The hacker's actions are reminiscent of many other incidents involving social media sites and cryptocurrency, but for Twitter users, the reputational risks can be significant.
First Published 30th July 2020
Scam at scale.
4 min read | Reflare Research Team
As dozens of high-profile Twitter accounts started tweeting out Bitcoin scams last week, many media outlets rushed to report on the hack itself and speculations about the attackers. While that reporting is doubtlessly valuable, we see even greater value in a post-mortem analysis to see what ended up being true, what the hack tells us about Twitter’s internal workings, and what the large-scale implications of the breach may be.
What happened?
At the point of writing, the following facts are clear enough for us to state as the likely truth:
On July 16th, several dozen high-profile Twitter accounts suddenly started tweeting out Bitcoin scams. The initial scam seems to have netted the attackers just over USD 100k in revenue. Twitter was quick to react and went as far as temporarily preventing high-profile accounts from tweeting.
Several people who claimed to be behind the attack gave an interview to Motherboard 24 hours later. In said interview, they claim that an insider performed the attack for them and that one or several Twitter employees were paid off. While responsibility for attacks is often claimed fraudulently, the screenshots and in-depth knowledge provided by the people talking to Motherboard lead us to believe their authenticity at this point in time.
In addition to the Bitcoin scam tweets, the attackers appear to have also accessed and copied large amounts of private messages from affected Twitter accounts.
What does this tell us about Twitter?
The attack and the leaked screenshots provided to Motherboard confirmed several rumoured administration features used by Twitter. For one, moderators appear to be able to blacklist certain accounts from appearing in trending topics or search results. Twitter has been relatively open about these moderating practices but that information does not appear to have been widely known outside of the tech community.
Since what is visible on Twitter determines what its users perceive as consensus reality, such moderation practices are always controversial.
Secondly, the fact that a small number or potentially even a single insider could take over a large number of high-profile accounts indicates that Twitter does not have solid controls on their moderators. In most infosec settings, high-risk data can only be accessed by several individuals at once - precisely to prevent a rogue inside actor from performing attacks like this one.
While the current attackers seem to have been after short-term financial gain and fame, it is hard to tell if - and to what degree - morally questionable behaviour by Twitter moderators is a common occurrence. If moderators have - as it seems - unfettered access and can make unilateral decisions about banning, removing, accessing, or blacklisting accounts that do not require secondary approval, then it is very likely that at least some moderators will abuse that privilege.
What is the larger picture?
Whether we like it or not, Twitter has a disproportionate impact on news, culture, and politics. While the site only has 126 million daily active users, these users are disproportionately likely to be politicians, journalists, activists, celebrities, and other thought leaders. What is visible on Twitter, therefore, has an impact on what is discussed in society. Be it because Twitter acts as the reference frame of normality for a journalist researching an article or because a politician announces new legislation in a Tweet before even filing paperwork.
The high level of access that moderators appear to have, and the perceived low level of overall security are both very concerning. After all, in the current political climate, a tweet could conceivably lead to deaths or even war. The fact that both malicious attackers and individual Twitter moderators appear to be able to - if they so wish - fabricate such tweets presents a grave risk.
Combined with ongoing coordinated disinformation campaigns by state actors, the risk surface of Twitter in particular and social media, in general, is set to increase further over the coming years. We cannot predict how communities will choose to handle the destabilizing effects of attacks on social media, but we will likely see some form of regulation - either through legal or social means - in the coming years.