The Great Twitter Hack of 2020

Think about it this way, you’re some kid in Belgium and you get access to Twitter’s internal tools, how do you monetize that? Do you approach the Russian FSB and try to sell it? They probably already have access anyway, and there are substantial risks to your safety and future liberty betraying your country.

The Bitcoin scam is largely untraceable (poor opsec aside) and ultimately nobody important will care about it. Sure law enforcement will try to catch you, but you won’t have politicians putting the full force of their security services to tracking you down.

At a minimum I’d do a bit of insider trading. “Funding secured” Mk 2. But, yeah, this does point to it being a kid and not some serious group, let alone a state actor.

As argued in the link below, for such a public hack (and not something more subtle) this might have been the best that was possible. First you need extant capital to be able to make an “inside” trade. And that type of trading activity is noticeable in retrospective investigations. And then you get caught.

https://diff.substack.com/p/the-hack-when-crime-pays-fractions

There just isn’t a great supply chain linking the ability to move markets through hacks to the ability to realize profits from those hacks. Both skills exist, independently, but the social gap, information gap, and trust gap make it almost impossible for the two to combine. Add that to the low probability of the hacks themselves—it’s not every day that someone exploits a major tech company so effectively—and the odds drop to nearly nil.

If you’re a smart hacker who can break into Twitter and take over any account, bitcoin plus bragging rights may be the only payoff you have a reasonable chance to collect. If you want your Interactive Brokers account to briefly show a billion-dollar balance that you’ll never collect, you might as well edit your balance with Chrome’s DevTools. You’re just as likely to spend it that way.

So an example on that needing capital thing. If you played with far OTM (out of the money) options (essentially high leverage for high risk) on meme stocks.

A call option on TSLA@24Jul@$3000 respectively would return you “only” 15x if you managed to drive the current price of $1500 to $2000 (a 33% price increase).

So if you only had 10k of liquid capital to invest, you end up with $150k, so not actually that much more than the bitcoin haul.

And even if you had capital/connections to someone with capital, someone dumping an order of magnitude more (e.g. $100k+) into far OTM options expiring next week is probably going to be noticed on the followup investigation that will happen.

Gee, I wonder if it was all Democrats.

https://www.sao13th.com/2020/07/hillsborough-state-attorneys-office-tapped-to-prosecute-worldwide-bit-con-hack-of-prominent-twitter-users/

Mastermind currently pinned as a 17YO Floridian kid.

Twitter internal controls can be basically boiled down to lol what controls

The big secret here is that most companies are like that. Once you get past the perimeter and social engineer someone into thinking you should have access, you’re in. There are no access controls targeting employees.

This is doubly true for a social media company, employing many thousands of low-paid shellshocked “contractors” to moderate the most awful content in the world. You can’t lock down any system when you have thousands of third-parties in Dallas, Bangalore, Tijuana, and Odessa who need access.

Not that Twitter couldn’t have done better. Of course they should have added access controls, roles, etc, to their admin UI. But that’s not a revenue generator, it’s a cost. Nobody wants to pay for that shit until after they get burned.

You’re 17 and you’ve just been charged with 30 felonies. Have fun with that.

Eh, the dude does five years in jail, makes friends with drug lords, gets out and makes a few million running computer scams for the cartel. It’s an alternative higher education path!

Or goes the Kevin Mitnick route.

What is the Kevin Mitnick route?

Made a career after doing his time as a security consultant and doing security training.