Twitter Struggles to Unpack a Hack Within Its Walls

The Senate Select Committee on Intelligence said it would request information from Twitter about the hack. “The ability of bad actors to take over prominent accounts, even fleetingly, signals a worrisome vulnerability in this media environment, exploitable not just for scams but for more impactful efforts to cause confusion, havoc and political mischief,” said Senator Mark Warner, Democrat of Virginia, the vice chairman of the committee.

The attack on Wednesday came in waves. First, attackers used their access to Twitter’s internal tools to take over accounts with distinctive user names like @6, an account that once belonged to the security researcher and hacker Adrian Lamo. Then the attack hit the Twitter accounts of prominent cryptocurrency leaders and companies. The next wave included many of the most popular accounts, including those belonging to political leaders, industry titans and top entertainers.

The messages were a version of a long-running scam in which hackers pose as public figures on Twitter and promise to match or even triple any funds that are sent to their Bitcoin wallets. But the scam on Wednesday was the first to use the real accounts of public figures.

The hackers received $120,000 worth of Bitcoin in 518 transactions from around the world, according to Chainalysis, a research company that tracks the movement of cryptocurrencies. Most of the victims had Bitcoin wallets associated with Asia, but about a quarter came from the United States, according to another cryptocurrency research firm, Elliptic.

Soon after the money came into their wallet, the hackers began moving the money in a complicated pattern of transactions that will help obscure the source and make it harder to track, Chainalysis found.

“It looks like someone who has some computer skills, but not someone who is using the most sophisticated ways to launder the coins,” said Jonathan Levin, the chief strategy officer at Chainalysis.

Twitter quickly removed many of the messages, but in some cases similar tweets were sent again from the same accounts. The company eventually disabled broad swaths of its service for hours.