The epidemic of Twitter-based Bitcoin scams took another twist this week as attackers tweeted scams directly from two verified high-profile accounts. Criminals sent posts from both Google’s G Suite account and Target’s official Twitter account.
Cryptocurrency giveaway scams work by offering money to victims. There’s a catch, of course: They must first send a small amount of money to ‘verify their address’. The money in return never shows up and the attackers cash out.
Authenticity is a key factor in these scams. Accounts with verified status shown by a blue tick carry more of that. So it makes sense for attackers to hack verified accounts and then use them to impersonate very high profile people with lots of followers. Elon Musk and Ethereum founder Vitalik Buterin have both been targets for imposters.
On Tuesday, criminals went one better, managing to compromise the official account of Google’s G Suite. This gave them an authentic platform to address the account’s 822,000 followers as Google itself, rather than impersonating it with another hacked account.
The Bitcoin giveaway scam quickly followed, claiming that G Suite was now accepting cryptocurrency payments and offering a total of 10,000 Bitcoins (BTC) to “all community”. The scammers asked for between 0.1 and 2 BTC, and promised to return ten times the amount sent. They also added a bonus: send 1 BTC or more and get an additional 200% back.
Well, with an offer like that, who could say no? Thankfully, everyone. A quick look at the address posted in the scam revealed no transactions at the time of writing. This is probably because Google removed the post quickly after spotting what had happened.
The same couldn’t be said for readers of Target’s Twitter feed, which was hit by a similar attack the same day. The address used in the Target hack was also used in an attack earlier this week on Elon Musk. Unlike the Target and G Suite accounts, though, Musk’s wasn’t hacked. Instead, the criminals hacked the @farahmenswear Twitter account, which has verified status, and then changed the name on the account to resemble Musk’s.
Altogether, the Musk/Target scammers scooped 5.86 BTC, amounting to $32,700 as of yesterday’s exchange rate. Yesterday afternoon, the crooks began cashing out, sending money from the scam Bitcoin address to others.
These are the latest in a long string of cryptocurrency frauds perpetrated on Twitter that the company has struggled to contain. It banned the use of Elon Musk handles in July, in a bizarre game of whack-a-mole which parodists and criminals alike – including this week’s scammer – easily won by using slightly different characters in Musk-like names.
In September, CEO Jack Dorsey testified before Congress that blockchain technology itself may be a solution to the rampant scams on the network. He said:
So blockchain is one that I think has a lot of untapped potential, specifically around distributed trust and distributed enforcement, potentially.
We haven’t gone as deep as we’d like just yet in understanding how we might apply this technology to the problems we are facing at Twitter but we do have people within the company thinking about it today.
That’s a statement of interest, not a solution.
Account owners have their part to play, too. It isn’t clear whether Google and Target were using two-factor authentication, which Twitter launched in basic form in 2013 and updated to support Authenticator apps in 2017. If they were, then the hackers somehow got around it. If they were not, then why not?
While Twitter continues to try and work this problem out, it’s advisable for everyone who uses Twitter (and any other site that has the option) to turn on 2FA – and avoiding giving money to strangers!