Blue Check Twitter + Bitcoin
As we know, 2020 has been the year of endless headlines. Every week, there are multiple wild stories that are leading the headlines that no one could have ever imagined. The tweets likening 2020 to a game of Jumanji feel spot-on. One of this week's Jumanji headlines involves my favorite social media platform (Twitter), my favorite topic (fraud/social engineering), and my favorite digital asset (bitcoin). If you haven't heard about this story yet, you're welcome!
I'd like to preface this by saying that a few of our political, technological, financial and entertainment faves (including some who were targeted in this hack) have denounced bitcoin and other cryptocurrencies as fraudulent. For some reason, that adds to my amusement surrounding this story.
It all started on July 15. A number of accounts owned by very public supporters of bitcoin tweeted variations of the same message that essentially instructed followers to 1) visit a particular website, 2) send a certain amount of bitcoin to a particular address, and 3) wait to receive a certain amount of bitcoin (at least double what was sent) at the address from which they sent the initial bitcoin.
After some success, the hackers then moved on to verified (blue check) Twitter accounts owned by those political, technological, financial and entertainment faves. President Barack Obama, Vice President Joe Biden, Elon Musk, Bill Gates, Kanye West, Apple, Uber. The list goes on but you get the point--famous people/entities with large Twitter followings. These accounts, affectionately referred to as "Blue Check Twitter," began to tweet out similar messages--send bitcoin to a particular address and get more bitcoin in return. At some point, Twitter caught on to this widespread hacking and they disabled Blue Check Twitter's ability to tweet while they got a handle on the situation. And this freeze wasn't just placed on affected accounts--this was all verified accounts. Eventually, Twitter figured out what happened and restored Blue Chick Twitter's abilities to tweet later that evening. But the damage had already been done.
Obviously, none of the people that sent bitcoin to this benevolent-turned-malevolent account received a satoshi of bitcoin back. But more than people losing bitcoin, I think a lot of people have lost some trust in the security of the platform. But that's not where the story ends. And, actually, this is not where the story begins either.
The story begins with how the hacking occurred. And it appears that the hacking occurred through the use of social engineering. If you are not familiar with social engineering, it is essentially a tactic whereby one manipulates individuals into disclosing confidential or sensitive information. Every time I see one of those prompts on social media about your "stripper name" (the ones that ask for the name of your first pet and your favorite food), I instantly think of social engineering. The answers to these questions are oftentimes the answers to security questions that are needed to access accounts when a password is lost or forgotten. The AARP has a great podcast series on scams that is cohosted by Frank Abagnale (from Catch Me If You Can) and talks about social engineering a lot. I highly recommend it.
Anyhow, Twitter has said that some of its employees with access to "internal systems and controls" were the victims of social engineering, and that's how the hackers gained access to all of these accounts. But there are also reports that some of its employees were bribed (awkward). Only time will reveal what actually happened but the whole thing is both fascinating and terrifying. And lawmakers on both the legislative and regulatory sides are already calling for investigations. The FBI's San Francisco Division has already opened an investigation and the New York Department of Financial Services is likely moving in that direction, too. A security breach like this is a HUGE deal and lawmakers will want answers for how this happened and what will be done to keep something like this from happening again (election year, anyone?). Other large social media platforms will likely also feel some of the fallout from this incident.
In case you're wondering, the hackers made off with about approximately $100,000 in bitcoin. That's not a lot of bitcoin when you think about the effort that went into this hack. This makes me believe that maybe the point wasn't to make money but to make a point (*shivers*). What do you think? Let me know at email@example.com or on Twitter (lol) at @blockchainblawg.