
Twitter — verified-account Bitcoin scam

A 17-year-old social-engineered Twitter employees into admin tool access, hijacked 130 high-profile accounts including Obama and Musk to run a Bitcoin scam, and collected $120,000.

Target
Twitter — verified-account Bitcoin scam
Date public
15 July 2020
Sector
Media
Attack type
Phishing
Threat actor
Graham Ivan Clark (17, Florida) and co-conspirators
Severity
High
Region
Global

On 15 July 2020 the Twitter accounts of some of the most followed people on the planet — Barack Obama, Elon Musk, Joe Biden, Jeff Bezos, Bill Gates, Apple, Uber and dozens more — simultaneously started promoting the same obvious scam: send Bitcoin to this address and we'll send double back. The attacker wasn't a sophisticated nation-state hacker. He was a 17-year-old in Florida named Graham Clark. He and his co-conspirators had called Twitter employees, pretended to be from Twitter's internal IT department, and convinced them to hand over access to a back-end admin tool — an internal system that Twitter staff use to manage accounts. With that tool, Clark could change the email address and password on any Twitter account, locking out the real owner and taking it over. The scam made around $118,000 in Bitcoin before Twitter shut down all verified-account posting for several hours. The financial gain was modest. The lesson was not: a single compromised internal tool gave one teenager temporary control over the public voice of world leaders and global companies.

What happened

On 15 July 2020, at around 4 p.m. Pacific time, verified Twitter accounts belonging to Barack Obama, Joe Biden, Elon Musk, Jeff Bezos, Bill Gates, Apple, Uber, Kanye West, Kim Kardashian, Warren Buffett, and more than two dozen other high-profile users simultaneously posted near-identical messages promoting a cryptocurrency scam: send Bitcoin to a listed wallet address, and the amount would be doubled and returned. The messages appeared authentic — posted from verified accounts with millions of followers, with no visible sign of compromise.

The scam operated for a matter of hours before Twitter identified what was happening and took emergency action: it suspended all verified accounts’ ability to post new tweets globally, a drastic but effective containment measure. Approximately $118,000 in Bitcoin was sent to the attacker’s wallet before the posts were taken down.

Within two weeks, law enforcement had identified and arrested the perpetrators. Graham Ivan Clark, 17 years old at the time, was arrested in Tampa, Florida, and charged under Florida state law. Clark pleaded guilty in March 2021 to 30 felony counts and was sentenced to three years in juvenile detention followed by three years of probation. Two co-conspirators — Mason Sheppard (a UK national, 19) and Nima Fazeli (22, from Orlando) — were charged in federal court. The ease and speed of attribution reflected how thoroughly Clark and his associates had left a digital trail.

How it worked

The attack had two phases: obtaining access to Twitter’s internal admin tooling, and using that access to take over target accounts.

For the first phase, Clark and his co-conspirators used phone calls targeting Twitter employees. They posed as Twitter IT staff and persuaded employees to share their credentials for internal systems. The calls were convincing because the attackers had acquired some internal Twitter information in advance — possibly from earlier social engineering or from data available on criminal forums — that allowed them to seem familiar with Twitter’s internal environment. At least some of the targeted employees appear to have been contacted via Twitter’s internal Slack channels before or in parallel with the phone calls.

Using the harvested credentials, the attackers gained access to Twitter’s internal administrative console — referred to in media reporting as “GodMode” or “agent tools”. This interface was designed to allow Twitter’s trust-and-safety and customer-support teams to manage accounts: reset passwords, change associated email addresses, view account data, and take action on accounts reported for policy violations. It was not designed with the assumption that it would be operated by an adversary. A user of this tool could change the password and email address associated with any Twitter account, immediately locking out the genuine owner and enabling the attacker to log in.

For the second phase, the attackers used the admin console to take over high-profile verified accounts. They changed the email addresses and passwords on the target accounts, used the new email to generate password-reset links, and posted the Bitcoin scam messages. The whole process for each account took minutes. The selection of targets — Obama, Musk, Biden, Gates, Bezos — was designed to maximise the apparent credibility of the scam (if Elon Musk is promoting it, surely it’s real) and reach the largest possible audience quickly.

The $118,000 take is small relative to the access the attackers held. The admin console gave them the ability to post from, lock out, and read the private messages of any Twitter account — not just the accounts they chose to use for the scam. The fact that Clark used this access for a Bitcoin scam rather than for targeted data collection, narrative manipulation, or blackmail from private message content reflects the priorities of a 17-year-old focused on immediate financial return. The same access in the hands of a different actor would have been a fundamentally different category of incident.

Timeline

  • 14–15 July 2020 — Clark and co-conspirators call Twitter employees posing as internal IT staff; credentials for admin tooling obtained.
  • 15 July 2020, ~15:00 PT — Attackers begin accessing high-profile accounts via internal admin console.
  • 15 July 2020, ~16:00–17:00 PT — Bitcoin scam posts appear across Obama, Biden, Musk, Gates, Bezos, Apple and other verified accounts.
  • 15 July 2020, ~18:00 PT — Twitter suspends the ability for all verified accounts to post globally. Bitcoin scam posts removed.
  • 15 July 2020, evening — Twitter publishes initial incident statement. Approximately $118,000 in Bitcoin sent by victims.
  • 17 July 2020 — Twitter publishes updated statement confirming internal tooling was accessed.
  • 31 July 2020 — Graham Ivan Clark arrested in Tampa, Florida; Mason Sheppard and Nima Fazeli charged.
  • March 2021 — Clark pleads guilty to 30 felony counts. Subsequently sentenced to three years juvenile detention plus probation.
  • 2021 — Sheppard pleads guilty to federal charges. Fazeli pleads guilty to related charges.

What defenders should learn

The Twitter hack demonstrates why internal admin tools at content platforms are a target category that deserves its own security architecture. The impact of this incident — temporary control of the most followed accounts on the world’s most-used public communications platform — was achieved not by exploiting a software vulnerability, but by reaching a legitimate internal tool through social engineering. The access level of Twitter’s internal admin console was appropriate for its intended users; the problem was that it had no controls capable of distinguishing an authorised internal user from an attacker who had stolen that user’s credentials.

For any platform with an internal trust-and-safety or admin console, the design principle should be that insider access to high-risk functions — mass account management, password resets on high-follower accounts, access to private messages — requires additional authentication factors beyond the initial login. Hardware security keys for admin-tool access, break-glass workflows for privileged account actions, and anomaly detection that flags bulk account modifications in short timeframes are all available controls. None of them are technically novel; they require a deliberate decision to treat the admin console as a privileged system rather than an internal productivity tool.
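As an added example (not code from the incident write-up or from any Twitter system), the following shows detection logic of the kind described above, run over a constructed admin-console audit log: it flags an agent whose email or password changes touch more than a set number of distinct accounts inside a short window, and lists high-risk actions on high-follower accounts that should have demanded a second factor or break-glass approval. The log format, agent names, account handles, follower counts and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log in an assumed format: timestamp, agent, action, account, follower count.
AUDIT_LOG = """\
2020-07-15T15:02:10Z agent_a email_change   @obama_example     120000000
2020-07-15T15:03:44Z agent_a password_reset @obama_example     120000000
2020-07-15T15:05:01Z agent_a email_change   @musk_example      37000000
2020-07-15T15:06:30Z agent_a password_reset @musk_example      37000000
2020-07-15T15:08:12Z agent_a email_change   @gates_example     51000000
2020-07-15T15:09:50Z agent_a password_reset @gates_example     51000000
2020-07-15T15:40:00Z agent_b password_reset @smallshop_example 320
2020-07-15T16:10:00Z agent_b email_change   @localnews_example 4100
"""

HIGH_RISK_ACTIONS = {"email_change", "password_reset"}  # account-takeover primitives
WINDOW = timedelta(minutes=30)                           # bulk-modification window
MAX_ACCOUNTS_PER_WINDOW = 2          # distinct accounts one agent may modify per window
HIGH_FOLLOWER_THRESHOLD = 1_000_000  # above this, demand step-up auth / break-glass

def parse_log(text):
    # Parse the assumed format into (timestamp, agent, action, account, followers) tuples.
    events = []
    for line in text.splitlines():
        ts, agent, action, account, followers = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, agent, action, account, int(followers)))
    return events

def find_bulk_modifications(events, window=WINDOW, max_accounts=MAX_ACCOUNTS_PER_WINDOW):
    """{agent: accounts} for agents touching > max_accounts distinct accounts in any window."""
    by_agent = defaultdict(list)
    for when, agent, action, account, _ in sorted(events):
        if action in HIGH_RISK_ACTIONS:
            by_agent[agent].append((when, account))
    alerts = {}
    for agent, items in by_agent.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # slide window start forward
                start += 1
            touched = {acct for _, acct in items[start:end + 1]}
            if len(touched) > max_accounts:
                alerts[agent] = alerts.get(agent, set()) | touched
    return alerts

def find_high_follower_changes(events, threshold=HIGH_FOLLOWER_THRESHOLD):
    """Sorted (agent, action, account) for high-risk actions on high-follower accounts."""
    return sorted({(agent, action, account) for _, agent, action, account, followers in events
                   if action in HIGH_RISK_ACTIONS and followers >= threshold})
```

In the constructed log, agent_a trips the bulk rule (three distinct accounts in under ten minutes) while agent_b's two routine resets, thirty minutes apart on low-follower accounts, do not.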

The social engineering here was straightforward. It was not sophisticated pretexting based on detailed insider knowledge. Employees were called by people claiming to be IT, and handed over credentials. The same call can be made to any organisation, and the same outcome — compromised internal tool access — is achievable at most organisations whose helpdesk and internal-IT culture does not treat unsolicited credential requests as suspicious by default. The Twitter incident should be read alongside MGM and Caesars as evidence that this is not an edge case but a mainstream, repeatable attack pattern.

The counterfactual use case is worth confronting explicitly in any board-level discussion of the incident. Clark ran a Bitcoin scam. A state-level actor with the same access could have read private messages between heads of state, pre-staged influence operations to launch at a chosen moment, or created a permanent backdoor to a future version of the tool for long-term intelligence collection. The $118,000 in Bitcoin scammed is not the measure of the vulnerability. The vulnerability is that the most powerful communications infrastructure in the world was controllable by anyone who could trick a small number of employees into handing over credentials.

Controls that would have helped

Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.
