🧨 Twitter Attacked — Issue No. 103

On Wednesday, July 15th, 2020, a hacker succeeded in compromising Twitter. The hacker gained access to seemingly all accounts on the platform, and used this power to tweet a Bitcoin giveaway scam, first from the accounts of crypto personalities and exchanges, and later from the accounts of high profile celebrities and politicians. Kanye West, Joe Biden, Elon Musk, Bill Gates, and Warren Buffett were among dozens of accounts that tweeted the scam.


There are two angles from which one can approach this event when thinking about how it impacts crypto. The first is obvious: a Bitcoin giveaway scam was used to monetize this attack. Does that tell us anything about Bitcoin? And how will it impact the public's perception of cryptocurrencies? The second angle is less obvious: what does this remarkable failure on the part of Twitter's security tell us about the risks of concentrated power, and the need for decentralized systems? We'll unpack both of these questions in this 103rd edition of Build Blockchain.

What Happened

On Wednesday afternoon (ET), a number of cryptocurrency exchange accounts began sharing tweets that were obvious scams, though they came from official accounts. Initial speculation was that a popular third-party tool used by many companies to schedule tweets may have been compromised. This changed when the same scam tweets began to be shared from the personal accounts of high profile people, starting with Elon Musk.


As the afternoon wore on, many more high profile accounts began tweeting the scam, and it became apparent the hacker had hit more than a third-party tool. The attacker seemingly had free rein to tweet from virtually any account. Finally, after nearly four hours had passed since the first fraudulent tweet, Twitter locked the accounts of all verified "bluecheck" users, which includes most of the large and prominent accounts on the platform. Several hours later, presumably after Twitter addressed the issue, the accounts of these high profile users became accessible again to their owners.

Why Bitcoin?

The hacker seems to have netted an amount of Bitcoin valued on the order of $100,000 – $200,000. This is not pocket change, to be sure, but is relatively small given the scale of the breach. Weren't there many more valuable things the attacker could have done with that power?

This seeming mystery has led some to speculate that the Bitcoin scam itself may not have been the main event. Was it just a distraction while the hacker scraped the sensitive Direct Messages of famous users? Was it somehow a warning shot to Twitter, demonstrating the hacker's capabilities?

I admit that, in the moment, I was thinking along these lines as well. It seems like there are many more creative and profitable things one could do with the exploit. Upon further reflection, though, I'm not so sure. Many of the obvious moves one could imagine—like shorting Tesla stock and tweeting something crazy from Elon's account—require capital and access to Western financial systems, and would also put the attacker at risk of being tracked.

It could just be that the properties of Bitcoin, and crypto more broadly, made it ideal for profiting from the hack with the least chance of getting caught afterwards. This is a reminder of an uncomfortable truth: Bitcoin is often used by less than savory characters. From darknet markets, to ransomware attacks, to money laundering, nefarious use cases remain a small-but-not-insignificant proportion of Bitcoin's usage. To the extent this attack registers with the general public, my guess is Bitcoin's involvement will only serve to reinforce the sometimes overblown perception of crypto as being used by criminals.

Our knee-jerk reaction, as crypto proponents, may be to push back on or diminish this perception, but I think this would be shortsighted. The properties that make crypto great for objectionable use cases also make it great for freedom. These two things are not in conflict. In fact, how could it be any other way? Bitcoin can't tell who the good guys are. Are you sure you can?

The fact of the matter is, the end of physical cash is inevitable. The argument we should be making isn't that Bitcoin will never be used for behavior we don't like; it's that a future without decentralized digital money is far worse than the misdeeds that might be carried out because it does exist.

Twitter's Incompetence

If a future without decentralized money seems bleak, perhaps we could say the same about one without a more decentralized internet broadly. This incident demonstrates why.

Think of the incredible damage this attacker could have done with the power to tweet from any account. In a way, we got lucky if all they really wanted was to make some money. I don't think it's an exaggeration to say a devious tweet from a more villainous attacker could have provoked an international event, triggered mass rioting, or produced any number of other results that got people killed.

So how did Twitter let this happen? In a series of tweets after the attack, Twitter Support stated, "We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools."

When I first heard this explanation, I was incredulous. Could Twitter really have employees walking around with "god mode" admin access? Is there not, at a minimum, a "two-man rule" failsafe required before commandeering the accounts of the most important people in the world? And if this god mode access does exist, would the employees who had it really be so poorly trained that they'd fall for a social engineering attack of some kind?
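As an added illustration (not Twitter's code, and not something the post describes), here is what such a two-man rule could look like when placed in front of an internal support tool: actions on protected accounts need a second, distinct privileged person to approve, and every decision is audit-logged. The staff roster, protected-account list and handles are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data for the example: staff who hold the support-tool
# role, and accounts whose takeover carries outsized risk (verified handles).
PRIVILEGED_STAFF = {"alice", "bob", "carol"}
PROTECTED_ACCOUNTS = {"@exchange_demo", "@celebrity_demo"}

AUDIT_LOG: list[dict] = []  # every decision, allowed or not, is recorded


@dataclass
class PrivilegedRequest:
    actor: str                      # employee initiating the action
    target: str                     # account the action touches
    action: str                     # e.g. "reset_email", "post_tweet"
    approvals: set = field(default_factory=set)


def approve(req: PrivilegedRequest, approver: str) -> bool:
    """Record a second-person approval.

    Self-approval and approvals from outside the privileged role are refused,
    so a single phished staff account cannot satisfy the rule on its own.
    """
    if approver not in PRIVILEGED_STAFF or approver == req.actor:
        return False
    req.approvals.add(approver)
    return True


def authorize(req: PrivilegedRequest) -> bool:
    """Decide whether the action may run and always write an audit record.

    Routine accounts need one privileged actor; protected accounts need a
    second, distinct privileged person to have approved the same request.
    """
    needs_second = req.target in PROTECTED_ACCOUNTS
    others = {a for a in req.approvals
              if a != req.actor and a in PRIVILEGED_STAFF}
    allowed = req.actor in PRIVILEGED_STAFF and (not needs_second or others)
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": req.actor, "target": req.target, "action": req.action,
        "approvers": sorted(others), "allowed": bool(allowed),
    })
    return bool(allowed)
```

The audit record is written whether or not the action is allowed, so a burst of denied attempts against protected accounts is itself a detection signal.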

Once again, I found myself entertaining other theories. Was this merely the cover story for a more serious vulnerability? Yet once more, after some reflection, I'm not sure there's a reason to suspect anything deeper going on here. I'm a big believer in Hanlon's Razor, which exhorts us to "never attribute to malice what is adequately explained by incompetence." Well, if the official story is indeed true, it reveals incredible incompetence on Twitter's part.

Proponents of a more decentralized internet, myself included, often worry about the power giant internet aggregators—like Facebook, Google, Twitter, and others—wield in the modern world. For me, this worry has always been driven by the fear these companies might abuse this power, or be co-opted by governments. I never thought to consider they might just be too stupid to be trusted.

Whatever the failure mode looks like, concentrated power seems always to come back and bite societies that tolerate it. Enough is enough! This hack demonstrates yet again why we ought not entrust our digital futures to pseudo-monopolistic centralized platforms. It adds urgency to the mission of leveraging decentralized cryptonetworks to mitigate or diminish their power.

As a platform for building the kinds of systems that might curtail the power of these companies, Ethereum is leading the way, but I'd love to see even more experimentation. For the last couple of years, much of the energy in the ecosystem has been focused on financial primitives. Some incredibly impressive things are being built, but I hope we're just getting started by tackling finance. DeFi is great, but it should only be step one in reclaiming our digital sovereignty.