duke University, Forbes, and Amnesty International, were taken over to tweet a message that included swastikas and a Turkish message accusing the Dutch of being Nazis.

The highest-profile hack in recent memory came in the summer of 2019, when Dorsey’s account was taken over and used to retweet pro-Nazi and hacking-related tweets.

Twitter has also faced a number of cryptocurrency-related hacks. In 2017, controversial antivirus and cryptocurrency entrepreneur John McAfee saw his account hacked and used to promote obscure cryptocurrencies, and in 2018 hackers took control of Target’s Twitter account to tweet a bitcoin scam message similar to the one deployed Wednesday.

In 2017, a contract worker in Twitter’s Trust & Safety division used his access to briefly deactivate the personal account of President Trump. After restoring Trump’s account, Twitter said it had put in place additional safeguards “to prevent this from happening again.” Trump’s account was not among those compromised in Wednesday’s attack.