2020 Twitter accounts hijacking
[Image: a tweet from Apple's account reading "We are giving back to our community. We support Bitcoin and believe you should too! All Bitcoin sent to our addresses will be sent back to you, doubled!", followed by a bitcoin address and "Only going on for the next 30 minutes."]
A representative scam tweet, from Apple's hacked account

Date: July 15, 2020, 20:00–22:00 UTC
Cause: Coordinated social engineering attack
Target: High-profile verified Twitter accounts
Outcome: At least 130 accounts affected. The bitcoin addresses involved received about US$110,000 in bitcoin transactions.
Arrests: 3, as of July 31, 2020

On July 15, 2020, between 20:00 and 22:00 UTC, 69 high-profile Twitter accounts were compromised by outside parties to promote a bitcoin scam.[1][2] Twitter and other media sources confirmed that the perpetrators had gained access to Twitter's administrative tools so that they could alter the accounts themselves and post the tweets directly. They appeared to have used social engineering to gain access to the tools via Twitter employees.[3][4][5] Three individuals were arrested by authorities on July 31, 2020, and charged with wire fraud, money laundering, identity theft, and unauthorized computer access related to the scam.[6]

The scam tweets asked individuals to send bitcoin to a specific cryptocurrency wallet, promising the Twitter user that money sent would be doubled and returned as a charitable gesture.[7] Within minutes of the initial tweets, more than 320 transactions had already taken place on one of the wallet addresses, and bitcoin worth more than US$110,000 had been deposited in one account before the scam messages were removed by Twitter.[1][8] In addition, the full message history of eight non-verified accounts was also acquired.[9]

Dmitri Alperovitch, the co-founder of cybersecurity company CrowdStrike, described the incident as "the worst hack of a major social media platform yet".[2][10] Security researchers expressed concerns that the social engineering used to execute the hack could affect the use of social media in important online discussions, including the lead-up into the 2020 United States presidential election.[11][12] On July 31, 2020, the U.S. Department of Justice announced charges against three individuals in connection with the incident.[13]

Incident

Forensic analysis of the scam showed that the initial scam messages were first posted by accounts with short, one- or two-character distinctive names, such as "@6".[14] This was followed by cryptocurrency Twitter accounts at around 20:00 UTC on July 15, 2020, including those of Coinbase, CoinDesk and Binance.[15][12] The scam then moved to more high-profile accounts with the first such tweet sent from Elon Musk's Twitter account at 20:17 UTC.[16] Other supposedly compromised accounts included those of well-known individuals such as Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, MrBeast, Michael Bloomberg,[8] Warren Buffett,[17] Floyd Mayweather Jr.,[12] Kim Kardashian, and Kanye West;[18][2] and companies such as Apple, Uber, and Cash App.[19] Twitter believed 130 accounts were affected, though only 45 were actually used to tweet the scam message;[9][20] most of the accounts that were accessed in the scam had at least a million followers.[2]

The tweets involved in the scam claimed that the sender, in charity, would repay any user double the value of any bitcoin they sent to the given wallets, often as part of a COVID-19 relief effort. The tweets followed the sharing of malicious links by a number of cryptocurrency companies; the website hosting the links was taken down shortly after the tweets were posted.[7] While such "double your bitcoin" scams had been common on Twitter before, this was the first major instance of them being sent from breached high-profile accounts.[2] Security experts believe that the perpetrators ran the scam as a "smash and grab" operation: knowing that the intrusion into the accounts would be closed quickly, they likely planned that only a small fraction of the millions who follow these accounts needed to fall for the scam in that short time to make quick money from it.[2] Multiple bitcoin wallets had been listed at these websites; the first one observed had received 12 bitcoins from over 320 transactions, valued at more than US$118,000, and had about US$61,000 removed from it, while a second had amounts only in the thousands of dollars as Twitter took steps to halt the postings.[1][8][21] It is unclear whether these were funds added by those taken in by the scam,[21][22] as bitcoin scammers are known to add funds to wallets before starting schemes to make the scam seem legitimate.[2] Of the funds added, most originated from wallets with Chinese ownership, but about 25% came from United States wallets.[14] After it was added, the cryptocurrency was subsequently transferred through multiple accounts to obscure the perpetrators' identities.[14]

Some of the compromised accounts posted scam messages repeatedly, even after having some of the messages deleted.[23] The tweets were labelled as having been sent using the Twitter Web app.[24] One of the phrases involved in the scam was tweeted more than 3,000 times in the space of four hours, with tweets being sent from IP addresses linked to many different countries.[25] The reused phrasing allowed Twitter to remove the offending tweets easily as they took steps to stop the scam.[12]

By 21:45 UTC, Twitter had released a statement saying it was "aware of a security incident impacting accounts on Twitter" and that it was "taking steps to fix it".[26] Shortly afterwards, it disabled the ability of some accounts to tweet or to reset their password;[27] Twitter did not confirm which accounts were restricted, but many users with accounts Twitter had marked as "verified" confirmed that they were unable to tweet.[28] Approximately three hours after the first scam tweets, Twitter reported that it believed it had restored all of the affected accounts to their rightful owners.[29] Later that night, Twitter CEO Jack Dorsey said it was a "tough day for us at Twitter. We all feel terrible this happened. We're diagnosing and will share everything we can when we have a more complete understanding of exactly what happened."[12] At least one cryptocurrency exchange, Coinbase, blacklisted the bitcoin addresses to prevent money from being sent to them. Coinbase said it had stopped over 1,000 transactions totaling over US$280,000 from being sent.[30]
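Two defensive handles appear in this paragraph and the one before it: the scam reused one phrasing across many accounts, which let Twitter find and remove the tweets quickly, and exchanges such as Coinbase denylisted the destination wallets. The following Python example is added here and is not part of the original article, nor any Twitter or Coinbase tooling. It runs a simple burst detector over a constructed set of tweets: each tweet is fingerprinted with wallet addresses, URLs and numbers normalised out, a template posted by several distinct accounts inside a time window is flagged, and the addresses found in the flagged posts become a payment denylist. Every account, timestamp and address in it is made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not tweets or addresses from the incident): (account, UTC timestamp, text).
# Five accounts post the same "double your bitcoin" template within 40 minutes, naming two wallets;
# two ordinary tweets are mixed in so the detector has something to ignore.
ADDR_A = "bc1qconstructedexampleaddressone00000"
ADDR_B = "bc1qconstructedexampleaddresstwo00000"
TEMPLATE = ("We are giving back to our community. We support Bitcoin and believe you should too! "
            "All Bitcoin sent to {addr} will be sent back to you, doubled! "
            "Only going on for the next {mins} minutes.")
SAMPLE_TWEETS = [
    ("@exchange_one",   "2020-07-15T19:30:00", "Our quarterly roadmap update goes live at 9am tomorrow."),
    ("@exchange_one",   "2020-07-15T20:01:00", TEMPLATE.format(addr=ADDR_A, mins=30)),
    ("@exchange_two",   "2020-07-15T20:09:00", TEMPLATE.format(addr=ADDR_A, mins=30)),
    ("@newsdesk_three", "2020-07-15T20:17:00", TEMPLATE.format(addr=ADDR_B, mins=30)),
    ("@celeb_four",     "2020-07-15T20:22:00", TEMPLATE.format(addr=ADDR_B, mins=30)),
    ("@celeb_four",     "2020-07-15T20:30:00", "Thanks for all the birthday wishes!"),
    ("@company_five",   "2020-07-15T20:40:00", TEMPLATE.format(addr=ADDR_B, mins=20)),
]

# Bech32 (bc1...) and legacy (1.../3...) address shapes; good enough for extraction, not validation.
BTC_ADDRESS_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")


def fingerprint(text: str) -> str:
    """Collapse a tweet to its template: addresses, URLs and numbers are replaced by tokens,
    punctuation is dropped, so the same lure with a different wallet or deadline matches."""
    t = BTC_ADDRESS_RE.sub("<addr>", text.lower())
    t = re.sub(r"https?://\S+", "<url>", t)
    t = re.sub(r"\d+", "<n>", t)
    t = re.sub(r"[^a-z<>\s]", " ", t)
    return " ".join(t.split())


def detect_bursts(tweets, window=timedelta(minutes=60), min_accounts=3):
    """Flag any fingerprint posted by at least `min_accounts` distinct accounts within `window`."""
    by_fp = defaultdict(list)
    for account, ts, text in tweets:
        by_fp[fingerprint(text)].append((datetime.fromisoformat(ts), account, text))
    alerts = []
    for fp, posts in by_fp.items():
        posts.sort(key=lambda p: p[0])
        best = set()
        for i, (start, _, _) in enumerate(posts):          # sliding window over sorted posts
            accounts = {a for t, a, _ in posts[i:] if t - start <= window}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            addrs = set()
            for _, _, text in posts:
                addrs.update(BTC_ADDRESS_RE.findall(text))
            alerts.append({"fingerprint": fp, "accounts": sorted(best),
                           "addresses": sorted(addrs), "first_seen": posts[0][0].isoformat()})
    return alerts


def build_denylist(alerts) -> set:
    """Wallets named in flagged templates; what an exchange would screen outgoing payments against."""
    return {a for alert in alerts for a in alert["addresses"]}


def is_payment_blocked(address: str, denylist: set) -> bool:
    return address in denylist


if __name__ == "__main__":
    found = detect_bursts(SAMPLE_TWEETS)
    for alert in found:
        print(alert["first_seen"], alert["accounts"], alert["addresses"])
    print("denylist:", sorted(build_denylist(found)))
```

The fingerprint step is what makes the reused phrasing actionable: without normalising out the wallet and the deadline, the two wallets and the "20 minutes" variant would split the burst into three smaller groups, and a threshold of three accounts would miss all of them.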

In addition to sending out tweets, the account data for eight compromised accounts was downloaded, including all created posts and direct messages, though none of these accounts belonged to verified users.[9][31] Twitter also suspected that thirty-six other accounts had their direct messages accessed but not downloaded, including that of Dutch Parliament Representative Geert Wilders, but believed that no other current or former elected official had their messages accessed.[32][33]

Method of attack

Bloomberg News, after investigation with former and current Twitter employees, reported that as many as 1,500 Twitter employees and partners had access to the admin tools that allowed accounts to be reset, as had been done during the incident. Former Twitter employees told Bloomberg that even as late as 2017 and 2018, those with access would make a game of using these tools to track famous celebrities, though the amount of data visible through the tools alone was limited to elements like IP address and geolocation information. A Twitter spokesperson told Bloomberg that the company uses "extensive security training and managerial oversight" to manage employees and partners with access to the tools, and that there was "no indication that the partners we work with on customer service and account management played a part here".[34] Former members of Twitter's security teams stated that since 2015 the company had been alerted to the risk of an insider attack and to other needed cybersecurity measures, but that these were put aside in favor of more revenue-generating initiatives.[34]

As Twitter was working to resolve the situation on July 15, Vice was contacted by at least four individuals claiming to be part of the scam, who presented the website with screenshots showing that they had been able to gain access to a Twitter administrative tool, also known as an "agent tool",[35] that allowed them to change various account-level settings of some of the compromised accounts, including the confirmation email address for the account. This let them set an account's email address to one they controlled, from which anyone with access to that email account could initiate a password reset and post the tweets.[14] These hackers told Vice that they had paid insiders at Twitter to get access to the administrative tool in order to pull this off.[3]

Ars Technica obtained a more detailed report from a researcher who worked with the FBI on the investigation. According to this report, the attackers scraped LinkedIn in search of Twitter employees likely to have administrator privileges over account-holder tools. The attackers then obtained these employees' cell phone numbers and other private contact information via paid tools LinkedIn makes available to job recruiters. After choosing victims for the next stage, the attackers contacted Twitter employees, most of whom were working remotely due to the COVID-19 pandemic, and, using the information from LinkedIn and other public sources, pretended to be Twitter personnel. The attackers directed victims to log into a fake internal Twitter VPN portal. To bypass two-factor authentication, the attackers entered the stolen credentials into the real Twitter VPN portal and, "within seconds of the employees entering their info into the fake one", asked the victims for the two-factor authentication code.[36]

TechCrunch reported similarly, based on a source that stated some of the messages were from a member of the hacking forum OGUsers, who had claimed to have made over US$100,000 from it.[4] According to TechCrunch's source, this member "Kirk" had reportedly gained access to the Twitter administrative tool likely through a compromised employee account, and after initially offering to take over any account on request, switched strategies to target cryptocurrency accounts, starting with Binance and then higher-profile ones. The source did not believe Kirk had paid a Twitter employee for access.[4]

The "@6" Twitter account had belonged to Adrian Lamo, and the user maintaining the account on behalf of Lamo's family reported that the group that performed the hack was able to bypass numerous security factors set up on the account, including two-factor authentication, further indicating that the administrative tools had been used to bypass the account security.[14][37] Spokespersons for the White House stated that President Donald Trump's account, which may have been a target, had extra security measures implemented at Twitter after an incident in 2017, and therefore was not affected by the scam.[14]

Vice's and TechCrunch's sources were corroborated by The New York Times, which spoke to similar persons involved in the events and to other security researchers who had been given similar screenshots; tweets of these screenshots had been posted, but Twitter removed them since they revealed personal details of the compromised accounts.[5] The New York Times further affirmed that the vector of the attack was related to most of the company working remotely during the COVID-19 pandemic. The OGUsers members were able to gain access to the Twitter employees' Slack communications channel, where information on the authorization processes for accessing the company's servers while working remotely had been pinned.[5]

Twitter subsequently confirmed that the scam involved social engineering,[38] stating "We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools."[3][39] In addition to taking further steps to lock down the verified accounts affected, Twitter said it had also begun an internal investigation and had limited employee access to its system administrative tools while it evaluated the situation, as well as whether any additional data had been compromised by the malicious users.[29][40]

By the end of July 17, 2020, Twitter affirmed what had been learned from these media sources, stating that "The attackers successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams."[35] By July 30 Twitter was able to further confirm that the method used was what it called a "phone spear phishing attack": the attackers initially used social engineering to obtain the credentials of lower-level Twitter employees who did not have access to the admin tools, and then, using those employee accounts, carried out additional social engineering attacks to obtain admin-tool credentials from employees who were authorized to use them.[41]

Perpetrators

The FBI announced on July 16 it was launching an investigation into the scam, as it was used to "perpetuate cryptocurrency fraud", a criminal offense.[42] The Senate Select Committee on Intelligence also planned to ask Twitter for additional information on the hack, as the committee's vice-chair Mark Warner stated "The ability of bad actors to take over prominent accounts, even fleetingly, signals a worrisome vulnerability in this media environment, exploitable not just for scams but for more impactful efforts to cause confusion, havoc and political mischief".[14] The UK's National Cyber Security Centre said its officers had reached out to Twitter regarding the incident.[43]

Security researcher Brian Krebs corroborated TechCrunch's source and information obtained by Reuters, concluding that the scam appeared to have originated in the "OGUsers" group.[44][45][4][46] The OGUsers forum ("OG" standing for "original gangsters") was established for selling and buying social media accounts with short or "rare" names, and according to its owner, speaking to Reuters, the practice of trafficking in hacked credentials was prohibited.[46] Screenshots from the forum show various users offering to hack into Twitter accounts at US$2,000–3,000 each. Krebs stated that one of the members might have been tied to the August 2019 takeover of Twitter CEO Jack Dorsey's Twitter account.[44] The OGUsers owner told Reuters that the accounts shown in the screenshots had since been banned.[46]

The United States Department of Justice announced the arrest and charging of three individuals tied to the scam on July 31, 2020. A 19-year-old from the United Kingdom was charged with multiple counts of conspiracy to commit wire fraud, conspiracy to commit money laundering and the intentional access of a protected computer, and a 22-year-old from Florida was charged with aiding and abetting the intentional access. Both will be tried in the United States District Court for the Northern District of California.

A third individual, Graham Ivan Clark, 17 years old, of Hillsborough County, Florida, was also indicted; the charges were originally sealed in juvenile court, but he was eventually charged as an adult on 30 felony counts.[13] The charges included organized fraud, communications fraud, identity theft, and hacking. Florida state law allows for trying minors as adults in financial fraud cases.[6][47][48] Clark pleaded not guilty to the charges on August 4, 2020.[48] He accepted a plea bargain in March 2021 and was sentenced to 3 years in prison followed by 3 years of probation; he was sentenced under Florida's Youthful Offender Act, which limits the penalties on convicted felons under the age of 21.[49] According to the Tampa Bay Times, he would be able "to serve some of his time in a military-style boot camp".[50][51][36]

A fourth individual, a 16-year-old from Massachusetts, had been identified as a possible suspect in the scam by the FBI. Though federal agents had conducted a warranted search of his possessions in late August 2020, no indictments have been made yet.[52]

In April 2023, 23-year-old Joseph James O'Connor, a British citizen with the online handle PlugwalkJoe, was extradited from Spain to New York to face charges, having been arrested in July 2020, and was reported to have hacked over 100 Twitter accounts including the accounts of Apple, Uber, Kanye West, Bill Gates, Joe Biden, Barack Obama, and Elon Musk. O'Connor is also accused of extorting close to $800,000 in cryptocurrency. O'Connor entered a guilty plea,[53][54] and on June 23 was sentenced to five years in federal prison, in addition to forfeiting at least $794,000 to the victims of the hijacking.[55]

Reaction and aftermath

In the immediate aftermath, affected users could only retweet content, leading NBC News to set up a temporary non-verified account so that they could continue to tweet, retweeting "significant updates" on their main account.[56] Some National Weather Service forecast offices were unable to tweet severe weather warnings, with the National Weather Service in Lincoln, Illinois initially unable to tweet a tornado warning.[57] Joe Biden's campaign stated to CNN that they were "in touch with Twitter on the matter", and that his account had been "locked down".[1] Google temporarily disabled its Twitter carousel in its search feature as a result of these security issues.[58]

During the incident, Twitter, Inc.'s stock price fell by 4% after the markets closed.[59] By the end of the next day, Twitter, Inc.'s stock price ended at $36.40, down 38 cents, or 0.87%.[60]

Security experts expressed concern that while the scam may have been relatively small in terms of financial impact, the ability for social media accounts to be taken over through social engineering of these companies' employees poses a major threat to the use of social media, particularly in the lead-up to the 2020 United States presidential election, and could potentially cause an international incident.[11] Alex Stamos of Stanford University's Center for International Security and Cooperation said, "Twitter has become the most important platform when it comes to discussion among political elites, and it has real vulnerabilities."[12]

Twitter chose to delay the rollout of its new API in the aftermath of the security issues.[61] By September, Twitter stated it had put new protocols in place to prevent similar social engineering attacks, including heightened background checks for employees who would have access to key user data, phishing-resistant security keys for day-to-day use, and training for all employees involved in customer support to make them aware of future social engineering scams.[62]

Though not part of the Twitter incident, Steve Wozniak and seventeen others filed a lawsuit against Google the following week, asserting that the company had not taken sufficient steps to remove similar Bitcoin scam videos posted to YouTube that used his and the other plaintiffs' names, fraudulently claiming their backing for the scam. Wozniak's complaint noted that Twitter was able to act within the same day, while his and the other plaintiffs' requests to Google had never been acted upon.[63]

On September 29, 2020, Twitter hired Rinki Sethi as CISO and VP of the company after the breach.[64]

On November 20, 2020, Hulu aired the 5th episode of "The New York Times Presents" series entitled "The Teenager Who Hacked Twitter," which details the events of this incident.[65]

The 2020 Twitter account hijacking was a coordinated cyberattack executed on July 15, 2020, in which a group of hackers, primarily led by a 17-year-old from Tampa, Florida, used social engineering tactics to breach Twitter's internal administrative tools and temporarily seize control of over 130 high-profile verified accounts. These accounts, belonging to prominent figures such as former U.S. President Barack Obama, then-presidential candidate Joe Biden, Elon Musk, Bill Gates, and corporations like Apple and Uber, were exploited to post identical fraudulent messages promoting a Bitcoin "doubling" scam, where victims were instructed to send cryptocurrency to specified addresses with promises of doubled returns within 30 minutes. The incident netted approximately $121,000 in Bitcoin from around 400 victims before Twitter locked down the affected accounts and suspended the scam addresses. The attack's method relied on spear-phishing, specifically voice phishing (vishing), targeting a limited number of Twitter employees with internal access privileges; the hackers posed as IT support to extract credentials for Twitter's backend tools, which allowed them to reset passwords and post from VIP accounts without needing user authentication. This breach highlighted vulnerabilities in Twitter's employee access controls and internal network segmentation, as the tools provided broad administrative capabilities that were not adequately isolated from external threats. The perpetrators, including Graham Ivan Clark as the alleged mastermind, along with accomplices Nima Fazeli, Mason Sheppard, and Joseph O'Connor, were motivated by financial gain and notoriety within hacking communities; Clark, a minor at the time, pleaded guilty to charges including conspiracy to commit wire fraud and was sentenced to three years in prison, while O'Connor, operating from the UK, faced extradition and later pleaded guilty in 2023. 
The hijacking prompted immediate scrutiny of Twitter's security practices, revealing that the company had failed to implement sufficient multi-factor authentication or least-privilege principles for sensitive tools, and it spurred regulatory investigations, including a New York Department of Financial Services report recommending enhanced oversight of social media platforms' cybersecurity. While the financial impact was relatively modest compared to the platform's scale, the event underscored the risks of centralized control over high-influence accounts and the ease with which social engineering could undermine even large tech firms' defenses, influencing subsequent industry-wide improvements in employee training and access management. No evidence emerged of state-sponsored involvement, confirming the operation as a criminal enterprise driven by individual actors rather than geopolitical motives.

Background and Context

Twitter's Internal Tools and Verification Processes

Twitter employees utilized internal administrative tools, often referred to as dashboards or panels, to perform account management functions including verification, password resets, email address changes, and posting tweets on behalf of users. These tools were designed for support, moderation, and verification purposes, enabling staff to directly intervene in user accounts without user-initiated processes. Access to such tools was granted to over 1,000 employees based on job requirements, with permissions intended to be limited but lacking stringent segmentation for high-profile or verified accounts. These systems were accessible primarily through Twitter's internal network, requiring employee credentials and often a VPN connection for remote work, which had become more prevalent following the platform's shift to distributed operations. Multi-factor authentication for tool access relied on application-based methods delivered via smartphones, such as authenticator apps generating time-based codes, rather than hardware security keys across the board. Phone-based elements in this MFA setup, including potential SMS or voice verification prompts, introduced vulnerabilities to interception or real-time deception during login attempts. Prior to 2020, protections for verified accounts—distinguished by a blue checkmark badge awarded at Twitter's discretion—did not include dedicated tool restrictions or elevated barriers beyond standard employee access controls. High-profile verified accounts, including those of public figures and organizations, were treated within the same internal management framework as ordinary accounts, permitting tools to reset credentials or alter settings without account-specific audits or isolation. This architecture reflected a trust-based model prioritizing operational efficiency over compartmentalized security for elite account tiers.
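The MFA design described in this paragraph, the relay described under "Method of attack" (credentials and the one-time code read off a fake portal and entered into the real one within seconds), and the phishing-resistant security keys Twitter later adopted under "Reaction and aftermath" are three views of one property: whether the second factor is bound to the origin the user is actually talking to. The following Python example is added here and is not Twitter's code or any vendor's protocol. The HOTP/TOTP part implements the real RFC 4226/6238 algorithms; the "origin-bound authenticator" is a deliberately simplified, hypothetical model of a FIDO-style key that uses HMAC in place of public-key signatures but keeps the property that matters, a per-origin key and a response that covers the origin the browser reports. All origins, seeds and timestamps are constructed.

```python
import hashlib
import hmac
import struct

# --- Relayable second factor: RFC 4226 HOTP and RFC 6238 TOTP (real algorithms) ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """The code depends only on the shared seed and the time step: nothing in it says
    which site the user was looking at when they read it off the app."""
    return hotp(secret, unix_time // step, digits)


# --- Origin-bound second factor: hypothetical simplified model of a FIDO-style authenticator ---
def site_key(root_secret: bytes, origin: str) -> bytes:
    """Per-origin key derived at enrolment; a lookalike origin yields a different key."""
    return hmac.new(root_secret, origin.encode(), hashlib.sha256).digest()


def authenticator_respond(root_secret: bytes, browser_origin: str, challenge: bytes) -> str:
    """The browser, not the page, tells the authenticator which origin it connected to,
    and that origin is folded into both the key selection and the signed message."""
    key = site_key(root_secret, browser_origin)
    return hmac.new(key, browser_origin.encode() + b"|" + challenge, hashlib.sha256).hexdigest()


def relying_party_verify(registered_key: bytes, own_origin: str, challenge: bytes, response: str) -> bool:
    """The real portal checks against the key registered with it and its own origin."""
    expected = hmac.new(registered_key, own_origin.encode() + b"|" + challenge, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


# Constructed scenario values (not real hosts or secrets)
REAL_ORIGIN = "https://vpn.example-corp.test"
LURE_ORIGIN = "https://vpn.example-corp-support.test"
TOTP_SEED = b"constructed shared seed"
ROOT_SECRET = b"constructed authenticator root"
LOGIN_TIME = 1594843200  # 2020-07-15T20:00:00Z


def relayed_totp_accepted(now: int = LOGIN_TIME, relay_delay: int = 5) -> bool:
    """Code read on the lure page is forwarded to the real portal a few seconds later.
    The portal cannot tell where the code was typed, so within the 30 s step it verifies."""
    code_typed_on_lure = totp(TOTP_SEED, now)
    return totp(TOTP_SEED, now + relay_delay) == code_typed_on_lure


def relayed_origin_bound_accepted(challenge: bytes = b"nonce-1") -> bool:
    """Same relay against an origin-bound authenticator enrolled at the real portal: the browser
    reports the lure origin, so the response uses the wrong key over the wrong origin and fails."""
    registered = site_key(ROOT_SECRET, REAL_ORIGIN)
    response = authenticator_respond(ROOT_SECRET, LURE_ORIGIN, challenge)
    return relying_party_verify(registered, REAL_ORIGIN, challenge, response)


def legitimate_origin_bound_accepted(challenge: bytes = b"nonce-2") -> bool:
    """Control case: the user really is at the real portal, and verification succeeds."""
    registered = site_key(ROOT_SECRET, REAL_ORIGIN)
    response = authenticator_respond(ROOT_SECRET, REAL_ORIGIN, challenge)
    return relying_party_verify(registered, REAL_ORIGIN, challenge, response)


if __name__ == "__main__":
    print("TOTP relayed through a lookalike portal accepted:", relayed_totp_accepted())
    print("origin-bound response relayed the same way accepted:", relayed_origin_bound_accepted())
    print("origin-bound response at the real portal accepted:", legitimate_origin_bound_accepted())
```

The model makes the page's point concrete: no amount of employee diligence changes the first result, because a TOTP code is valid wherever it is typed; the second result changes only because the authenticator, not the person, decides which origin the response is for. In the real WebAuthn protocol that origin binding is done with the relying party ID and client data hash under a public-key signature rather than the HMAC used here.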

Preceding Security Vulnerabilities

Prior to the July 2020 hijacking, Twitter's internal systems exhibited systemic vulnerabilities stemming from broad employee access to administrative tools, as demonstrated by a 2019 incident involving insider misuse. In November 2019, the U.S. Department of Justice charged two former Twitter employees, Ali Alzabarah and Ahmad Abouammo, with acting as agents of Saudi Arabia by exploiting their internal access to query non-public user data on approximately 5,900 accounts, primarily those of Saudi dissidents critical of the regime. Alzabarah, a Saudi national and technical service manager, and Abouammo, a U.S. citizen and media partnerships manager for the Middle East and North Africa, allegedly received bribes including luxury watches and over $100,000 in payments to provide this information, revealing how centralized control over account verification and data tools enabled unchecked abuse by personnel with elevated privileges. This case underscored a causal weakness in Twitter's architecture: reliance on employee discretion for handling sensitive support functions without robust segmentation or logging to prevent or detect unauthorized actions, creating opportunities for both malicious insiders and external actors targeting them via compromise. The platform's dependence on human operators for high-profile account management amplified risks from social engineering, a known vector that prior security analyses had flagged but not fully mitigated through training or procedural hardening. Twitter's support infrastructure allowed a limited number of employees to bypass standard verification for account resets, a design choice prioritizing operational efficiency over defense-in-depth, which inherently invited exploitation if staff were deceived or coerced. 
Although specific pre-2020 phishing successes against Twitter personnel remain undocumented in public records, the 2019 insider scandal highlighted patterns of targeting support-adjacent roles, where external incentives could override internal safeguards, reflecting inadequate vetting and ongoing education on deception tactics. The onset of the COVID-19 pandemic exacerbated these issues by accelerating Twitter's transition to remote work, introducing unmonitored home environments prone to phishing. In March 2020, Twitter directed all employees to work from home indefinitely to curb virus spread, followed by a May 2020 announcement offering permanent remote options to nearly its entire workforce of about 4,800. This rapid shift, enacted with minimal preparation, heightened exposure to social engineering as employees operated from less secure personal networks, often without enterprise-grade protections or supervised policy enforcement. A subsequent New York Department of Financial Services investigation identified Twitter's failure to adapt security protocols to these pandemic-induced changes, including unaddressed increases in remote phishing susceptibility, as a contributing factor to persistent vulnerabilities. Such lapses in causal risk management—prioritizing business continuity over fortified employee defenses—foreshadowed the ease with which attackers could later manipulate internal actors.

Execution of the Hack

Social Engineering Attack

The attackers initiated the breach via a targeted phone spear-phishing operation on July 14, 2020, impersonating Twitter's internal IT help desk to deceive a small number of employees who held access to administrative tools. By contacting these individuals—likely limited to one or two in customer support roles—the perpetrators convinced at least one to disclose credentials for Twitter's virtual private network (VPN) and associated systems, exploiting lax identity verification during the calls. This social engineering succeeded without any exploitation of software vulnerabilities or external network intrusions, as confirmed by Twitter's investigation, which attributed the root cause to human error in bypassing standard protocols like callback confirmations or secondary authentication checks. The attackers' script mimicked legitimate help desk procedures, preying on urgency and familiarity to elicit voluntary credential sharing, a tactic that underscored deficiencies in employee training and procedural safeguards rather than systemic technical flaws. With VPN credentials in hand, the perpetrators established a remote connection that routed traffic through Twitter's trusted internal pathways, evading perimeter defenses and enabling lateral movement to tools for viewing and modifying user account settings. This phase relied on the VPN's role as a gateway without enforced multi-factor authentication for subsequent internal actions, allowing seamless escalation from external access to privileged operations.

Account Compromises and Bitcoin Scam

The attackers accessed approximately 130 Twitter accounts during the breach, enabling them to post fraudulent tweets from dozens of these, primarily high-profile ones. Affected accounts included those of former President Barack Obama, then-candidate Joe Biden, Elon Musk, Bill Gates, and corporations such as Apple and Uber. The scam messages followed a uniform template across compromised accounts, claiming the account holder was supporting Bitcoin and the community by doubling any cryptocurrency sent to a designated wallet address within the next 30 minutes. Archived screenshots and blockchain transaction records confirm the consistency of the tweet content and the associated wallet addresses used to receive funds. Victims responded by transferring Bitcoin to the scammers' wallets, resulting in approximately $121,000 stolen, as determined through on-chain analysis by cybersecurity firms tracking the inflows during the brief active period. Twitter personnel deleted the scam tweets shortly after detection, typically within minutes to about 30 minutes of posting, which curtailed further dissemination but did not prevent initial victim engagement. Some accounts were used to repost the messages multiple times before full mitigation.

Timeline of Events on July 15, 2020

In the mid-morning hours of July 15, 2020, PDT, attackers gained initial access to Twitter's internal systems through social engineering targeting employee credentials. This allowed exploitation of administrative tools by approximately 12:00 PM PDT. Compromise of lower-profile accounts, including original "OG" handles, occurred prior to 12:13 PM PDT, with some used to publicize screenshots of internal tools just before 11:00 AM PDT. The first Bitcoin scam tweets appeared shortly after, beginning with the @AngeloBTC account at 11:16 AM PDT, followed by @Binance at 12:18 PM PDT. Over the subsequent hour, approximately 10 cryptocurrency-related accounts, such as @Coinbase and @Gemini, posted identical scam messages promising to double sent Bitcoin. Peak activity ensued between 1:00 PM and 2:00 PM PDT, as high-profile verified accounts including @elonmusk at 1:17 PM PDT, and subsequently @billgates, @apple, @uber, @jeffbezos, @kanyewest, and @mikebloomberg around 1:55 PM PDT, disseminated the scam tweets directing users to a specific Bitcoin address. These posts, viewed millions of times, prompted rapid user reports and observable spikes in incoming transactions to the scammers' wallet, totaling over $118,000 in Bitcoin by the following day, as confirmed by blockchain analysis. Twitter detected the coordinated compromises and initiated mitigation around 3:18 PM PDT, blocking tweet functionality for verified accounts and restricting those with recent password changes, effectively halting further scam posts by 3:05 PM PDT.

Perpetrators

Key Individuals Involved

Graham Ivan Clark, a 17-year-old resident of Tampa, Florida, served as the primary orchestrator of the hijacking, conducting social engineering attacks in which he impersonated an authorized Twitter employee to gain access to the company's internal account-management tools. Mason John Sheppard, aged 19 and from Bognor Regis in the United Kingdom, assisted in compromising targeted accounts and promoting the associated bitcoin scam by posting fraudulent messages from the hijacked profiles. Nima Fazeli, an 18-year-old from Orlando, Florida, also known online as "Rolex," collaborated in the takeover of multiple high-profile accounts and the dissemination of the scam tweets soliciting bitcoin payments. Joseph James O'Connor, known by the online alias "PlugwalkJoe" and residing in the United Kingdom, was later implicated in providing unauthorized access to Twitter accounts in connection with the incident and in subsequent extortion efforts targeting victims.

Motivations and Operational Details

The perpetrators' primary motivation was financial gain through a cryptocurrency scam, whereby compromised high-profile accounts posted messages promising to double any Bitcoin sent to designated wallet addresses within a limited time frame. This scheme resulted in over 400 Bitcoin transfers totaling approximately $118,000. Although the incident occurred amid the 2020 U.S. presidential election cycle, federal investigations found no evidence of political or ideological objectives, attributing the attack exclusively to profit-driven fraud. Operations centered on informal coordination via the Discord messaging platform among a loose network of young accomplices operating primarily from Tampa, Florida. The group employed low-tech social engineering techniques, such as voice phishing (vishing), to obtain internal Twitter credentials, rather than more advanced methods such as malware or zero-day exploits. After the breach, the hackers sold access to the obtained credentials on underground forums, extending their illicit activities beyond the initial scam. FBI affidavits and departmental analyses emphasize this reliance on deception and persistence over technical sophistication, refuting narratives of state-actor involvement or elite cyber capabilities.

Immediate Responses

Twitter's Mitigation Efforts

Following the detection of unauthorized activity around 3:18 p.m. PDT on July 15, 2020, Twitter's incident response team initiated efforts to contain the breach, but these measures exhibited delays that allowed the scam tweets to propagate for several hours. By approximately 4:00 p.m. PDT, roughly an hour after the initial wave of hijackings, Twitter temporarily suspended the ability of verified accounts to post tweets, preventing further scam dissemination from those profiles for about 30 minutes. At 6:18 p.m. PDT, the company locked accounts that had undergone recent password changes and significantly restricted employee access to the internal tools used for account management, effectively suspending those capabilities to block additional unauthorized takeovers. These steps, however, followed an hours-long window during which the attackers retained access, underscoring operational shortcomings in real-time detection and expulsion of intruders even though the breach was visible through public scam posts. Twitter subsequently deleted the fraudulent tweets from compromised accounts and conducted a forensic review of approximately 130 targeted profiles, confirming that attackers had initiated password resets on 45, accessed direct message inboxes on 36, and downloaded full data archives from 7 using the "Your Twitter Data" tool. On July 17, 2020, Twitter issued a public update disclosing the breach's scope, including the targeting of 130 accounts, while emphasizing that immediate restrictions on internal systems had prevented further exploitation. By July 18, most affected accounts were restored to normal functionality, and Twitter's later assessment verified no additional unauthorized access after mitigation. These short-term fixes, though effective in halting the immediate threat, were critiqued for lacking proactive real-time public communication during the incident, which contributed to prolonged exposure.

Initial Law Enforcement Actions

The Federal Bureau of Investigation opened an investigation into the hijacking on July 16, 2020, classifying it as involving cryptocurrency fraud after the compromised accounts promoted a Bitcoin scam that received over 400 transfers totaling more than $100,000. Early efforts focused on blockchain analysis of the associated wallet addresses to trace fund flows, with investigators leveraging Bitcoin's transparent ledger to identify transaction patterns and potential endpoints. The FBI coordinated with Twitter to obtain internal logs and access credentials, aiding in reconstructing the breach timeline and identifying targeted employee vulnerabilities, while issuing alerts to international partners for possible accomplices based on preliminary digital footprints. This included monitoring hacker communications on platforms like Discord, where boasts about the operation provided initial leads without immediate doxxing risks to investigators. Concurrently, the New York Department of Financial Services launched a probe on July 15, 2020, directing regulated cryptocurrency firms at 6:59 p.m. ET to block the scam wallet addresses and mitigate further victim losses, emphasizing the hack's implications for digital asset security. The inquiry examined Twitter's safeguards and the rapid response of crypto entities, informing subsequent regulatory recommendations without delving into perpetrator identities at the outset.
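The blockchain analysis described above, tracing inflows to a scam address and following the funds forward through the public ledger, can be illustrated with a small tracing routine. This is an added example, not code from the page or from any investigating agency; the transactions, addresses (`scam_wallet_X`, the `hop_*` and `exchange_deposit_*` labels) and amounts are constructed placeholders, and the transaction model is a simplified one in which each transaction lists its input and output addresses with amounts. It counts deposits to the scam address (using outputs, so that change returned to a sender is not miscounted) and then walks forward to labelled cash-out addresses, carrying a proportional taint share so that commingling with unrelated funds is reflected rather than treated as fully tainted.

```python
"""Fund-flow tracing over a constructed, simplified transaction set.
Added example: every address, amount and exchange label below is invented
for illustration and is not the real 2020 scam wallet or its transactions."""
from collections import defaultdict, deque

SCAM_ADDR = "scam_wallet_X"  # placeholder, not the real address

# Constructed transactions: (txid, inputs [(from_addr, amount)], outputs [(to_addr, amount)])
TXS = [
    ("tx01", [("victim_a", 0.10)], [(SCAM_ADDR, 0.10)]),
    ("tx02", [("victim_b", 0.05)], [(SCAM_ADDR, 0.05)]),
    # victim_c sends 1.0 but 0.1 comes back as change: only 0.9 reaches the scam address
    ("tx03", [("victim_c", 1.00)], [(SCAM_ADDR, 0.90), ("victim_c", 0.10)]),
    ("tx04", [(SCAM_ADDR, 1.05)], [("hop_1", 0.60), ("hop_2", 0.45)]),
    ("tx05", [("hop_1", 0.60)], [("exchange_deposit_1", 0.59)]),
    # hop_2 is commingled with unrelated funds before moving on
    ("tx06", [("hop_2", 0.45), ("unrelated_x", 0.20)], [("mixer_like_1", 0.65)]),
    ("tx07", [("mixer_like_1", 0.65)], [("exchange_deposit_2", 0.30), ("hop_3", 0.35)]),
    ("tx08", [("unrelated_y", 2.00)], [("unrelated_z", 2.00)]),  # noise, never reached
]
# Constructed labels standing in for exchange deposit addresses identified by an investigator.
KNOWN_EXCHANGE_DEPOSITS = {"exchange_deposit_1", "exchange_deposit_2"}


def inflows(txs, addr):
    """Return (deposit count, total amount) paid to addr.
    Each output to addr counts as one deposit; change outputs back to the
    sender are naturally excluded because they are not paid to addr."""
    count, total = 0, 0.0
    for _txid, _ins, outs in txs:
        for to, amount in outs:
            if to == addr:
                count += 1
                total += amount
    return count, round(total, 8)


def trace_forward(txs, start, cashout):
    """Breadth-first walk from `start` along spending transactions.
    Each address carries a taint share: the fraction of the spending
    transaction's inputs that came from tainted addresses (a proportional
    or 'haircut' taint, less alarmist than marking every output fully tainted).
    Returns {cashout_addr: (path, share)} for the first path found to each
    cash-out address in `cashout`."""
    spends = defaultdict(list)  # from_addr -> transactions that spend from it
    for txid, ins, outs in txs:
        for frm, _ in ins:
            spends[frm].append((txid, ins, outs))

    share = {start: 1.0}
    path = {start: [start]}
    reached = {}
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        for _txid, ins, outs in spends[addr]:
            total_in = sum(amount for _, amount in ins)
            tainted_in = sum(amount * share.get(frm, 0.0) for frm, amount in ins)
            s = tainted_in / total_in
            for to, _ in outs:
                if to in share:
                    continue  # already traced; keep the first path found
                share[to] = s
                path[to] = path[addr] + [to]
                if to in cashout:
                    reached[to] = (path[to], round(s, 4))
                else:
                    queue.append(to)
    return reached


if __name__ == "__main__":
    print("deposits to scam address:", inflows(TXS, SCAM_ADDR))
    for dest, (route, s) in trace_forward(TXS, SCAM_ADDR, KNOWN_EXCHANGE_DEPOSITS).items():
        print(f"{dest}: share {s} via {' -> '.join(route)}")
```

The proportional share matters in practice: the path through `mixer_like_1` shows that only about 69% of what reaches `exchange_deposit_2` originated from the scam address, which is the kind of figure an investigator needs before asserting that a particular exchange deposit holds victim funds.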

Arrests and Charges

On July 31, 2020, the U.S. Department of Justice unsealed charges against three individuals for their roles in the July 15 Twitter hack: Nima Fazeli, a 22-year-old from Orlando, Florida; Mason Sheppard, a 19-year-old from the United Kingdom; and an unnamed co-conspirator. The federal indictment in the Northern District of California accused them of conspiracy to commit wire fraud, conspiracy to commit computer intrusions in violation of the Computer Fraud and Abuse Act (CFAA), and related offenses, including aiding unauthorized access to Twitter's internal tools to hijack accounts for the Bitcoin scam. Fazeli and Sheppard were arrested shortly thereafter: Fazeli in Florida and Sheppard in the UK, where he faced extradition proceedings. Separately, on July 30, 2020, Graham Ivan Clark, a 17-year-old from Tampa, Florida, identified as the primary orchestrator, was charged in Hillsborough County state court with 30 felony counts, including 17 violations of the CFAA, communications fraud, and identity theft. Clark was arrested on August 1, 2020, in Tampa following a joint investigation by local police and the FBI. Devices seized from the suspects during arrests and searches, including laptops, phones, and external drives, yielded critical evidence such as Discord chat logs detailing the conspiracy, Bitcoin wallet private keys, and the tools used to social-engineer Twitter employees. These artifacts directly linked the group to the unauthorized access and the monetization scheme. In July 2021, Joseph O'Connor, a 22-year-old from the UK, was charged in a federal criminal complaint in the Northern District of California with conspiracy to commit computer fraud and wire fraud related to the Twitter hack, as well as unauthorized access to victim accounts. O'Connor, who operated under online aliases, was arrested in Spain in 2022 and extradited to the U.S. in April 2023.
Graham Ivan Clark, the 17-year-old Florida resident identified by federal prosecutors as the principal architect of the hijacking, pleaded guilty on March 16, 2021, to 12 felony counts including conspiracy to commit wire fraud, identity theft, and unlawful computer access. He was sentenced the same day by U.S. District Judge Robert N. Scola Jr. to three years in federal prison and three years of supervised release, and was ordered to pay $794,024 in restitution to affected victims, reflecting the approximately $120,000 in Bitcoin proceeds from the scam alongside broader harms. The sentence drew scrutiny for its relative brevity given Clark's role in compromising the accounts of political figures such as then-candidate Joe Biden and former President Barack Obama, as well as Bill Gates, which potentially amplified misinformation risks near the 2020 U.S. election; his juvenile status under Florida law, however, limited adult penalties despite the sophistication of an operation carried out through internal tool access. Joseph James O'Connor, a United Kingdom national also known as "PlugwalkJoe" and implicated in the conspiracy alongside Clark through social engineering and account takeovers, was extradited from Spain and pleaded guilty on May 9, 2023, in the U.S. District Court for the Southern District of New York to conspiracy to commit wire fraud related to the Twitter hack, as well as to separate SIM-swapping extortion schemes targeting celebrities. O'Connor, who was approximately 20 at the time of the incident, received a five-year prison sentence on June 23, 2023, plus three years of supervised release and $794,000 in forfeiture, covering his involvement in hijacking accounts for the Bitcoin promotion and his subsequent demands for cryptocurrency ransoms from figures like Travis Scott. This outcome exceeded Clark's term, attributable to O'Connor's adult prosecution and additional offenses, though both avoided maximum penalties of decades due to plea agreements and cooperation.
Co-conspirators Nima Khalil and Mason Sheppard, both minors at the time and charged federally for aiding in account takeovers and scam promotion, received deferred prosecution agreements in 2021, involving community service, restitution payments, and eventual dismissal of charges upon compliance, underscoring prosecutorial deference to youth rehabilitation over extended incarceration for peripheral roles. Civil litigation persists from victims, including corporations and individuals affected by the breaches, with some pursuing damages against the perpetrators under theories of fraud and negligence, though recoveries remain limited by the hackers' assets. Federal investigations conclusively attributed the incident to this adolescent network without evidence of foreign state sponsorship, despite initial speculation amid geopolitical tensions.

Broader Implications and Analysis

Exposed Cybersecurity Weaknesses

The 2020 Twitter account hijacking demonstrated Twitter's over-reliance on employee credentials for accessing internal administrative tools that permitted direct alteration of user account details, such as the email addresses and phone numbers associated with two-factor authentication, effectively bypassing standard user-level security controls. Attackers targeted a limited set of employees via phone-based spear-phishing on July 15, 2020, convincing them to disclose login information for these tools, which were intended for legitimate support tasks like content moderation and account recovery. This architecture exposed a fundamental flaw in treating internal access as inherently trustworthy, without enforcing zero-trust principles that demand continuous verification independent of user status or location; over 1,000 employees retained broad privileges to these sensitive tools, enabling rapid escalation once a single set of credentials was compromised. Authentication relied on application-based multi-factor methods that proved susceptible to social manipulation, as the perpetrators posed as colleagues or IT support to elicit cooperation, leaving phone verification as a vulnerable chokepoint in the absence of hardware-enforced alternatives such as physical security keys. Inadequate logging and auditing of tool usage further compounded the breach, allowing attackers to query and modify approximately 130 accounts undetected for several hours (beginning around 2:16 PM ET and extending through the coordinated posting campaigns), owing to the lack of real-time anomaly detection or a comprehensive security information and event management system capable of flagging irregular internal activity. The remote work environment, accelerated by VPN reliance since March 2020 without commensurate hardening of verification protocols, amplified social engineering risks, as employees operated without the mitigating oversight of in-person office interactions or robust anti-vishing training.
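Two passages here describe work that an audit trail of the internal tools would support: the forensic tally in "Twitter's Mitigation Efforts" (how many accounts had a password reset, a direct-message inbox read, or an archive export) and the missing real-time anomaly detection discussed above. The following is an added example, not Twitter's code or schema: it parses a constructed JSON-lines audit log (the field names `operator`, `action`, `target`, `verified` and the action names are assumptions), produces the per-account tally for a suspect operator, and applies two detections that a SIEM rule could have carried, one for an operator touching an unusual number of distinct accounts within an hour and one for any email or phone change on a verified account, the step that lets a takeover proceed to a password reset.

```python
"""Triage of support-tool audit events: per-account forensic tally and
operator-velocity detection. Added example; the schema, action names and
every record below are constructed and are not Twitter's real logs."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that alter or expose an account (assumed names).
SENSITIVE = {"change_email", "change_phone", "password_reset",
             "read_dm_inbox", "export_archive"}
CONTACT_CHANGE = {"change_email", "change_phone"}

# Constructed sample audit log. support_ops_17 stands in for a compromised
# operator session; support_ops_03 is ordinary single-ticket support work.
SAMPLE_LOG = """\
{"ts": "2020-07-15T14:02:00Z", "operator": "support_ops_03", "src_ip": "198.51.100.7", "action": "view_account", "target": "user_123", "verified": false}
{"ts": "2020-07-15T14:03:30Z", "operator": "support_ops_03", "src_ip": "198.51.100.7", "action": "password_reset", "target": "user_123", "verified": false}
{"ts": "2020-07-15T18:16:05Z", "operator": "support_ops_17", "src_ip": "203.0.113.10", "action": "view_account", "target": "og_handle_a", "verified": false}
{"ts": "2020-07-15T18:20:11Z", "operator": "support_ops_17", "src_ip": "203.0.113.10", "action": "change_email", "target": "og_handle_a", "verified": false}
{"ts": "2020-07-15T18:21:40Z", "operator": "support_ops_17", "src_ip": "203.0.113.10", "action": "password_reset", "target": "og_handle_a", "verified": false}
{"ts": "2020-07-15T19:05:02Z", "operator": "support_ops_17", "src_ip": "203.0.113.10", "action": "change_email", "target": "crypto_exchange_1", "verified": true}
{"ts": "2020-07-15T19:05:30Z", "operator": "support_ops_17", "src_ip": "203.0.113.10", "action": "password_reset", "target": "crypto_exchange_1", "verified": true}
{"ts": "2020-07-15T19:40:12Z", "operator": "support_ops_17", "src_ip": "203.0.113.10", "action": "change_email", "target": "crypto_exchange_2", "verified": true}
{"ts": "2020-07-15T19:40:45Z", "operator": "support_ops_17", "src_ip": "203.0.113.10", "action": "password_reset", "target": "crypto_exchange_2", "verified": true}
{"ts": "2020-07-15T20:10:00Z", "operator": "support_ops_17", "src_ip": "203.0.113.10", "action": "read_dm_inbox", "target": "crypto_exchange_2", "verified": true}
{"ts": "2020-07-15T20:17:22Z", "operator": "support_ops_17", "src_ip": "203.0.113.10", "action": "change_email", "target": "tech_ceo_1", "verified": true}
{"ts": "2020-07-15T20:17:50Z", "operator": "support_ops_17", "src_ip": "203.0.113.10", "action": "password_reset", "target": "tech_ceo_1", "verified": true}
{"ts": "2020-07-15T20:25:05Z", "operator": "support_ops_17", "src_ip": "203.0.113.10", "action": "export_archive", "target": "og_handle_a", "verified": false}
{"ts": "2020-07-15T20:30:00Z", "operator": "support_ops_17", "src_ip": "203.0.113.10", "action": "password_reset", "target": "politician_1", "verified": true}
"""


def parse_events(text):
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def forensic_summary(events, operator):
    """Count distinct accounts on which `operator` reset a password, read the
    DM inbox or exported an archive: the three per-account outcomes Twitter
    reported after its review."""
    touched = set()
    by_action = defaultdict(set)
    for e in events:
        if e["operator"] != operator:
            continue
        touched.add(e["target"])
        by_action[e["action"]].add(e["target"])
    return {
        "accounts_touched": len(touched),
        "password_reset": len(by_action["password_reset"]),
        "dm_access": len(by_action["read_dm_inbox"]),
        "archive_download": len(by_action["export_archive"]),
    }


def detect_anomalies(events, window=timedelta(hours=1), max_distinct=2):
    """Return alert dicts from two rules:
    - contact_change_verified: any email/phone change on a verified account;
    - velocity: one operator performs sensitive actions on more than
      `max_distinct` distinct accounts inside a sliding `window`.
    The thresholds are illustrative and would be tuned to real baselines."""
    alerts = []
    per_operator = defaultdict(list)
    for e in events:
        if e["action"] in CONTACT_CHANGE and e["verified"]:
            alerts.append({"rule": "contact_change_verified", "operator": e["operator"],
                           "target": e["target"], "ts": e["ts"]})
        if e["action"] in SENSITIVE:
            per_operator[e["operator"]].append(e)
    for operator, evs in per_operator.items():
        start = 0  # left edge of the sliding window (events are time-sorted)
        for i, e in enumerate(evs):
            while evs[start]["ts"] < e["ts"] - window:
                start += 1
            distinct = {x["target"] for x in evs[start:i + 1]}
            if len(distinct) > max_distinct:
                alerts.append({"rule": "velocity", "operator": operator,
                               "targets": sorted(distinct), "ts": e["ts"]})
                break  # one velocity alert per operator is enough for triage
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(forensic_summary(evs, "support_ops_17"))
    for alert in detect_anomalies(evs):
        print(alert)
```

On the constructed log the single-ticket operator raises nothing, while the compromised session trips the verified-contact rule on its first high-profile target and the velocity rule once it has touched three distinct accounts within an hour, well before its later resets. Either rule firing on the internal tooling would have given responders a signal hours earlier than the public scam tweets did.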

Impacts on Platform Trust and Financial Markets

The 2020 Twitter account hijacking resulted in scammers receiving approximately $121,000 in Bitcoin through fraudulent transactions prompted by the hijacked posts, representing direct financial losses tied to the incident. While Bitcoin's overall price exhibited limited volatility immediately following the July 15 event—trading stably around $9,100–$9,200 per coin with no sustained dip attributable to the hack—the episode underscored vulnerabilities in leveraging social platforms for cryptocurrency scams. Twitter's stock (TWTR) experienced a sharp decline, dropping nearly 7% in pre-market trading on July 16, 2020, which equated to a $1.3 billion loss in market capitalization as investors reacted to revelations of internal tool exploitation and compromised high-profile accounts. This reaction reflected broader market concerns over the platform's security lapses, though shares partially recovered in subsequent sessions amid Twitter's mitigation announcements. The incident eroded confidence in Twitter's verified badge system, as hackers commandeered accounts of prominent figures like Barack Obama, Elon Musk, and Joe Biden, prompting users and experts to question the reliability of authentication markers for distinguishing legitimate content. Security analyses highlighted this as a fundamental breach of platform integrity, fostering skepticism about tweet authenticity and raising fears of user disengagement, even without quantified exodus data. A New York Department of Financial Services investigation revealed systemic cybersecurity deficiencies at Twitter that enabled scam facilitation, with surveyed cryptocurrency firms reporting proactive countermeasures but emphasizing the hack's potential to amplify financial fraud risks across markets. The report criticized Twitter's internal controls, noting how the breach exposed users to phishing and misinformation vectors, thereby diminishing perceived platform trustworthiness for secure communications and transactions.

Implications for Election Security and Misinformation Risks

The 2020 Twitter account hijacking, occurring on July 15, 2020—less than four months before the U.S. presidential election—intensified apprehensions regarding the platform's susceptibility to manipulations that could masquerade as authentic political communications. Compromised accounts included those of presidential candidate Joe Biden and former President Barack Obama, among others, illustrating how internal tool access could enable the rapid posting of deceptive content from verified profiles. Had perpetrators leveraged this access for ideological aims rather than a cryptocurrency scam, such accounts could have disseminated false endorsements, fabricated policy announcements, or inflammatory statements timed to sway voter sentiment or erode trust in electoral processes. Despite the breach yielding approximately $120,000 in Bitcoin profits through scam promotions rather than overt political disruption, its mechanics—social engineering of Twitter employees to gain administrative privileges—exposed a pathway for state or non-state actors to inject high-fidelity misinformation into election discourse. Official investigations confirmed the attackers' profit motive, with no evidence of coordinated election interference, yet the incident refuted claims minimizing such vulnerabilities as improbable or contained, given the minimal resources (a 17-year-old lead perpetrator and accomplices) required to target over 130 accounts. This ease of compromise underscored causal risks in relying on unverified internal safeguards, where a single breach could flood timelines with content mimicking deepfake-level authenticity from trusted sources, potentially amplifying echo chambers or suppressing counter-narratives during vote mobilization phases. 
Centralized platforms like Twitter, dominant in shaping real-time public information flows, inherently concentrate failure points that adversaries could exploit for asymmetric influence operations, as evidenced by the hack's demonstration of unchecked administrative access propagating uniform false posts across disparate accounts. This monopoly dynamic contrasts with distributed architectures, which, by design, lack singular chokepoints for content control, though real-world implementations have yet to face equivalent scale tests. The episode prompted congressional scrutiny into platform accountability, revealing how Big Tech's internal opaqueness could enable undetected escalations in misinformation potency, particularly when high-credibility accounts serve as vectors for untraceable narratives in polarized electoral environments.
