BuzzFeed News

Reporting To You

tech

Twitter Is Still Allowing Scammers To Hijack Verified Accounts To Take People’s Money

Unlike past versions of Twitter cryptocurrency phishing, @TronFoundationl is different: It has a verification badge, the blue check mark that Twitter uses to delineate famous or important accounts from imposters.

Last updated on February 26, 2018, at 7:49 p.m. ET

Posted on February 23, 2018, at 8:20 p.m. ET

This is the Twitter account for Tron Foundation, the organization behind a cryptocurrency that has a current valuation of $2.8 billion. Its handle is @Tronfoundation.

And this is @Tronfoundationl — a cryptocurrency phishing scam account that's posing as the cryptocurrency using the same profile photo, pinned tweet, bio, and location.

These types of scam accounts imitate real accounts and ask followers to send them bitcoin or ether. Often, these scammers promise those that send digital currency that they’ll receive as a reward four or five times the amount of money they put in.

Fortunately, these scammers are usually easy to spot: their usernames have extra letters or symbols, and the accounts were only recently created.

But unlike past Twitter cryptocurrency phishing schemes, TronFoundationl is different: It has a verification badge, which is the a blue check mark that Twitter uses to delineate famous or important accounts from imposters.

Some online have noticed as well.

Apparently somehow this fake acct got verified by @Twitter @TwitterSupport Seems like Twitter doesn’t care except t… https://t.co/li9xZHE6kx

TronFoundationl’s verification hijacking marks the latest in innovation in cryptocurrency scamming. Since the account is legitimately verified by Twitter, it's much more likely to be trusted than other scams, making people more susceptible to falling for its donation ploys.

Adding to the confusion, the FAKE Tron account has perfectly copied the REAL Tron's pinned tweet, which warns users to look out for imposter accounts. The result is an online scam inception of sorts — where the FAKE account is warning users to watch out for fake accounts.

Geoff Golberg, a Twitter user who frequently calls out bot and scam accounts, was one of the first to spot the Tron fake. "I saw it was a verified account so immediately was intrigued. To me, it was clear it was a scam, given that I have been encountering these for quite some time," he told BuzzFeed News. "But to others, given the verified account, I could totally see people falling for it."

And it appears people are falling for the scam. Here's an example of @TronFoundationl replying to a tweet by Justin Sun, the real founder of Tron on Friday afternoon.

In its reply, the FAKE Tron account links to its cryptocurrency wallet address and solicits donations. The blue checkmark sits besides the Tron foundation name, making it look legitimate. The fake tweet has over 200 likes and retweets

So how did @TronFoundationl get verified? A quick scroll through its Twitter feed suggests that the scammers running @TronFoundationl took over the account from a company called LiteracyBridge, an nonprofit based in Seattle, Washington. According to the cached version of its Twitter page and its current Facebook account, LiteracyBridge is an organization focused on "Improving the health, income & quality of life for the world’s most underserved communities by providing life-changing knowledge through innovative technology."

Here's an archived page of the @LiteracyBridge account.

And here is @TronFoundationl's account. After its three most recent tweets, the account picks up where @LiteracyBridge left off — the old tweets are still up and identical to those on the cached @LiteracyBridge page.

Shortly after BuzzFeed News reported @Tronfoundationl to Twitter, the account was taken down. A version of @LiteracyBridge was reinstated in its place. Literary Bridge could not immediately be reached for comment — a phone line listed on its Facebook page was dead.

And @LiteraryBridge doesn't seem to be the only verified account that's been repurposed for a scam.

Scammers appear to have hijacked the verified account of a user named @adaxnik and used it to spoof Tron founder Justin Sun's account as well.

A cached page for @adaxnik shows that the account once belonged to a luxury menswear design team in London.

It's unclear how the scammers took over the verified accounts, but some signs point to a hack.

Nik Thakkar, one of the designers behind @adaxnik, for example, tweeted to Twitter's support team on Monday that his account had been hacked.

Hijacking verified accounts and using them to scam users is, of course, is highly unusual. Normally, Twitter’s standard policy is that when a verified account changes its user name, it is stripped of its verification in order to prevent bad actors from taking over an account and exploiting its verification.

Please note: changing your username will result in losing your badge. Questions? File request at http://t.co/zb2ykUyF we'll get to it ASAP!

Twitter did not explain why the verified accounts were allowed to stay verified after changing usernames. A spokesperson told BuzzFeed News on Friday that it is investigating the changed usernames and noted, "we strongly encourage everyone to use login verification for account security. Also, if an account changes its username, it should lose its verified status. Any instance of this not occurring is an error."

On Saturday and Sunday, Twitter users continued to spot verified accounts that had been hijacked. Scammers began posing as Binance, a popular cryptocurrency exchange, which has a verified twitter handle, @binance_2017.

Seems to be another compromised + verified account @jack (previous one I reported as fake @binance_2017 account too… https://t.co/tEm3aT9o11

In most cases, the hackers did not change the handles of the accounts, but did alter everything else, including the display name, to imitate Binance's account. The accounts kept their verified check marks. On Monday, the company declined to clarify what "error" allowed verified accounts that changed their handles to keep their check marks.

Also, following the original publication of this article, the owner of the the hacked @adaxnik account, Nik Thakkar, regained access after a week of attempting to convince Twitter that he was indeed the real owner. Thakkar told BuzzFeed News that the account for his London-based fashion brand was verified a few years ago after he worked on a live stream collaboration with the social media company. Following its verification, he sporadically tweeted and did not use two-factor authentication to login. He was unsure how hackers gained access.

Thakkar sent BuzzFeed News direct messages that the hacker had with one of his friends. That friend was using an unverified impostor account pretending to be Sun, @justinsontronnn, and was impressed that the hacker been able to obtain access to a handle with a blue check mark.

In other messages that were exchanged last Tuesday and Wednesday, the scammers talked about their cryptocurrency investment strategies and who they should impersonate next, including the Litecoin Foundation, Litecoin creator Charlie Lee, and the founder of Binance. At one point, the hacker claimed that he made $10,000 in one day.

Other direct messages to the hacker, who had taken over compromised verified account @adaxnik, revealed people who seemed willing to send money. It's unclear if they ever did send ether.

On Monday, Twitter CEO Jack Dorsey said that "we discovered this and are fixing the process."

In recent months Twitter has made changes to the verification process; in November the company suspended all verification indefinitely after the social network verified Jason Kessler, a white supremacist who organized the Unite the Right rally last August in Charlottesville that resulted in the death of counterprotester Heather Heyer. "We realized some time ago the system is broken and needs to be reconsidered," said CEO Jack Dorsey.

about 72 hours after @RMac18 and I wrote about bitcoin scammers hijacking verified accounts and conning people out… https://t.co/prtrW1enYy

UPDATE

This post has been updated with a statement from Twitter, additional information about accounts that were hijacked on Saturday and Sunday, and photos from a hacker's direct messages.


ADVERTISEMENT