- Several massive Twitter accounts were hacked Wednesday by bitcoin scammers asking for money, claiming they would return senders double the amount in an effort to provide financial relief during the coronavirus pandemic.
- Compromised accounts included those of Barack Obama, Joe Biden, Kim Kardashian West, Kanye West, Jeff Bezos, Bill Gates, and Elon Musk.
- Hackers reportedly gained access to an internal tool by bribing a Twitter employee with money. They were then able to change emails associated with the accounts and reset passwords.
- The hack has prompted many to ask how general privacy and even United States national security could potentially be affected, with Senator Josh Hawley (R-MO) asking Twitter CEO Jack Dorsey to provide more information about the attack.
- Thursday, the FBI and the New York State Department of Financial Services both opened investigations into the hack.
Bitcoin Hackers Gain Control of Huge Accounts
Twitter suffered its largest hack ever on Wednesday, which some fear could have far-reaching national security implications.
In fact, on Thursday, the FBI opened an investigation into the hack. The same day, at the direction of Governor Andrew Cuomo, the New York State Department of Financial Services launched its own investigation.
“The Twitter hack and widespread takeover of verified Twitter accounts is deeply troubling and raises concerns about the cybersecurity of our communications systems, which are critical as we approach the upcoming presidential election,” Cuomo said.
The list of compromised accounts includes those of Kim Kardashian West, Kanye West, Elon Musk, Jeff Bezos, Apple, and Uber. It even includes those of former President Barack Obama and presumed Democratic presidential nominee Joe Biden.
Most of those accounts, which were all hacked near-simultaneously, tweeted some variation of the same message: “I am giving back to my community due to Covid-19! All Bitcoin sent to my address below will be sent back doubled. If you send $1,000, I will send back $2,000! Only doing this for the next 30 minutes! Enjoy.”
Shorter messages were posted on accounts like Kardashian-West’s.
Though it’s highly unlikely that such wealthy and high-profile figures would directly ask their followers for money in this way, the requests were coming from their personal, verified accounts (that is, accounts with the coveted blue checkmark next to their names). Thus, many fell for the scam, and hackers are estimated to have stolen as much as $120,000 as part of the scheme.
As the hack was happening and more verified accounts were compromised, Twitter became so worried that it did something unprecedented: it temporarily disabled all verified accounts from directly tweeting.
While that prevented hackers from continuing to post tweets asking for money, it also had some unintended consequences. For example, the National Weather Service in Lincoln, Illinois was tweeting about a severe thunderstorm at the time, and the verified account soon found itself unable to post updates. That forced it to resort to retweeting its bot account, which is not verified.
How Did the Hack Happen?
If reports about how hackers breached Twitter’s security system are true, that exposes massive security flaws at the company.
According to Motherboard, which is owned by Vice Media, hackers convinced a Twitter employee to help them hijack the targeted accounts. In fact, according to leaked screenshots and two anonymous sources who took over those accounts, Motherboard alleges that the employee in question was bribed into—at least indirectly—handing over an internal tool that allowed them to hack into the accounts.
“We used a rep that literally done all the work for us,” one of the sources told Motherboard.
In a statement on Wednesday evening, Twitter Support said, “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
According to a Twitter spokesperson who spoke to Motherboard, the company is also investigating whether that employee hijacked the accounts themselves or if they gave hackers access to the tools.
As to how those hackers actually gained access to the accounts, Alan Woodward, a cybersecurity expert at the University of Surrey, told Business Insider, “It looks like the way this was done was by using the tools inside Twitter to reset contact details and then trigger password resets.”
Essentially, those hackers likely gained access to the internal, high-level tools and then used them to change the email addresses associated with those accounts. From there, the hackers would have sent password reset requests to the addresses they now controlled, granting them full access to the accounts.
Such a strategy is difficult to counter (How many times have you reset your own password just because you couldn’t remember it?).
Twitter could always get rid of the internal tool that allows employees to reset passwords, but as Woodward noted to Business Insider, if the company did that, people might end up getting locked out of their accounts forever.
He suggested having Twitter require more than one employee to sign off on the password reset function.
“If you allow such tools to exist (and it’s difficult to see how you’d not) then the only way to stop them being misused by an individual is to have a process in place to make sure you need two people internally to make it function,” he said.
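The dual-control idea Woodward describes, written out as an added Python example (this is illustrative code, not Twitter’s internal tool; every employee name, account handle and email address is constructed). A contact-email change, the step that precedes the password reset, is only applied once a second employee, distinct from the requester, has approved it, and every step is recorded in an audit log so that a single-actor attempt shows up as a denied event:

```python
"""Two-person approval gate for a privileged account-recovery action.

Added illustration of a dual-control rule for an internal tool that can
change an account's contact email and thereby trigger a password reset.
Not Twitter's code: all names, handles and addresses below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


class ApprovalError(Exception):
    """Raised when a request lacks sign-off from a second, distinct employee."""


@dataclass
class ContactChangeRequest:
    request_id: str
    account: str          # target handle, e.g. "@example" (constructed)
    new_email: str
    requested_by: str     # employee who opened the request
    approved_by: Optional[str] = None
    applied: bool = False


@dataclass
class RecoveryTool:
    # constructed state: account handle -> current contact email
    contacts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)
    _requests: dict = field(default_factory=dict)

    def request_change(self, request_id: str, account: str,
                       new_email: str, employee: str) -> ContactChangeRequest:
        """Open a change request; nothing is modified yet."""
        req = ContactChangeRequest(request_id, account, new_email, employee)
        self._requests[request_id] = req
        self.audit_log.append(("requested", request_id, employee, account))
        return req

    def approve(self, request_id: str, employee: str) -> ContactChangeRequest:
        """Second-person sign-off; the requester may not approve their own request."""
        req = self._requests[request_id]
        if employee == req.requested_by:
            self.audit_log.append(("self_approval_denied", request_id, employee, req.account))
            raise ApprovalError("requester cannot approve their own request")
        req.approved_by = employee
        self.audit_log.append(("approved", request_id, employee, req.account))
        return req

    def apply(self, request_id: str) -> ContactChangeRequest:
        """Apply the change only when two distinct employees have signed off."""
        req = self._requests[request_id]
        if req.approved_by is None or req.approved_by == req.requested_by:
            self.audit_log.append(("denied", request_id, req.requested_by, req.account))
            raise ApprovalError("two distinct employees must sign off")
        self.contacts[req.account] = req.new_email
        req.applied = True
        self.audit_log.append(("applied", request_id, req.approved_by, req.account))
        return req


def single_actor_attempt(tool: RecoveryTool) -> bool:
    """A lone employee tries to reroute an account's email. Returns True if blocked."""
    tool.request_change("r-solo", "@example", "attacker@example.invalid", "rep_a")
    try:
        tool.approve("r-solo", "rep_a")      # self-approval is refused
    except ApprovalError:
        pass
    try:
        tool.apply("r-solo")                 # still unapproved, so refused
    except ApprovalError:
        return tool.contacts["@example"] == "owner@example.invalid"
    return False


def legitimate_recovery(tool: RecoveryTool) -> str:
    """Two distinct employees complete a genuine recovery; returns the new email."""
    tool.request_change("r-dual", "@example", "newowner@example.invalid", "rep_a")
    tool.approve("r-dual", "rep_b")
    tool.apply("r-dual")
    return tool.contacts["@example"]


if __name__ == "__main__":
    t = RecoveryTool(contacts={"@example": "owner@example.invalid"})
    print("single actor blocked:", single_actor_attempt(t))
    print("dual-control result:", legitimate_recovery(t))
    for event in t.audit_log:
        print(event)
```

The audit log is the detection side of the same control: a `denied` or `self_approval_denied` event for a high-value handle is exactly the signal a security team would want to alert on, whereas a plain single-person tool leaves no such trace.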
What Else Did Those Hackers See While in the Accounts?
The idea that hackers could make their way into the account of a former president or that of a major presidential candidate is scary in itself, but it also raises several key questions: What else did they see? What information did they manage to access?
For example, Twitter does not encrypt private messages. Anyone who logs into an account can see the messages sent to and from that account. That’s not to suggest Obama or Biden have something to hide, but such a fact is a gaping privacy concern.
As Woodward noted, even for regular users, there’s currently no way to defend themselves against this type of attack.
But it’s not just privacy. The people behind the accounts that were hacked have massive influence and sway. While his account did not appear to be hacked in this attack, many have raised concern about what kind of power hackers could exert if they were able to commandeer President Donald Trump’s Twitter account.
On top of being the leader of the country, Trump is frequently known to attack political enemies—including foreign leaders. Many, including Senator Josh Hawley (R-MO), fear the national security implications Trump’s Twitter account could pose in the wrong hands.
“I am concerned that this event may represent not merely a coordinated set of separate hacking incidents but rather a successful attack on the security of Twitter itself,” Hawley said in a letter to Twitter CEO Jack Dorsey as the attack was unfolding.
“As you know, millions of your users rely on your service not just to tweet publicly but also to communicate privately through your direct message service. A successful attack on your system’s servers represents a threat to all of your users’ privacy and data security.”
Hawley asked Dorsey to provide detailed information on the attack, including information regarding Trump’s account.
“Did this attack threaten the security of the President’s own Twitter account?” Hawley asked in a series of questions.
So far, it is unknown how or if Dorsey has responded to Hawley, though Dorsey did make a personal statement on Wednesday.
“Tough day for us at Twitter,” Dorsey said. “We all feel terrible this happened. We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened. [Love] to our teammates working hard to make this right.”
This isn’t the first time the accounts of high-profile names have been hacked on Twitter. In fact, even Dorsey’s account was hacked last year. That same hack also targeted other massive online personalities, including James Charles and Shane Dawson.
See what others are saying: (Business Insider) (Axios) (The Verge)
Authorities Accuse 17-Year-Old of Orchestrating July’s Massive Bitcoin Twitter Hack, Teen Has More Than $3M in Bitcoin
- Three people were charged on Friday in connection with a massive Twitter bitcoin hack in July that compromised dozens of high-profile accounts, including those of Kim Kardashian-West, Kanye West, and former President Barack Obama.
- Among those charged was 17-year-old Graham Ivan Clark who reportedly stole nearly $180,000 and is being described as the mastermind behind the attack.
- On Sunday, the Tampa Bay Times reported that Clark has over $3 million in bitcoin, and prosecutors believe that money was also obtained illegally.
- This is not Clark’s first run-in with authorities. Last year, they seized cash and $700,000 in bitcoin in a criminal investigation, though he was never charged.
17-Year-Old “Mastermind” Arrested
In news that would otherwise appear to come straight from a best-selling young adult heist novel, a 17-year-old Florida teen has been charged as the “mastermind” behind Twitter’s largest hack ever. Reportedly, he’s also worth $3 million in bitcoin.
That hack, which happened on July 15, successfully infiltrated dozens of high-profile accounts, including those of Kim Kardashian-West, Kanye West, Elon Musk, Jeff Bezos, former President Barack Obama, and presumptive Democratic presidential nominee Joe Biden. It also attacked the Twitter accounts of companies like Apple and Uber.
All of those accounts then tweeted out some variation of the same message: “I am giving back to my community due to Covid-19! All Bitcoin sent to my address below will be sent back doubled. If you send $1,000, I will send back $2,000! Only doing this for the next 30 minutes! Enjoy.”
On Friday, state authorities arrested 17-year-old Graham Ivan Clark in Tampa, Fl. Though he reportedly lives alone and is a recent high school graduate, Clark is still a minor, which is why he was not arrested by federal officials. He will be tried as an adult.
Clark faces 30 different felonies, including 17 counts of communications fraud and one count of fraudulent use of personal information (over $100,000 or 30 or more victims).
On July 16, the Federal Bureau of Investigation announced it was opening an investigation into the hack. The same day that Clark was arrested and charged, two others were charged by federal agents.
One of those men, 22-year-old Nima Fazeli of Orlando, Fl., has been arrested by federal agents. The other, 19-year-old Mason John Sheppard of the United Kingdom, still hasn’t been arrested but the FBI is expecting him to be taken into custody soon.
How Clark Hacked Twitter
Despite many details around Clark being restricted because he is a minor, a criminal affidavit from Florida has still revealed some of the specifics behind how that attack happened.
According to that affidavit, Clark gained access to a portion of Twitter’s network on May 3. Reportedly, this happened after Clark convinced a Twitter employee that he was also an employee in the technology department. He then told the real employee that he needed their credentials to access the customer service portal.
From there, the affidavit jumps to July 15, and it’s not clear what happened in between, but according to ZDNet, “it appears Clark wasn’t immediately able to pivot from his initial entry point to the Twitter admin tool that he later used to take over accounts.”
In fact, according to The New York Times, he only got access to those credentials after he found a way into Twitter’s internal Slack workspaces and saw them posted there.
Still, that alone was not enough for him to make his way past Twitter’s two-factor authentication. Likely, he maneuvered around that through what Twitter called a “phone spear phishing attack.”
“The attack on July 15, 2020, targeted a small number of employees through a phone spear phishing attack,” Twitter Support said on Thursday. “This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.”
The affidavit accuses Discord user Kirk#5270, believed to be Clark, of initiating the attacks.
“I work for Twitter,” Kirk said in a chatroom on July 15. “I can claim any @. Let me know. Don’t tell anyone.”
Soon after, Sheppard and Fazeli joined under separate usernames of their own, and the three reportedly began selling access to Twitter accounts.
However, this attack is different from the one that targeted personalities like Kim K. Instead, this attack focused on stealing short handles like @drug, @xx, @vampire.
By the end of it, Kirk was accused of netting around $33,000 in bitcoin. Sheppard is accused of acquiring around $7,000 in bitcoin. Fazeli is accused of having worked in cooperation with the two in exchange for a Twitter handle he wanted.
From here, the criminal complaints against Sheppard and Fazeli end. Of course, that wasn’t the end of the attack. Later that same day, the main hack against numerous high-profile figures began.
By the end of that, Clark had reportedly stolen around $177,000 from both attacks.
How the 17-Year-Old “Mastermind” Got Caught
If the first part of their plan went off without a hitch, the latter half did not. The alleged criminals reportedly failed to hide their real identities and scrambled to hide their stolen money once the hack went public. Such mistakes led to a quick discovery of their identities by law enforcement.
Clark himself has faced legal trouble before, as well.
According to the Tampa Bay Times on Sunday, he has 300 bitcoin, making him worth more than $3 million. Prosecutors have argued that most, if not all, of that money was likely illegally obtained, though Clark’s attorney has denied that claim.
Last year, Clark was the subject of a criminal investigation in which authorities seized $15,000 in cash and 400 bitcoin. Ultimately, Clark was never charged, and prosecutors returned 300 bitcoin to him.
While July’s Twitter hack stirred up significant (and justified) fear over just how easy it was for hackers to target users, as of now, it is unknown if this hack had any more sinister intentions outside of stealing money.
See what others are saying: (Tampa Bay Times) (ZDNet) (WIRED)
James Charles, Tana Mongeau, and Erika Costell Apologize for Attending Parties During Pandemic
- YouTube and TikTok personalities have recently come under fire for attending parties during the ongoing coronavirus pandemic.
- After much backlash online for attending a party last week, YouTuber James Charles issued a text apology within a new video, calling it a “selfish and stupid decision.”
- Viral footage from Tana Mongeau’s social media showed her and Erika Costell at another party Saturday, saying “We don’t care!” which many interpreted as their stance on the pandemic.
- Both later issued text apologies for attending parties and clarified that the comment was in reference to suspected drama between them.
Influencers Just Want to Party
Influencers James Charles, Tana Mongeau, and Erika Costell have issued apologies for attending parties during the coronavirus pandemic after widespread backlash.
On July 21, an estimated 70 people gathered at a Hollywood Hills home to celebrate Hype House member Larray Merritt’s birthday. Influencers in attendance included James Charles, Tana Mongeau, Nikita Dragun, and the D’Amelio sisters.
The guests were widely criticized for ignoring social distancing recommendations and not wearing face masks after fans and fellow creators saw photos and videos of the party online. Despite the online backlash, most creators were silent about being involved with the party; only Larray issued a quick apology.
James Charles Apology
Photos of the event showed James Charles ignoring social distancing guidelines and not wearing a mask. Most of these images have since expired from his Instagram story, but on Twitter, he still has a photo up with the caption, “uhh, I think this is the best paparazzi photo I’ve ever taken oh my god.”
It wasn’t until Saturday, after delaying a video he was supposed to have released on Friday, that he finally broke his silence on the matter.
Saturday’s video is titled “A Day in the Life of James Charles,” and shows what the title suggests. Around 17 minutes in, there’s footage of James in an Uber, wearing a mask on his way to the party. The video also shows him at the party wearing a mask, albeit ignoring social distancing.
Then the video cuts to the following message, “Hi sisters! I decided to cut the party footage from the video. Even though I have been wearing a mask in public and have tested negative multiple times, going to a party during a pandemic was a selfish & stupid decisions. People’s safety and keeping COVID-19 contained is FAR more important than celebrating a friend’s birthday and unsafe partying is not something I want to promote to my audience.”
“I recognize that with my platform comes responsibility,” he continued, adding, “and I encourage you guys to be smarter than I was – Wear your masks and continue to social distance. Love you.”
The message stays on screen for 12 seconds before showing footage of James speaking with paparazzi while standing outside of the party.
His apology for attending the party was met with severe backlash online.
“James Charles apology is bs. He knew what he was doing when he went and he knew he shouldn’t go but he didn’t care. He’s only apologizing because he got in trouble and the same with everyone else apologizing,” wrote one user, Destiny Lopez (@deslo11), on July 25, 2020.
However, there were people who defended the YouTuber. “Y’all just an excuse to hate, nothing ever pleases you all, he could’ve made a 1 hr long apology and y’all still would have been shitting on him, he messed up… but seriously don’t we all ?? Stop acting like you’re some perfect angels, and let people learn from their mistakes xo,” wrote gisselle 🦋 (@gxssxllxv) on July 26, 2020.
One Party Is Bad Enough…
While James faced critiques over attending Larray’s party, Tana has received particular backlash for attending at least three parties during the pandemic: one at Jake Paul’s home, Larray’s birthday bash, and another party on Saturday.
Outrage against her grew after an Instagram story she posted with Erika Costell on Saturday made it seem like the two were making light of the pandemic. In the now-expired Instagram live story, the two can be heard saying, “Listen, we don’t fucking care.”
The video quickly caused outrage, and users wrote things like, “Nobody is surprised at the fact that tana mongoose is out there partying everyday day and instead of posting an apology shes out there saying “we dont fucking care” during a whole ass pandemic.”
It’s worth noting, though, that many pointed out that both women were involved with Jake Paul, leading to theories that the post was actually about that.
The confusion was clarified on Sunday night, when Costell tweeted, “Hey guys – I just want to apologize for the video that was posted last night on Tanas Instagram story. The comment we made was NOT intended as it was perceived. Saying “we don’t care” was about our previous “beef”. It was in no way related to the COVID-19 pandemic we are in.”
She went on to add that she understands why people were offended, calling her attendance “careless and stupid.”
“I am truly sorry to anyone I let down or upset in any way & I fully take accountability for my actions,” she added.
A few hours later, Tana followed up with her own apology on her Instagram story.
“Partying/going to any social gatherings during a global pandemic was such a careless and irresponsible action on my behalf. I fully hold myself accountable for this + will be staying inside,” she wrote.
“Actions like that don’t deserve a platform and I want to fully apologize and be better than this. I’m sorry. While Erika and I were referring to past drama in our video the topic no longer matters – I need to be a example and person.”
While many appreciated that an apology and explanation was finally given, not everyone was buying it. Many pointed out that Tana is constantly giving apologies over the various controversies that she seems to find herself in. YouTuber Elijah Daniel directly called out Tana and Erika for partying, and later added that he was fed up with influencers constantly apologizing and not actually changing.
“hi influencers caught partying, this video is for you. spread this to your fans on ALL of your platforms (since you don’t mind spreading things!), then self quarantine for 14 days and come back and we will consider even reading your apologies.”
US Army Suspends Twitch Streaming Amid Recruitment Concerns and Free Speech Controversies
- The U.S. Army has faced substantial blowback for banning Twitch users asking about war crimes on its eSports channel, a move that potentially violates free speech laws.
- The criticism has been so intense that the Army has now paused streaming on its Twitch channel, which it uses as a recruitment method.
- Also on Wednesday, Representative Alexandria Ocasio-Cortez (D-NY) filed a measure that aims to completely block the military from using Twitch to recruit.
- Separately, the Army has come under fire for seemingly hosting a fake giveaway that linked to a recruitment page. Twitch ultimately forced it to remove that giveaway, but the Army maintains that it was a legitimate giveaway.
Army Suspends Twitch Streaming
The United States Army has hit pause on the Twitch channel for its eSports team as of Wednesday, following mounting concerns that it has repeatedly violated First Amendment free speech laws by banning viewers who ask about everything from U.S. war crimes to Eddie Gallagher.
The news of the Army’s banning practice gained traction on July 8 when activist Jordan Uhl posted a clip of him asking about war crimes during a stream on the channel. Notably, the channel is used as a way for the Army to promote recruitment and talk with viewers about life in the military.
“What’s your favorite U.S. w4r cr1me?” Uhl asked after learning that “war crime” was already a banned phrase on the channel.
Uhl also posted a link in the chatbox to the Wikipedia page for U.S. war crimes. He was then banned.
“Have a nice time getting banned, my dude,” said Army recruiter and gamer Joshua “Strotnium” David.
On Saturday, Uhl was again banned for asking similar questions, this time on the Twitch channel for the Navy’s eSports team. Reportedly, others asking similar questions were also banned during that stream.
On Wednesday, the Knight First Amendment Institute then demanded that the Army and Navy change their banning practices. It also asked the Army to restore access for not only Uhl but also for 300 others who have been banned for similar comments.
“When the government intentionally opens a space to the public at large for expressive activity, it has created a ‘public forum’ under the First Amendment, and it cannot constitutionally bar speakers from that forum based on viewpoint,” the Institute said in a letter to the two branches.
Later that same day, the Army announced it would suspend streaming on Twitch to “review internal policies and procedures, as well as all platform-specific policies.”
Still, a spokesperson for the Army has maintained that the branch did not violate free speech laws, arguing that people like Uhl were banned because the term “war crimes” is “meant to troll and harass the team.”
AOC Files Measure to Block the Military from Twitch
Also on Wednesday, Representative Alexandria Ocasio-Cortez (D-NY) announced plans to file an amendment that would block the military from using video games and esports as recruitment methods.
“It’s incredibly irresponsible for the Army and the Navy to be recruiting impressionable young people and children via live streaming platforms,” Ocasio-Cortez said.
“War is not a game,” she added while pointing to the Marine Corps, which is the only branch of the U.S. military that has refused to form an esports team.
For its part, the Marine Corps has said it does not want to “gamify” combat, since it is a military agency that deals in combat.
“The Marine Corps’ decision not to engage in this recruiting tool should be a clear signal to the other branches of the military to cease this practice entirely,” Ocasio-Cortez said.
Is the Army Violating the First Amendment on Twitch?
Uhl has maintained that he wasn’t simply trying to troll the Army eSports Team; rather, he said the reason he asked questions about war crimes was because he had heard rumors of people receiving bans by the Army and Navy for broaching such topics on their Twitch channels.
“Was I undiplomatic? Sure,” Uhl said in an article posted on The Nation. “But if the military is going to use one of the world’s most popular platforms to recruit kids, then it shouldn’t be able to do so without some pushback. Right now, with the support of Twitch, gamers with the US military are spending hours with children as young as 13, trying to convince them to enlist.”
“While members of military e-sports teams offer the regular gaming skill set, they’re also on-screen talent and recruiters,” Uhl said. “Instead of approaching a recruiter behind a table in a school cafeteria, kids can hang out with one who is playing their favorite video games and replying to their chat messages for hours on end.”
While a normal Twitch streamer can generally moderate their channel however they want, public forums hosted by the government must abide by free speech laws. In fact, there’s even legal precedent to support this.
For example, in June 2019, a federal appeals court ruled that President Trump can’t block critics from his Twitter account because it constitutes a public forum.
Despite that, in a statement, the Army originally argued that it banned Uhl because he had violated Twitch’s harassment policies.
“Team members are very clear when talking with potential applicants that a game does not reflect a real Army experience,” a spokesperson said following the July 8 incident. “They discuss their career experiences in real terms with factual events.”
“Team members ensure people understand what the Army offers through a realistic lens and not through the lens of a game meant for entertainment,” the spokesperson added. “This user’s question was an attempt to shift the conversation to imply that Soldiers commit war crimes based on an optional weapon in a game, and we felt that violated Twitch’s harassment policy.”
That spokesperson also went on to defend the Army by noting that it offers multiple career paths and that “the goal of the Army eSports Team is to accurately portray that range of opportunities to interested youth.”
Despite that, the statement quickly drew the ire of the American Civil Liberties Union, which responded on Twitter by saying, “Calling out the government’s war crimes isn’t harassment, it’s speaking truth to power. And banning users who ask important questions isn’t ‘flexing,’ it’s unconstitutional.”
US Army Caught Seemingly Offering Fake Giveaways
In addition to free speech concerns, the Army has also found itself defending its recruitment practices on the platform.
Last week, Uhl accused the branch of “repeatedly” presenting viewers “with an automated chat prompt that says they could win an Xbox Elite Series 2 controller… and a link where they can enter the ‘giveaway.’”
However, upon clicking that link, Uhl said he was redirected to a recruiting form with no additional information on the “contest, odds, total number of winners, or when a drawing will occur.”
“The Army esports team routinely points viewers as young as 13 to this page with “Register To Win!” at the top in all caps. In some cases, they claim you can win a $200 controller. The form is actually a recruiting form. https://t.co/Vk1mC7bn5U” wrote jordan (@JordanUhl) on July 15, 2020.
The news prompted outrage among streamers and game developers who urged Twitch to take action against the Army’s esports channel.
On Thursday, Twitch finally responded, telling Kotaku that it had forced the Army to stop advertising that giveaway, saying, “This promotion did not comply with our Terms, and we have required them to remove it.”
Since then, an Army representative has said that, despite transparency issues, a legitimate giveaway system had been in place.
“Each giveaway has its own URL and marketing activity code that directly connect the registrant to the specific giveaway,” the rep said. “An eligible winner is selected at random, and the prize is given out. Twitch asked our team to remove the giveaway for lack of transparency, and they did. The team is exploring options to use platforms for giveaways that will provide more external clarity.”