undefined | Better HN

0 comments

120 comments · 50 top-level

fishtoaster5y ago· 11 in thread

It could just be a relatively unsophisticated actor who stumbled upon a serious vulnerability and didn't know enough to market it to, eg, a state actor or whatever.

doomjunky5y ago

I remember last year around christmas/new year 2018/2019 a similar hack/leak/doxxing took place, targeting 994 (!!) mostly german politicians, celebrities and influencers. Massive amounts of private information (names, addresses, phone numbers, e-mails, DMs, contacts, online profiles, chat logs, private documents and even intimate details) where leaked. The data was published on a wide spread of public pastebins and etherpads. It took ages to take them down. The attacker had set up a labyrinth of links, files and passwords and even structured the data by topics and political parties.

Attack vector: Sim-Swapping. It was too easy. As soon as he got into one account, he got access to it's contacts and more phone numbers.

The attacker (0rbit) was a 20 year old student living at his parents home. He bragged about his hack to a online friend. This friend knew that 0rbit had been raided by the police years earlier. He betrayed him to the investigators and with the exact date of the raid the they were able looked up the old case and reveal his identity.

Previously on HN: https://news.ycombinator.com/item?id=18823286

But then why set up a rather simply scam instead of getting the bug bounty from twitter? That wallet is currently sitting at about 150k USD and these are rather hard to pay out. Why not just go for 100k USD bug bounty, completely legal and with fame?

14 more replies

bb20185y ago

Occam's razor says this is almost certainly the case. It isn't like the hacker knew that it would generate such little bitcoin being sent their way until after it failed.

Especially if the hacker is not from the US it seems much easier to do the bitcoin hack than try to contact a company thousands of miles away that you know one at.

mortenjorck5y ago

While possible, this scenario requires such a massive disconnect between the attacker's skill, connections, and luck versus their understanding of economic and geopolitical context that I would consider it among the least likely.

Scoundreller5y ago

Sounds like the 2005 hack of the Danger Sidekick (early smartphone device). I think the fellow went by the 'nym "ethics".

Dude couldn't exploit it for much, despite being able to takeover/access any account, and everything was in the cloud.

zelly5y ago

What would a state actor do with this? Read celebrities' DMs?

WhyNotHugo5y ago

Quite true. Maybe some unscrupulous 19 year old with average understanding of tech, who happened to have access to the right tools at the right time.

ransom15385y ago

Yeah, like altering a POST variable.

Never attribute to malice what is easily explained by incompetence.

Hanlon's Razor BOIIII

mafia boy 2.0

VectorLock5y ago

Someone got mugged with their phone unlocked and the mugger had a friend who was into bitcoin.

jgbond5y ago· 8 in thread

I’m guessing DMs were the real loot. The public display with the BTC diversion validates any DMs that were stolen. Otherwise blackmail targets could deny them.

These are publicly managed Twitter accounts, they probably don't have any DMs of substance.

reilly30005y ago

I think that's the case. No prominent Republicans were targeted. See: Watergate, Wikileaks DNC emails. Same shit.

cj5y ago

If DMs were the real loot, they wouldn’t have exposed the hack by tweeting on the account.

Data theft like that is normally silently dumped after the breach occurs and anyone knows what happened.

This looks more like data injection somewhere. Perhaps an old API exploit. You used to be able to send an SMS to tweet, for example.

vlz5y ago

What does "DM" mean in that context?

(Went to wikipedia, but their suggestions like Death Metal and Dance marathon are probably not it ;) https://en.wikipedia.org/wiki/DM )

ben1745y ago

Interesting theory, but then why would they include Apple? Among others in the list, they’re almost guaranteed to be of no value and only increase the risk.

axaxs5y ago

Interesting theory, but this widespread hack pretty much gives most people plausible deniability in my opinion.

canjobear5y ago

Blackmail targets could still deny them.

bouncycastle5y ago· 4 in thread

Nope. They're actually getting away with quite a big loot!

The number of unconfirmed transactions has catapulted from ~9k to about ~50k right now, which means there's large amount of activity.

It will take a while for the dust to settle.

You can watch them here https://www.blockchain.com/btc/unconfirmed-transactions

chart https://www.blockchain.com/charts/mempool-count

A better graph of the current transactions sitting unconfirmed: https://jochen-hoenicke.de/queue/#0,24h

Note: I'm not saying that these are all from the hack, I'm saying that the activity on the Bitcoin blockchain has significantly spiked, and the hack was still ongoing at the time of writing this.

icedistilled5y ago

I'm a little unclear, is the following correct?.

So basically rando's are sending famous people bitcoin because the famous people tweeted "send us $$ and we'll send you double back"?

And somehow the rando's haven't heard of the hack. Is this what's happening? Like are random people seriously sending them bitcoin? Or is it some weird form of money laundering?

Although since that's very weird behavior even if there was no hack, I suppose I'm not too surprised that those people sending the coin haven't heard of the hack.

reportgunner5y ago

Zoom out and you see that this is normal every ~14 days.

Also number of transactions is in no way related to amount of money being transferred.

Question (I'm not an expert): can unconfirmed transactions be withdrawn? If so, what's the timeline?

So we're likely talking some 50-100 million of dollars being stolen? Insane.

csomar5y ago· 4 in thread

Maybe the dude shorted the Twitter stock?

stjo5y ago

Yeah, I'm not sure there is much to be gained from leaking internal data (are DMs that valuable?). The actual scam is executed so poorly that it can't be the main goal too. "Prooving" you have a good exploit by throwing it away is also not plausible.

drra5y ago

There is a spike of the short volume on 8th - https://fintel.io/ss/us/twtr

wisemanwillhear5y ago

Bad idea for the hacker. Stock ownership is public information.

Doubt it, that would open up too many vectors on an otherwise easily anonymized operation.

dawnerd5y ago· 4 in thread

113k is a little reward?

dvt5y ago

This hack is (quite literally) worth billions of dollars. From market manipulation to geopolitical implications. So yes, 113k is peanuts.

break_the_bank5y ago

Twitter would have probably paid out about $100k for this to be reported via a bug bounty program. $100k is nothing for the risk taken, they could have made a lot more.

williamdclt5y ago

For taking the risk of impersonating several of the richest and most powerful people of the planet? yeah, I'd say yeah. Of course it's not stopping at 113k, but even assuming it'll stop at 500k I wouldn't say it's worth it

paulpauper5y ago

it if seems small it probably because twitter has been under constant attack by crypto giveaway scammers since early 2018. the pool of potential victims has shrunk

hharlequin5y ago· 3 in thread

Quite possibly this isn't a hack and someone got a Twitter admin's account, then got access to the admin panel and "all" accounts without having to hack much of anything.

If there is such a level of privilege in Twitter's stack, that says a great deal about their technology. Insiders must not be able to act as users except in prescribed ways requiring two-person control, logged and 100% audited. Glass-breaking privilege escalation should set off every pager in the company.

slantaclaus5y ago

Based off the NYT article on the stunt this morning, I believe you are correct. It was a social engineering hack. https://www.nytimes.com/2020/07/15/technology/twitter-hack-b...

VectorLock5y ago

After one incident of insider account tampering their entire response was "we must protect Donald Trump's account."

jonny_eh5y ago· 3 in thread

Or a distraction while a bigger hack is going on?

BiteCode_devOP5y ago

Without knowing what they have access to, it's hard to tell.

If it's a third party API key with special priviledged that they hacked, the potential harm is limited.

If they have access to the full system, they could be sending millions of ghost messages to some part of the population right now to get them to do something while we all watch the BTC show:

- scam them

- get them infected to gather a massive bot net

- make them very angry and start some kind of civil unrest in a specific part of the world

- cover a currently happening terrible event somewhere so that we don't learn about it too soon because twitter is the faster medium for that

At this point I realize how critical twitter has became to shape the way we view the world, and govs should worry a lot that this can be happening and act on it quickly.

Bingo, they're probably walking away with all of Twitter's internal data as we speak...

beaner5y ago

What's the logic? It makes the problem much more visible. Ostensibly the fix for fake tweets would also fix whatever they'd be trying to cover.

paulpauper5y ago· 3 in thread

>Such a hack is worth way, WAY more than the few BTC it could bring.

lol tons of ppl have been scammed. If by 'little' you means hundreds of k. In some Eastern European country that can last a lifetime.

break_the_bank5y ago

They could have probably made a 100k by disclosing this to Twitter. The reward/risk graph seems concave down and not convex up.

e20215y ago

They could have make >$10m With Elon’s account alone by manipulating the share price. A few 100k is nothing

JshWright5y ago

That's pennies compared to what a compromise like this would be worth...

GordonS5y ago· 2 in thread

Keeping in mind the attackers will not be able to perform this stunt again though the same attack vector, It could also simply be that the attackers overestimated how much they would make from this attack.

searchableguy5y ago

I doubt that. For one, they wouldn't be reusing the crypto messages from the past which have been seen by everyone on twitter a thousand times. I ignore based on tweet rather than looking at who tweeted it most of the time. So they at least would write new messages if they were after money.

There are so many ways to make money that even a dumb person could find something better than posting crypto ads without compromising on opsec.

ilaksh5y ago

I think they have proven that it works with thousands of YouTube videos with the same scam and basically the same operating mode (impersonating famous people). They have made quite a lot of money.

So they are probably on at least their second attack vector by now.

I mean, who knows, based on the massive number of imposter YouTube stream BTC giveaway scams, this might be a whole sub-industry in India by now. Similar to fake virus scams etc.

glenstein5y ago· 2 in thread

>a demonstration to a big client

Okay, this has me curious. Could someone describe the context/circumstance where you have a 'big client' to whom you illustrate capabilities by this kind of hack? This is a black market thing, right?

I don't doubt it, I'm just curious what this market is, and what it means to be a 'big client' in it, etc.

durpkingOP5y ago

this is not a way for you to demonstrate what can be done to a big client. ignore OP.

I will bite. Without taking a political stance. Imagine you could show GRU that they can make Trump tweet "I just ordered a nuclear strike on..."

What value would you place on this?

The proof will go along with another method of hacking the account that is not disclosed.

Acrobatic_Road5y ago· 2 in thread

You're overestimating the intelligence of the typical scammer.

williamdclt5y ago

The typical scammer doesn't hack twitter

s53005y ago

They're not a scammer. They're a massive multimedia conglomerate hacker.

humaniania5y ago· 2 in thread

Seems more likely to me that it was a Twitter employee or someone with access to an employee's PC to reset passwords.

dividedbyzero5y ago

But wouldn't that be evident very, very quickly, from just looking at a relevant account's audit log, and shut down right away?

toby5y ago

A senior engineer (juniors would not have this level of access) risking their job and facing prosecution for an amount that would certainly be far less than their salary? That doesn't seem likely.

monokh5y ago· 2 in thread

How about the possibility of a Bitcoin marketing campaign?

shdc5y ago

Hmm the thing is, associating it even more with "hack" and "scam" isn't really great marketing.

I like your thinking. This is a novel idea.

durpkingOP5y ago· 1 in thread

What was done was a guaranteed method of getting the method/exploit fixed in record time. If the perpetrator wanted to demonstrate, they would have targeted someone inconsequential that would not have put the problem on twitters radar. They blew their whole wad, likely on purpose, and there is nothing else planned.

cwkoss5y ago

Yeah, the idea that this is an initial step in something bigger doesn't make sense.

If they wanted to exfiltrate data, they already did that previously.

They very loudly burned their access, this seems a lot more like someone trying to monetize their access quickly before their access token expires - squeezing out the last few drops before they can no longer get into the system.

praveen99205y ago· 1 in thread

Or it could be attack on Twitter itself. Jack's policies are not loved by few folks in WH. Just speculating

OR

Twitter's stock was down by some major percentage because of this incident. It could be a way to earn bigger and "legal" money by having prior knowledge about this incident.

samanator5y ago

Wow that's brilliant. I didn't think of that. If someone had a non trivial amount in stock shorts, they could stand to make an exorbitant amount of money.

otabdeveloper45y ago· 1 in thread

There's a simpler explanation: someone wants to destroy Twitter. (Bless them, lol.)

Twitter's only value to the world is the idea that it is a platform where "celebs" can safely broadcast their message to the public. That value proposition has now been destroyed.

the_gipsy5y ago

"destroyed", a bit exaggerated, mate.

quonn5y ago· 1 in thread

It can‘t really be the first three, because Twitter will fix this problem soon. So it would be wasting the exploit.

It‘s either incompetence or your fourth option.

I read about this in the news before I saw it in my Twitter feed. My trust in Twitter has dropped severely.

Why weren’t these tweets deleted immediately and a note pinned to every users feed?

pizza5y ago· 1 in thread

It's possible this was conducted by somebody who underestimated the hack's value, or isn't even really doing it for monetary gain rather than to just stir chaos

ErikAugust5y ago

Are you the AOL Pizza? (I’m guessing not but have to ask)

Firebrand5y ago· 1 in thread

I wonder if they have access to the accounts’ DMs too. Lots of juicy info potentially there.

I’m seeing a lot of discussion of the DMs being the real target, but executives and politicians usually have staff who monitor and post to their social media channels. Hard to imagine Barack Obama communicating anything of blackmail value over a channel that a mid-level social media manager has the password to.

madeofpalk5y ago· 1 in thread

Or just, someone stupid and uncreative got very very lucky and this was all they could come up with.

codesternews5y ago

They are not stupid if they could make such a big attack.

tbrock5y ago· 1 in thread

I think you greatly overestimate the value of this. It’s a sham, everyone makes a few tweets, it’s on the news and it’s fixed and over tomorrow.

Very little damage done that isn’t obviously corrected/correctable short term. In other words, who cares?

I’d pay tree fiddy for this exploit. On the other hand, this person seems to be making BANK getting 13 BTC as of now.

jessriedel5y ago

You could move many, many millions of dollars on the stock market with these accounts. Would require more care and/or tricks to avoid being apprehended than a simple anonymous bitcoin scheme, but the pay off could have been at least a couple of orders of magnitude higher.

sundvor5y ago· 1 in thread

Agree; this looks like an ISK doubling Jita scam for laughs, given the sophistication of the event.

WrtCdEvrydy5y ago

I thought it was just me, but yes... please send me your ISK and I will double it... here's a website with a wallet thing that shows we sent out money... everytime we received some.

LeoPanthera5y ago· 1 in thread

> how little the BTC reward is going to be

So far, the address has received the equivalent of over 50,000 USD.

hn_throwaway_995y ago

Again, nothing. Given the accounts that were hacked, they could easily have moved markets and had pre-placed short bets that would have netted them potentially hundreds of millions.

stilisstuk5y ago· 1 in thread

Inkl bite: lets say I hack capable of doing this. How do I sell my hack?

mhh__5y ago

Walk into the [country] embassy, probably (or twitter these days...)

maaarghk5y ago· 1 in thread

this is the best fun i've had in a while but i've just ruined it for myself with a conspiracy theory that some prankster youtuber has set this up and there will be a "hilarious" video about it tomorrow

s53005y ago

Yeah, not possible with both the last US pres and vice pres being hit.

Literally, at least 3 of the top 10 richest people in the world got hit. All of whom probably really don't like each other to begin with...

binwiederhier5y ago· 1 in thread

Doesn't even look like Twitter has acknowledged the attack yet. The status page [1] shows all green.

[1] https://api.twitterstat.us/

panopticon5y ago

Twitter acknowledged the incident over two hours ago: https://twitter.com/TwitterSupport/status/128351803844522393...

sbassi5y ago· 1 in thread

"few BTC", for US this is no money, but for a scammer in a 3rd world country 13 BTC more money than most people do in their lives.

"few BTC" is relative to the value of what they had, not the average income of the average person.

If I sold a 7500 sqft home in San Fransisco for $200,000 you could say the same thing.

dynamite-ready5y ago· 1 in thread

I think this is a state sponsored attack. Wouldn't want to speculate on which state.

vb6sp65y ago

based on what?

jsnider35y ago· 1 in thread

Frankly, I expect the real prize to be the DMs used by the blue checks. Biden and Barack's DMs are worth much more than 100 grand.

Answerawake5y ago

Do they seem the type of people that would send anything sensitive over Twitter DMs? I'd imagine if anything at the very least they would use iMessage or some messaging app of that nature. Biden seems like the type of guy who relies on e-mail.

staycoolboy5y ago· 1 in thread

I can't imagine the user's devices were targeted (e.g. Obama's cell phone), so this must be internal. Eff me.

OriginalPenguin5y ago

Why? It's certainly imaginable Obama's cell phone was targeted.

feydaykyn5y ago· 1 in thread

What about Donald Trump wanting to shame the company which prevented him to tweet? Is it too far fetched?

WillPostForFood5y ago

Real estate developer by day, elite hacker at night?

6nf5y ago· 1 in thread

The BTC is adding up to many millions so far. I'd say it's worth it by itself.

nseggs5y ago

Lol not even close

joering25y ago· 1 in thread

I think its mostly test of miners - prominent group of tech-related personas have been hacked, so I wonder if they end up asking miners not to validate/approve the list of incoming/outgoing transactions. If they choose to minimize priority of this transactions, they may get delayed over 14 days and eventually fell off a block as never processed bitcoins. Then spender gets their money back. In 14 days they may realize it was a scam. They probably already did!

londons_explore5y ago

If I were a miner now, I would not reverse these transactions.

Setting the precident that transactions can be reversed will do more harm to the crypto ecosystem than than $100k being taken from gullible users.

drefanzor5y ago

Twitter's API is being updated within the next day. This is likely hackers abusing a known exploit in the current API before the changeover.

1) https://twitter.com/TwitterDev/status/1283068902331817990?s=...

Just wild speculation, but could it also be a stock-market play? It seems the stock went down by quite a bit in after-hours trading [0]. Shorting the stock I guess would have earned you quite a bit more than the few BTC made directly.

[0] https://techcrunch.com/2020/07/15/twitter-stock-slides-after...

powersnail5y ago

Another possibility is that they have already sold the hack, but the relationship with the buyer deteriorated for whatever reason, so they decided to burn the bridge.

stjohnswarts5y ago

I highly suspect that it's an inside job and someone had become aware that a security hole in the api/interface was getting ready to get patched so they jumped on it as a hail mary to make some bucks. It's one of the few things that makes sense. Otherwise they would have sold it to some nation state to pull the trigger on when they need a propaganda coupe.

adventured5y ago

> - a diversion while they get the real loot

It's that one. They were after the DMs of one target, and needed cover for who they were specifically after, so they hit many accounts.

caretak3r5y ago

Just imagine trading secrets to foreign actors, or selling misinformation. Can you even think of the covert operations that could have taken place to slowly poison streams of people in the twitter-sphere? This is a big yikes on a platform that "poses" as a platform of democracy and free speech.

cookiengineer5y ago

In any case this is the perfect example why 2FA via ss7 is the worst idea any developer ever had.

I mean, to take over your account I just have to grab an old motorola phone and let an imsi catcher software run on it.

I hope that twitter learned that 2FA via SMS should be treated as what it is: totally unnecessary.

dx0345y ago

If this is a demonstration to a client I don't want to know what the product is they're selling. There are few more valuable targets than being able to hijack communication of public figures.

rland5y ago

I wonder if it's coming from inside the US, to prevent the President from using Twitter the way he has used it -- signifying that the presidential twitter account could be compromised, without actually compromising it and with minimal damage otherwise.

m0zg5y ago

Apparently hackers have commented that they now have DMs of all the hacked blue checks. They referred to that as the "fun" part of this exercise.

lanevorockz5y ago

There is a bit of romanticism about hacking here, things are way more boring than you would think. Likely that some process on the authentication process at twitter was broken and someone took advantage to have a laugh.

Hijacked the authentication cookies and injected into the app that skips validation for performance. Likely nobody got access to the accounts themselves but just allow them to tweet some jokes.

Isn't a bit to high profile - the perps risk attracting the attention people a bit more serious than overworked police fraud squads

lazyjones5y ago

> a diversion while they get the real loot

How about market manipulation via other tweets that subtly affect trading bots reading Twitter?

homero5y ago

Yeah a couple of tweets could have made them millions with financial derivatives.

etxm5y ago

> a diversion while they get the real loot

Twitter as a riderless horse would be wild.

tazedsoul5y ago

This.

downandout5y ago

People have been gushing about the value of such a hack, but as a marketer I can tell you that Twitter traffic is pretty close to worthless. I suppose there are other things you could do, such as manipulating stock prices. But that would take a large amount of capital to take advantage of, which this person may not have had.

j / k navigate · click thread line to collapse