Business Standard

The big hack

DEVANGSHU DATTA

The details of how the Twitter-bitcoin hack occurred this week are as yet unclear. What we know is that somebody gained access to about 130 verified and highly followed Twitter accounts, and used that access to scam an estimated $120,000 equivalent.

This list of hacked Twitter accounts included the accounts of Elon Musk, Bill Gates, Barack Obama, Apple, Uber, etc. The hacker or hackers sent out a series of identical messages. These essentially solicited bitcoin donations into a couple of cryptocurrency wallets with a promise that the sender would reciprocate by sending back double the amount.

Mr Musk’s first scam-tweet, for instance, said he would double any payment sent to a given bitcoin wallet because he was feeling generous due to Covid-19. The other messages from other verified accounts were identical or similar, with minor variations, and at least one other bitcoin wallet mentioned.

These were all verified, blue-tick Twitter accounts, with two-factor authentication (2FA) enabled in many cases. According to Twitter, which shut down access to all verified accounts for a brief while, passwords were not compromised. The hacker or hackers gained access to the tools used within Twitter to spoof these messages.

How they did this is not yet clear. The hack may have been done by a rogue Twitter employee, or it may have been a smart hack into the Twitter system, or a social hack where someone conned Twitter’s employees into giving them access. Some people fell for the scam and transferred bitcoins equivalent to about $120,000 to the referred wallets. Bitcoin traded at around $9,100 when the hack happened, so there were around 13 coins transferred to those wallets. Each coin can be broken up into multiple, unique micro-units, down to a Satoshi, which is one-hundred-millionth of a coin. So, there may have been a large number of people who fell for the scam.

Bitcoin is famous for its blockchain, the electronic ledger which can be accessed by anyone who cares to do so. Blockchains are difficult to hack. Every bitcoin transaction has to be verified by a majority of blockchain users, and every transaction ever made in bitcoin is recorded on the blockchain.

Using the blockchain we can look at a wallet and see the coins it holds. A transaction is confirmed when users agree that the unique coin “X” was in a given wallet “A”, and that X was transferred to another given wallet “B”, by using a unique cryptographic key possessed by only the owner of that wallet A.

However, the bitcoin blockchain is anonymous by design. While anybody can verify a specific bitcoin has been transferred from wallet “A” to wallet “B”, the name of the owner of either wallet is not verifiable. Anybody can own any number of wallets. Indeed, anybody can make a wallet, or download any number of wallets for free, anonymously from different services.

Since transactions can only be made by the use of that unique key which is associated with each wallet, the owner of a wallet can remain anonymous. Finding the actual owner of the wallets used in the hack will be hard. Transfers of coins can be tracked, even though a smart hacker will layer in multiple transactions to make this hard. Transfers of the hacked coins on crypto exchanges outside the jurisdiction of US law enforcement will be impossible to stop. It’s very likely that the victims will never get their money back.

It’s clear there are ways of bypassing 2FA and taking control of verified accounts even at one of the world’s most high-profile tech companies. Whether this involves a social hack, or a smart guy bypassing security is almost irrelevant. There will always be routes into widely used systems, where a multitude of people (Twitter’s employees in this case) have access to system tools.

Twitter stores little in the way of sensitive personal information, even about verified accounts. The US also has a good setup for investigating cybercrimes. What happens in India if somebody hacks into Aadhaar or Aarogya Setu, where there is a truckload of sensitive personal information and no law for personal data protection?
