In brief
- A recent Twitter hack saw high-profile accounts taken over and used to tweet a Bitcoin scam.
- The scam invited victims to send Bitcoin to an address in order to double their money.
- It’s one of a number of similar scams that have been perpetrated, using similar techniques.
When Twitter was hacked recently, it was to engineer a Bitcoin scam on a scale never before seen. Accounts owned by celebrities, politicians, large organizations, and crypto exchange leaders such as Binance’s Changpeng Zhao were all compromised by hackers, who then used their accounts to scam people out of their Bitcoin holdings.
There’s still no official verdict on how exactly the hack took place, but Mikko Hyppönen, chief research officer at cybersecurity firm F-Secure, shared one possible explanation with Decrypt:
“We believe the unknown attackers used a social engineering attack against key Twitter employees,” he explained. “They gained access rights, credentials or remote access to Twitter's internal systems and tools. That effectively made them gods on Twitter; they could do anything.”
We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
— Twitter Support (@TwitterSupport) July 16, 2020
Regardless of how the attack took place, its instigators made off with at least $120,000 worth of Bitcoin. While we hopefully won’t see a scam of this magnitude take place again, similar scams remain commonplace online, raking in some $24 million this year alone.
How to keep your Bitcoin safe from scams
The scale of the recent Twitter hack may have been unprecedented, but the actual mechanics of the scam are familiar: a celebrity invites you to send Bitcoin to a particular address, promising to double your money.
The good news is that there’s an incredibly effective way to guarantee that your Bitcoin is safe from these scams—and the answer is, perhaps unsurprisingly, common sense.
Take the message sent out by Kanye West’s account, which stated that, “I am giving back to my fans. All Bitcoin sent to my address below will be sent back doubled. I am only doing a maximum of $10,000,000.”
Given Kanye’s long history of… unusual tweets, you could be forgiven for thinking that the eccentric rapper and one-time Presidential candidate was telling the truth. But the message boils down to an unlikely premise: that a wealthy individual, in a fit of largesse, is simply giving away free money.
In the same manner in which you’d (hopefully) never send money in response to an email from a Nigerian prince, exercising caution is your number one defense. “Normal Twitter users are safe from this attack—except if they fell for the scams,” Hyppönen explained. “Listen, nobody is going to give you free money if you first send them money. Not even Bill Gates. If something seems too good to be true, it's never true. Especially on the Internet.”
Indeed, a cursory look at some of the personalities caught up in the attack would be enough to cast doubt on the claims made in their hijacked tweets. Elon Musk, one of those whose Twitter account was compromised, owns just 0.25 BTC. Democratic Presidential candidate Joe Biden, another victim of the hack, subsequently tweeted that he doesn’t own Bitcoin, “and I’ll never ask you to send me any.”
However, scammers can use other tricks to appear bona fide. One Reddit user recently shared a false campaign in which Bill Gates was purportedly promising to double Bitcoins sent to a nefarious address. Worryingly, the ad for the scam was actually served on Google’s own ad platform, lending it a veneer of legitimacy. “Sites like Twitter and Google have a really hard time filtering out all the badness,” said Hyppönen. “The amount of traffic on these systems is just amazing, and the ways users can get scammed are endless. It's just not an easy job to do.”
A secondary line of defense is provided by exchanges themselves, which take extra precautions to warn users of any suspicious activity. “We have taken steps now and in the past to blacklist the address[es] and we show customers a scam warning dialog box if they're about to send money to a known scam address,” Roopa Ramaiya, head of PR and communications at London-based exchange Luno, told Decrypt. Like other exchanges such as Binance, Luno also provides advice on how to avoid scams.
Locking down your cryptocurrency
Although the recent Twitter Bitcoin scam relied on psychology to trick crypto owners into parting with their coins, rather than directly hacking their wallets, it’s still worth taking additional steps to keep your Bitcoin safe.
Unless you’re actively trading crypto online, it’s best to avoid leaving your cryptocurrency on an exchange. Although many exchanges have insurance, the safest place you can leave your coins is in a wallet that you hold the private keys to.
If you want to go a step further than a desktop or smartphone wallet, you can also use dedicated crypto hardware wallets, made by companies such as Ledger, Trezor and SecuX.
“Compared with a software wallet, hardware wallets hold your private keys offline for most of the time,” Woody Cheng, a spokesperson at SecuX, explained. “In addition, a hardware wallet with a secure element can enhance the protection from any physical or online attacker.”
As most people invest in crypto and hold assets for a long time, he added, “I would strongly advise all crypto investors to use a hardware wallet to hold their long term investments in an environment isolated from the Internet and hackers.”