pull down to refresh

@daily_btc_lore | Daily Bitcoin History Threads

July 15, 2020 | 6 years ago today

The Day Teenagers Hijacked Twitter's God ModeThe Day Teenagers Hijacked Twitter's God Mode


The BreachThe Breach

On July 15, 2020, the largest social media security breach in history unfolded in a single afternoon. One hundred and thirty high-profile Twitter accounts were compromised: Barack Obama, Joe Biden, Elon Musk, Bill Gates, Jeff Bezos, Warren Buffett, Michael Bloomberg, Kanye West, Apple, Uber, CashApp. All of them, in a matter of hours, commandeered to post the same message: send Bitcoin to this address and receive double back.

The attackers never touched a line of code.

The Phone Call That Broke TwitterThe Phone Call That Broke Twitter

The technique is called vishing, short for voice phishing. The crew called Twitter employees directly, posing as internal IT support staff. The goal was simple: convince someone to hand over credentials for Twitter's internal VPN. It worked. A few convincing phone calls later, they were inside the corporate network.

Once in, they found something extraordinary: an internal support panel the security community would later call "Agent Tools." It was designed so that Twitter's support staff could help users recover locked accounts or reset credentials. It could override the security settings of any account on the platform. Swap the registered email address. Disable two-factor authentication. Hand full control to whoever was sitting at the keyboard. The panel was not exotic. It was used daily. And it had just been handed to teenagers.

OG Handles and an Escalating PlanOG Handles and an Escalating Plan

These were not nation-state actors. They came from an underground subculture built around trading rare, short Twitter handles: usernames like @y, @6, or @b that carried prestige in gaming communities and sold for thousands of dollars. The crew's original plan was to use Agent Tools to seize coveted handles and flip them.

Then someone escalated. After testing takeovers on lower-profile accounts to confirm the access was real, they turned to the biggest accounts on the platform. Around 8 PM UTC on July 15, the first celebrity scam tweet went out from Elon Musk's account. Then Obama. Biden. Gates. Bezos. Buffett. Bloomberg. Kanye. Apple. Uber. CashApp.

The ChaosThe Chaos

Twitter's response was extraordinary in its own right. Unable to identify and revoke the intruder's access in real time, the platform locked every verified account on Earth out of tweeting. For hours, the most prominent voices in politics, business, and culture sat in forced silence while engineers scrambled to contain the breach.

Of the 130 accounts targeted, 45 were used to post scam tweets. Thirty-six had their private direct messages accessed. Seven had their full account data downloaded. More than 400 Bitcoin transactions flowed into the scam wallets, totaling just over $100,000.

The $100,000 QuestionThe $100,000 Question

Sit with the arithmetic. These teenagers had temporary control of the accounts of a former US president, a sitting presidential nominee, and several of the wealthiest people alive. They could have posted a fabricated military announcement, moved financial markets, or triggered a geopolitical incident. They ran a double-your-Bitcoin scam and netted $100,000.

The gap between the access they had and the use they made of it is one of the stranger footnotes in the history of cybercrime.

How Bitcoin Caught ThemHow Bitcoin Caught Them

The choice of Bitcoin as the payment method turned out to be their most consequential mistake. Every transaction that flowed into the scam wallets was recorded permanently on a public ledger. Blockchain analysts traced the flows within hours of the hack. When the crew attempted to convert their Bitcoin to cash through exchanges, KYC verification checks flagged the transactions. The ledger they had assumed was anonymous had become a detailed evidence trail pointing directly to their identities.

The ArrestsThe Arrests

Sixteen days after the hack, Graham Clark, a 17-year-old in Tampa, Florida, was arrested. Known online as "Kirk," he had operated the Agent Tools panel and recruited the rest of the crew. Despite his age, he was charged as an adult in Florida, facing 30 felonies. He pleaded guilty and was sentenced to three years in prison followed by three years of probation.

His associates followed. Mason Sheppard, 19, from Bognor Regis in the UK, operated under the aliases "Chaewon" and "Ever So Anxious." He had brokered access to OG handles between Clark and buyers. Nima Fazeli, 22, from Orlando, known as "Rolex," facilitated account sales. Joseph O'Connor, 22, a British citizen who went by "PlugwalkJoe," had originally pushed for specific OG handles. He faced additional charges including SIM swapping, cyberstalking, and sextortion, and was sentenced to five years in prison in 2023.

The Krebs on Security investigation laid out the case within days of the arrests.


Part of an ongoing series on Bitcoin history. Follow @daily_btc_lore on X for daily threads.

I wonder happened to all of them!

reply

Thats an interesting question...

reply