Twitter Hack 2020 Was Probably Done by a Bitcoiner – But Not a Savvy One

A massive cyberattack against Twitter raised many questions about who people trust and what it means for the future of bitcoin.

AccessTimeIconJul 16, 2020 at 7:21 p.m. UTC
Updated May 9, 2023 at 3:10 a.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

A cyberattack against Twitter has sparked widespread debate about tech industry regulations and borderless money. 

So far the scam has garnered $120,000 worth of bitcoin by tweeting about a fake giveaway campaign. Verified Twitter accounts briefly lost the ability to post Wednesday, which inspired one New York magazine columnist to tweet that making cryptocurrency “illegal” would “prevent this sort of thing.” 

  • Navigating Crypto: The Ongoing Struggle between Privacy, Transparency, and Enforcement
    00:55
    Navigating Crypto: The Ongoing Struggle between Privacy, Transparency, and Enforcement
  • Exploring the Intersection Between Privacy, Transparency and Law Enforcement
    05:12
    Exploring the Intersection Between Privacy, Transparency and Law Enforcement
  • ConsenSys to Update MetaMask Crypto Wallet After Privacy Backlash
    06:07
    ConsenSys to Update MetaMask Crypto Wallet After Privacy Backlash
  • Wall Street: Fed Digital Dollar Spells Destruction for Banks
    07:06
    Wall Street: Fed Digital Dollar Spells Destruction for Banks
  • Click here for CoinDesk’s full coverage of the Twitter hack.

    Missouri Republican U.S. Sen. Josh Hawley promptly published a public letter to CEO Jack Dorsey, saying Twitter should work with the Justice Department and the Federal Bureau of Investigation to address security issues. By Thursday morning, many authentic Twitter accounts were no longer able to tweet bitcoin addresses at all, although QR codes still worked. 

    “As much as I can tell by the evidence I see right now, the attackers did not understand the value of the information that they had,” ClearSky CEO Boaz Dolev told CoinDesk. “We need to find a way to build a more resilient audience that won’t believe anything they see in a certain format is true. It’s a new era where we need new tools to understand what is true.”

    That said, with an audience reach of over 375 million followers, the hacked accounts only ensnared 421 bitcoin transactions, with only 17 of those transactions valued above $1,000. Roughly half of the transactions hailed from North American exchange accounts.

    Whoever is behind the Twitter Hack of 2020, which collected bitcoin by hijacking the accounts of everyone from Barack Obama to Elon Musk, Dolev said it doesn’t appear to be a state actor or a terror group. 

    So far the evidence suggests the attackers were well-versed in crypto culture, using inside jokes like spending up to 6.15 bitcoin, a popular meme reference, and tweeting about paid Telegram groups

    “Based on the history of the first destination address of the CryptoForHealth scam addresses, the scammers have a history of gambling on BitMEX and Coinbase usage,” said the privacy-centric team behind Samourai Wallet

    Misinformation

    And yet, despite clearly being a crypto veteran, the attackers didn’t use some of the best bitcoin privacy tech available. 

    Samourai Wallet said so far none of the 12.8 BTC appear to have been mixed with the firm’s WhirlPool tool nor any other non-custodial CoinJoin software. Instead, the evidence suggests the hackers have used centralized exchange accounts, like BitMEX, in the past.

    The crypto startup CryptoQuant tweeted “4.8 BTC went into the mixer.” But evidence from the analytics firm Quantstamp shows the illicit funds have not been used with any non-custodial mixing or CoinJoins. To Quantstamp CEO Richard Ma, this suggests an unsophisticated attacker because it will be hard to liquidate these funds.

    “The hacker used a single address, which likely reduced the hacker’s earnings by making it easier to trace,” Ma said. “Many exchanges including Coinbase, Kraken and Gemini have already blacklisted the address as well as the derivative addresses as the hacker seeks to exit with the funds.”

    CryptoQuant CEO Ki Young Ju promptly responded to a direct message from CoinDesk clarifying this blockchain data may suggest use of a “centralized mixing wallet.” 

    “The transaction patterns look like mixing because this wallet has multiple unknown tx inputs from one-time used wallets,” he said. But after further investigation, he replied again that it was a mistake.

    “I sincerely apologize for giving the wrong info,” Young Ju said in a message.

    Only a sophisticated user would notice this data about “the mixer” was described incorrectly and that the hack was not affiliated with any popular mixing wallets or software projects. Bálint Harmat, co-CEO of the Wasabi Wallet maker zkSNACKs, said, “We took a quick look at the addresses. They are not related to Wasabi CoinJoins as of now.” 

    Even using the same bitcoin addresses, experts may incorrectly interpret the data. Both Ma and the Samourai Wallet team described the bitcoin transactions as simple, sometimes even a single hop. In the end, all parties agreed there is no evidence of mixing.

    Broader implications

    As Twitter users struggle to regain full access to the platform and protect their data, there’s no way for the social media company to prioritize millions of issues at once. Legacy brands and celebrities may have the resources to manage public broadcasts but few citizen journalists do. 

    ClearSky’s Dolev said the most interesting implications of the attack won’t be related to bitcoin itself. It will be how this impacts the communications infrastructure on which so many markets, including crypto markets, rely.

    “We can learn a lot about what banks are doing to protect themselves from fraud, and there’s a lot of similarity between fraud and this type of action,” Dolev said. “We’ll have to see what Twitter is going to do to secure accounts and also what Facebook and other social networks will do as well.” 

    Will Foxley contributed reporting. 

    coindesk-twitter-hack-2560x854-03a

    Disclosure

    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.


    Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.