Social engineering | Resolved

Twitter Bitcoin scam and admin-tool compromise

Attackers used phone spear-phishing against Twitter employees to reach an internal admin 'agent' tool, hijacked 130 high-profile accounts including Obama, Musk, Bezos, and Apple, and posted a Bitcoin-doubling scam that netted roughly $118,000.

Victim: Twitter, Inc.
Loss: $118.0K
Users affected: 130

On 15 July 2020, attackers seized control of 130 high-profile Twitter accounts — including those of Barack Obama, Joe Biden, Elon Musk, Jeff Bezos, Bill Gates, Apple, and Uber — and used them to post a Bitcoin-doubling scam. The compromise did not come through a software vulnerability. It came through people: a targeted social-engineering campaign that gave a small group of young attackers access to Twitter's most sensitive internal tool.

What happened

Beginning 14 July 2020, the attackers ran a phone spear-phishing campaign. They scraped LinkedIn and used recruiter tools to identify Twitter employees with administrative access and obtain their phone numbers, then called them impersonating Twitter IT help-desk staff. Victims were directed to a convincing fake VPN/single-sign-on portal, where the attackers harvested their credentials and captured multi-factor-authentication codes in real time.

With valid employee access, the attackers reached Twitter's internal "agent" admin tool — software that let support staff change account-level settings, including the email address tied to an account. By swapping the registered email and disabling protections, they could take over any account and reset access.

The scam

Between roughly 20:00 and 22:00 UTC on 15 July, 45 of the 130 targeted accounts tweeted variations of a message promising to double any bitcoin sent to a given wallet, often framed as COVID-19 charity. Victims sent approximately $118,000 worth of bitcoin before the wallets were widely flagged; the exchange Coinbase blocked a further ~$280,000 in attempted transfers.

Beyond the tweets, the intrusion exposed private data: the attackers accessed the direct-message inboxes of 36 accounts and downloaded the full Twitter data archive for 8 accounts, including the account of a member of the Dutch parliament.

Response and consequences

Twitter took the drastic step of temporarily blocking all verified accounts from tweeting while it locked down the admin tool and investigated. On 31 July 2020, U.S. and Florida prosecutors charged three individuals: Graham Ivan Clark (17), who orchestrated the attack and was regarded as its mastermind; Mason Sheppard ("Chaewon," 22); and Nima Fazeli ("Rolex," 19). Clark pleaded guilty as a youthful offender in March 2021 and was sentenced to three years in prison.

The New York Department of Financial Services published a detailed report concluding that Twitter lacked adequate access controls, monitoring, and a dedicated CISO, and that the company's internal tooling granted broad, loosely-governed power over the platform.
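The monitoring gap the NYDFS report describes can be narrowed with a simple rule over the admin tool's own audit trail: a support agent who swaps registered emails or disables MFA on many distinct accounts within minutes is behaving like an account-takeover campaign, not like normal support work. The code below is an added example, not Twitter's code or anything from the report; it assumes a hypothetical JSON-lines audit log with `ts`, `agent`, `action` and `account` fields, and the action names `set_email` and `disable_mfa` are likewise assumed.

```python
# Added example: flag support agents who perform takeover-capable actions
# (email swap, MFA disable) on many distinct accounts in a short window.
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

TAKEOVER_ACTIONS = {"set_email", "disable_mfa"}

# Constructed sample log (hypothetical schema, not Twitter's): one agent
# touches four accounts in eight minutes; another makes two changes hours apart.
SAMPLE_LOG = """\
{"ts":"2020-07-15T19:41:02Z","agent":"agent_17","action":"view_profile","account":"acct_1001"}
{"ts":"2020-07-15T19:52:10Z","agent":"agent_17","action":"set_email","account":"acct_2001"}
{"ts":"2020-07-15T19:53:30Z","agent":"agent_17","action":"disable_mfa","account":"acct_2001"}
{"ts":"2020-07-15T19:55:41Z","agent":"agent_17","action":"set_email","account":"acct_2002"}
{"ts":"2020-07-15T19:58:05Z","agent":"agent_17","action":"set_email","account":"acct_2003"}
{"ts":"2020-07-15T19:59:12Z","agent":"agent_17","action":"set_email","account":"acct_2004"}
{"ts":"2020-07-15T14:10:00Z","agent":"agent_04","action":"set_email","account":"acct_3001"}
{"ts":"2020-07-15T16:45:00Z","agent":"agent_04","action":"set_email","account":"acct_3002"}
"""

def parse_log(text):
    """Parse JSON-lines audit records and return them ordered by timestamp."""
    events = [json.loads(l) for l in text.splitlines() if l.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])

def find_mass_takeover(events, window=timedelta(minutes=10), min_accounts=3):
    """Return {agent: accounts} for agents whose takeover-capable actions hit
    at least min_accounts distinct accounts inside one sliding time window."""
    recent = defaultdict(deque)   # agent -> (ts, account) pairs inside window
    flagged = defaultdict(set)
    for e in events:
        if e["action"] not in TAKEOVER_ACTIONS:
            continue
        q = recent[e["agent"]]
        q.append((e["ts"], e["account"]))
        while e["ts"] - q[0][0] > window:   # drop events older than the window
            q.popleft()
        accounts = {acct for _, acct in q}
        if len(accounts) >= min_accounts:
            flagged[e["agent"]] |= accounts
    return dict(flagged)

if __name__ == "__main__":
    for agent, accts in find_mass_takeover(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {agent}: {len(accts)} accounts changed: {sorted(accts)}")
```

Only `agent_17` is flagged; `agent_04`'s two changes fall outside any shared ten-minute window and stay below the threshold.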

Why it matters

The Twitter hack is the canonical example of insider-tool abuse via social engineering at one of the world's most influential platforms. It proved that the human layer and privileged internal tooling are the real attack surface — strong account security meant nothing once support tooling was reachable. The incident drove broad adoption of phishing-resistant MFA (FIDO2/hardware keys), tighter just-in-time and least-privilege access to admin consoles, and far greater scrutiny of who can wield god-mode controls over user accounts.

Timeline

  1. Attackers begin phone spear-phishing Twitter employees, impersonating IT help-desk staff and directing them to a fake VPN/SSO portal to harvest credentials and MFA codes.

  2. Using stolen employee credentials, attackers reach Twitter's internal 'agent' admin tool and begin taking over high-profile accounts.

  3. Between roughly 20:00 and 22:00 UTC, 45 hijacked accounts tweet a Bitcoin-doubling scam; victims send ~$118,000 in bitcoin to the scam wallets.

  4. Twitter responds by locking all verified accounts from tweeting and disabling parts of the admin tool while it investigates.

  5. Twitter discloses that 130 accounts were targeted, 45 were used to tweet, and DM inboxes of 36 accounts were accessed (8 fully downloaded).

  6. U.S. DOJ and Florida prosecutors charge Graham Ivan Clark (17), Mason Sheppard (22), and Nima Fazeli (19).

  7. The New York Department of Financial Services publishes a detailed investigation report criticising Twitter's internal access controls.

  8. Graham Clark pleads guilty as a youthful offender and is sentenced to three years in prison.

Sources

  1. https://en.wikipedia.org/wiki/2020_Twitter_account_hijacking
  2. https://www.dfs.ny.gov/Twitter_Report
  3. https://www.justice.gov/usao-ndca/pr/three-individuals-charged-alleged-roles-twitter-hack
  4. https://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident
