undefined | Better HN

0 pointscwkoss5y ago0 comments

Yeah, the idea that this is an initial step in something bigger doesn't make sense.

If they wanted to exfiltrate data, they already did that previously.

They very loudly burned their access, this seems a lot more like someone trying to monetize their access quickly before their access token expires - squeezing out the last few drops before they can no longer get into the system.

0 comments

ALittleLight5y ago

I don't know the number of accounts affected, but there seem to be many, and there are multiple unique messages. Richer accounts offered to "double" BTC up to greater amounts than poorer accounts, some messages refer to "fans" and others refer to the bitcoin community.

Someone (or someones) had to configure a message for each victim, they had to write the script to send all the tweets simultaneously, they probably had to test the script, they had to execute it. To me, that says they had enough time to think about what they were doing and weren't racing a very short expiration clock.

If I were at twitter I might try to investigate by looking for accounts that they might have used to test their script. If you could look for something like multiple accounts tweeting the same thing within 1 minute, in the past couple weeks, you could turn up some candidates for test accounts. You could further refine that by checking the messages sent, follower counts, etc. Maybe the hacker will leave behind clues on the script test account.

tornato75y ago

It was only a couple dozen accounts right? They could have just had a bunch of browser windows up and hit send all at the same time. This is a very low-effort scam, all they really had to do was tweet their wallet address.

andymal5y ago

No, was watching the tweet stream for this address. It was sent out on hundrends or thousands of accounts. Dozens of high profile accounts sounds correct.

incidentnormal5y ago

> If you could look for something like multiple accounts tweeting the same thing within 1 minute, in the past couple weeks, you could turn up some candidates for test accounts

I think this would turn up alot more results than you bargained for.

ALittleLight5y ago

I think it could be easy enough to pare down programmatically. You'd have to search by adding things like:

* 5+ accounts tweeting exactly the same message

* Not using the mobile app

* Fewer than 10 followers

* Fewer than 10 following

* Liked fewer than 10 tweets

* Retweeted fewer than 10 tweets

* Accounts created within 24 hours of each other

* Account creation metadata is similar

* Account less than 1 month old

You could probably come up with more criteria to help narrow the scope and play with the numbers. I would bet that you probably come up with hundreds to low thousands of accounts fitting those criteria at most. You could spend an hour scrolling through them looking for something suspicious - and I don't think it would take too long to put this kind of thing together if you had database access.

aj35y ago

Or someone bragged about their super awesome access to Twitter on some IRC or Discord channel, posted proofs which unintentionally leaked the session tokens / exploit to others and the whole bunch of kids went crazy due to fear of missing out on the event of the century. Basically like all these seemingly normal people that suddenly turn into looters when all hell breaks loose.

yesplorer5y ago

and they all happen use the same BTC address?

1 more reply

tornato75y ago

And by burning their access they could make sure nobody else is able to use that exploit to exfiltrate data

benlumen5y ago

Very loudly indeed. Think message sent or stocks shorted.

mdoms5y ago

Unless they already did their exfil.

cwkossOP5y ago

Yep. If they did exfil, it would make sense to do before they tweeted. I expect we'll see solicitations offering to sell a copy of DMs from the affected accounts - even if the hacker didn't exfil, the public doesn't know that and opportunistic scammers may try to pose as the hacker to get BTC.

Interestingly, by tweeting a bitcoin address, the hacker could authenticate themselves to 'potential buyers' by accurately describing future transfers of bitcoin from the tweeted address.

boring_twenties5y ago

> accurately describing future transfers of bitcoin from the tweeted address.

No need to do this, just sign a short piece of text with the private key.

j / k navigate · click thread line to collapse

0 comments

ALittleLight5y ago

tornato75y ago

andymal5y ago

No, was watching the tweet stream for this address. It was sent out on hundrends or thousands of accounts. Dozens of high profile accounts sounds correct.

incidentnormal5y ago

> If you could look for something like multiple accounts tweeting the same thing within 1 minute, in the past couple weeks, you could turn up some candidates for test accounts

I think this would turn up alot more results than you bargained for.

ALittleLight5y ago

I think it could be easy enough to pare down programmatically. You'd have to search by adding things like:

* 5+ accounts tweeting exactly the same message

* Not using the mobile app

* Fewer than 10 followers

* Fewer than 10 following

* Liked fewer than 10 tweets

* Retweeted fewer than 10 tweets

* Accounts created within 24 hours of each other

* Account creation metadata is similar

* Account less than 1 month old

aj35y ago

yesplorer5y ago

and they all happen use the same BTC address?

1 more reply

tornato75y ago

And by burning their access they could make sure nobody else is able to use that exploit to exfiltrate data

benlumen5y ago

Very loudly indeed. Think message sent or stocks shorted.

mdoms5y ago

Unless they already did their exfil.

cwkossOP5y ago

Interestingly, by tweeting a bitcoin address, the hacker could authenticate themselves to 'potential buyers' by accurately describing future transfers of bitcoin from the tweeted address.

boring_twenties5y ago

> accurately describing future transfers of bitcoin from the tweeted address.

No need to do this, just sign a short piece of text with the private key.

j / k navigate · click thread line to collapse