Twitter Just Had Its Worst Security Day in Years
A phone-based social engineering attack let hackers hijack roughly 130 verified Twitter accounts to run a bitcoin scam.
Something very strange happened on Twitter today, and it wasn’t a bug — it was people. Within a short window this afternoon, verified accounts belonging to Barack Obama, Elon Musk, Jeff Bezos, Bill Gates, Kim Kardashian, and corporate accounts like Apple and Uber all started posting the same message: send bitcoin to this address and get double back. Classic scam copy, except this time it wasn’t coming from some throwaway account with a stolen profile picture. It was coming from the real, blue-checkmark accounts of some of the most-followed people on the planet.
By the time platforms and users caught on and Twitter locked things down, the attackers had reportedly pulled in over $118,000 in bitcoin, apparently in about two hours of activity. That’s not a huge amount of money by scam standards, but the amount was never really the point. The point is that roughly 130 high-profile accounts got compromised more or less simultaneously, and that shouldn’t be possible if an account takeover requires guessing a password or phishing an individual user.
How does this even happen at scale
The early picture emerging is that this wasn’t a mass password breach or a flaw in Twitter’s public-facing login. Instead, it looks like the attackers went after Twitter’s own people. Using phone-based social engineering — essentially, convincing employees over the phone that they were someone they weren’t — they got access to internal admin tools, the kind of backend panel support and trust-and-safety staff use to manage accounts. Once you have that level of access, you don’t need anyone’s password. You can just post as them directly, or reset the account’s associated email and take it from there.
If that account of events holds up, it’s a much scarier scenario than a technical exploit, because it means the vulnerability wasn’t in Twitter’s code at all — it was in Twitter’s own processes and people. You can patch a server. It’s a lot harder to patch a human being on a support desk answering a convincing phone call.
Why this matters beyond the bitcoin
Set aside the money for a second. The accounts hit today included a former U.S. president and some of the most powerful people in business. If an attacker can post as Obama or Musk on a whim, the scam angle is almost the best-case outcome — a dumb, obvious, easily-debunked crypto grift. A more patient or malicious actor with the same access could have done real damage: moving markets, spreading disinformation, triggering a diplomatic incident, or targeting someone’s DMs for blackmail material. Twitter has apparently now restricted the ability of many verified accounts to tweet at all while they investigate and lock down the internal tooling that got exploited, which tells you how seriously they’re treating this.
We don’t yet know the full mechanics of how the phone calls worked or how many employees were involved, and Twitter hasn’t published a full post-mortem. But three names are already circulating in connection with the case — Graham Ivan Clark, Mason Sheppard, and Nima Fazeli — and it wouldn’t be surprising if charges follow soon given the scale of what happened. For a platform that world leaders, journalists, and companies treat as a real-time communication backbone, today is a reminder that the weakest link in security is very often not the encryption or the firewall. It’s whoever has to answer the phone.