This article was published on July 15, 2020

Hackers take over Obama, Musk, Apple, and dozens more Twitter accounts in massive Bitcoin scam

A more bizarre day on Twitter than usual


Hackers take over Obama, Musk, Apple, and dozens more Twitter accounts in massive Bitcoin scam

It’s a more bizarre day on Twitter than usual. The Twitter accounts of several prominent companies and celebrities — including Obama, Biden, Uber, Apple, Musk, and others — were illicitly commandeered today, in an apparent effort to scam some of their millions of followers out of their hard-earned bitcoin. It’s by far the most widespread Twitter hack we’ve seen, even if the accounts were quickly restored to normal.

The messages varied in their exact wording, but generally followed a similar format: For example, Elon Musk’s tweet read:

Feeling greatful, doubling all payments sent to my BTC address!

You send $1,000, I send back $2,000!

Only doing this for the next 30 minutes.

bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh”

All tweets featured the same Bitcoin address. Meanwhile, several accounts for major cryptocurrency companies featured fake tweets announcing a partnership with an organization called ‘Crypto for Health.’ Naturally, this link pointed to the same scam.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

Seriously, the list reads like a who’ s who of famous people, companies, and cryptocurrency-related services. So far we’ve been able to identify at least these accounts as having posted fraudulent tweets:

  • Barack Obama
  • Elon Musk
  • Apple
  • Joe Biden
  • Bill Gates
  • Wiz Khalifa
  • Warren Buffet
  • Uber
  • Jeff Bezos
  • MrBeast
  • Floyd Mayweather
  • ‘God’ (@TheTweetOfGod)
  • Mike Bloomberg
  • XXXTentacion
  • Kim Kardashian
  • CoinDesk
  • Gemini
  • Gate.io
  • Cash App
  • Binance
  • CZ_Binance
  • Tron
  • Justin Sun
  • Ripple
  • Charlie Lee
  • Coinbase
  • Coindesk

Despite their rapid removal, several tweets were captured in the Wayback Archive and Google search results:

Presumably, most or all of these accounts are using two-factor authentication, which makes this hack particularly troubling. As noted by several security researchers on Twitter (via TechCrunch), hackers seemed to fully hijack the accounts, even changing the emails associated with at least some accounts to make them harder to recover.

Though we can’t tell for sure given the blocked out characters, the hackers appear to have changed the recovery addresses to emails from encrypted email service ProtonMail. That could certainly complicate investigation efforts, considering the service prides itself on the fact that even it “cannot decrypt and read your emails.”

While it’s hard to imagine such blatantly scammy messages would lead to much profit for the scammers, the wallet address does, in fact, show transactions are happening. As pointed out by Twitter user @RMac18, the wallet is active, although it’s not clear how many of the transactions are from people who have been duped versus from the scammers themselves, in an attempt to make the address appear legit:

Twitter, for its part, says it is investigating:

And while it’s probably a good idea to change your Twitter login info if you’re a public figure, Twitter warns that you might not be able to access all app functions while it figures out what happened:

Developing: Refresh for updates…

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with