The Twitter hack, and why we need a better class of criminal

The Twitter logo as seen hidden among several other images including fingerprints
Twitter security (Image credit: Shutterstock)

This week, the tech world was rocked by a hack that saw multiple prominent Twitter accounts hijacked and used to spread a coordinated message. Accounts belonging to the likes of Bill Gates, Elon Musk and even Barack Obama were taken over, and the impact was so severe that Twitter was forced to ban all verified users (me included) from tweeting until they sorted everything out.

While I’m sure that being unable to tweet would be classed as cruel and unusual punishment by some of my fellow journalists, it’s no surprise that Twitter clamped down as hard as it did: This constitutes a major breach and has come at a time when Twitter is a more powerful communications tool than possibly anything else on the planet. The platform has been used to announce global foreign policy, crash stock prices and even fuel revolutions.

So what did the attackers do with near-unfettered access to the virtual mouthpieces of the world’s most influential people? They tried to flog a Bitcoin scam.

The sheer lack of creativity is almost mind-boggling; here is a group that found itself with the power to rewrite economies or start wars at a stroke, and used it to try and fleece people for cryptocurrency.

What’s worse is it wasn’t even a good scam. If you’ve spent any length of time on Twitter, you’ll almost certainly have seen similar efforts floating around, often from dummy accounts made to look like those of celebrities. The fact that this one came from genuine accounts evidently lent it enough credibility to trick users out of more than $120,000 in bitcoin, but it was hardly sophisticated.

The possibilities of such an opportunity are almost limitless; leaving aside the potential for political manipulation (say, by endorsing a particular viewpoint or political candidate), a coordinated ‘pump and dump’ scheme would have been child’s play to execute, and would have made the perpetrators a hell of a lot more money than $120,000. All they would have needed to do is invest in a cheap stock, tweet out endorsements of said stock from accounts like Jeff Bezos, Kanye West and Joe Biden, and then cash out once the stock inevitably skyrocketed.


How malware and bots steal your data

Protect your organisation with a layered defence


Even if they did want to rely on untraceable cryptocurrencies as their payment method, their offer to double any cryptocurrency sent to the target address was transparently bogus, whereas framing it as a promise to double any crypto-based donations to the COVID-19 relief effort, for example, would have been much more plausible coming from high-profile political and business leaders.

Of course, as we discussed on this week’s episode of the IT Pro Podcast, the crypto scam may have merely been a smokescreen, and the DM records of victims may well have yielded a veritable treasure trove of information that could be used to compromise other accounts or to carry out blackmail in the future.

The most interesting omission was that of the Tweeter-In-Chief, US president Donald Trump. He would have been a goldmine for this type of scam, but was omitted from the list of victims. The logical explanation is that Twitter has ring-fenced his account, with only a handful of employees permitted to access or modify it – a rule that was presumably enacted after a departing employee deactivated Trump’s account in 2017.

Amidst all this, I’m reminded of simpler times, when hackers would use their skills not simply to siphon money from the gullible but to advance genuinely-held ideals, or even simply to amuse themselves with mischief. The advent of cyber crime as a legitimate large-scale revenue stream may have put paid to the days of hackers as harmless tricksters, but at the very least, it would be nice to feel like they’re at least putting some effort in.

Indeed, reports on this latest incident indicate that the perpetrators may simply have paid off a Twitter employee to give them access to internal tools, and between that and the growing trend of ransomware as a service, it seems that even cyber thieves are now outsourcing their work. Hackers may be criminals, but if they’re going to steal from us, is it too much to ask that they at least take a little pride in their work?

Adam Shepherd

Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.

Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.

You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.