In March, Twitter CEO Jack Dorsey held a clear-the-air livestream discussion to address concerns about the #health of the company’s platform. Abuse and disinformation were top of mind, but Dorsey also spoke to another problem as well: the proliferation of cryptocurrency giveaway scams.
Send us a small bit of bitcoin, an account made to look like @ElonMusk or @realDonaldTrump would say, pledging in true Nigerian Prince fashion that it would deliver a much larger amount in return. These were unsophisticated schemes, but they were widespread. Dozens of bogus scam-peddling celebrity accounts were being created every day, and that was alarming to Dorsey and to Twitter’s vice president of trust and safety, Del Harvey. On the livestream, Dorsey and Harvey promised quick, tactical action against them, noting that Twitter would use pattern matching and machine learning to eliminate a problem that seemingly came out of nowhere.
More than eight months later, cryptocurrency scams are still prevalent on Twitter. Though the platform outright banned all cryptocurrency ads in March, fraudsters — some who appear to be Russia-based — have become more sophisticated and are starting to hack verified accounts with high follower counts to push their scams. In some cases, they’ve even purchased and run Twitter ad campaigns to promote them.
On Tuesday, hackers were able to post promoted tweets from the accounts of Target (1.9 million followers) and Google’s business apps division, G Suite (more than 823,000 followers), and used them — along with other verified accounts — to pump cryptocurrency giveaway scams through Twitter’s own ad network. BuzzFeed News was also able to purchase cryptocurrency scam ads with the same language.
Compared to platform-defining problems like abuse, harassment, and the manipulation of public discourse by fake accounts, ridding Twitter of cryptocurrency scams might seem a low priority for the company. But as Dorsey pushes ahead with his “healthy conversation" charm offensive, bitcoin giveaway schemes are an eyesore and another reminder of Twitter's ongoing failure to keep people safe on its platform.
“We're constantly adapting to bad actors’ evolving methods, and have made improvements in combating cryptocurrency scams on the platform,” a Twitter spokesperson said in a statement. “We'll continue to move quickly to address these issues and help our partners take the appropriate steps to protect their accounts.”
“I would say actually that Twitter's somewhat disconnected response here is indicative of the fact that they probably see this as an annoyance,” said Ryan Kalember, senior vice president of cybersecurity strategy at Proofpoint, an enterprise security company. He has been studying the scams since they became prevalent last spring, and he originally compiled a long list of IP addresses, websites, and wallets used by the bad actors.
Twitter has other big problems to address, he added, but “it’s not like the plumbing isn’t there to fix it.”
In March, as fake accounts proliferated in the replies sections of the official accounts of @ElonMusk and @realDonaldTrump, often mimicking the handle, avatar, cover photo, and tweets of the original account, Twitter made it seem like it had the tools to get it under control. “It’s something we’ve really seen come out nowhere and spike up, but we have different work streams that are solely focused on this,” Harvey said during the March livestream. “We’ve made a lot more progress within really the past week, and we hope to have a lot more of it under control in the near future.”
Target Becomes A Target
Harvey’s prediction has proven naive. Twitter’s bitcoin scam problem persists, and the scams themselves have evolved. Observers are seeing fewer impersonations of celebrity accounts, with fraudsters moving instead to take over verified accounts with high follower accounts to run giveaway scams in organic messages or promoted tweets. It’s happened to a wide swath of users with blue checkmarks: big brands, journalists, and even the campaign account of a sitting US lawmaker ahead of the midterm elections.
It persists because it works, Kalember said. And while it’s impossible to know how much scammers actually take in during the schemes — fraudsters will often seed their own giveaways to make it seem like money is going into their publicly viewable cryptocurrency wallets — Kalember estimates that “each of them seems to net somewhere between $25,000 and $200,000 in bitcoin.”
Tuesday’s hack of @Target and @GSuite was the newest variation of an old trick. In those cases, according to two sources familiar with the details, hackers gained access to a third-party marketing account with the ability to post promoted messages, but not organic tweets, for brands like Target and G Suite. That allowed the hackers to purchase and publish bitcoin scam ads to the brands’ followers, somehow circumventing Twitter’s advertisement review process.
“We giving 5 000 [sic] Bitcoin (BTC) to all community!” @Target’s promoted message read. “We present cryptocurrency payments for your purchases in our store, and want to celebrate this event with all users!”
Twitter removed ads from both accounts within 30 minutes, but it’s unclear why the ads ran at all, given Twitter’s ban on cryptocurrency advertisements in March. And according to the company’s rules about promoted tweets, Twitter prohibits gambling content and “misleading or deceptive claims ... such as ‘get rich quick’ offers.” The company claims to closely scrutinize promoted tweets, which are vetted by algorithms and human reviewers.
Neeraj Agrawal, a spokesperson for cryptocurrency think tank Coin Center and an avid Twitter user, credited the social network for largely ridding itself of the mass celebrity impersonation accounts, but was surprised that the bitcoin giveaway ads were permitted on the social network. “You would think that there is some type of filter or review,” he said, citing his own experiencing placing Twitter ads.
Twitter declined to say how much scammers spent to run the ad and how many people it reached before it was removed. A spokesperson for Target confirmed the attack, stressing that there was “no inappropriate access, at any point to Target’s Twitter account,” and the company had “taken a number of security measures” to further secure itself on the social network. A spokesperson for Google declined to comment.
A BuzzFeed News analysis of the Target and G Suite account hacks suggests the perpetrators may have been the same ones responsible for similar schemes back in March. BuzzFeed News examined the websites touted in the Target and G Suite promoted tweet scams and determined they share a web server that also hosts sites like btc-back.net, elonmusk.gift, and eth-giving.com.
While domain registration information for those scam sites is hidden, other sites hosted on the server are registered to Russian names with associated emails, and Russian addresses. A QR posted in one of the tweets was hosted on a Russian domain. The server currently hosts 600 Russian and English–language websites for illegal pharmacies, escort services, and a business that promises to improve the levels of World of Warcraft characters. Many of them appear to be based in Russia.
“The phrasing of the tweet themselves seem to suggest a Russian or Ukrainian-language actor,” Kalember said. The researcher has also examined phishing emails sent by scammers to marketing and social media managers, which ultimately help them post from verified accounts like @Target. According to Kalember, those emails also show strong connections to Eastern European actors.
Twitter declined a request for technical details on the promoted scam ads.
Testing Twitter’s Ad Filtering
“If you are the social media manager for a major brand that would carry around something like a verified profile, you're going to be a target of a phishing attack,” Kalember said. “When you see these scams when there’s one verified account that’s tweeting out scams with, you know, a fake Elon Musk profile, and three or four or five different other verified accounts reply, all of that shows just how easy it is to phish the operators of these accounts.”
On Thursday, following the Target and G Suite-run scams, BuzzFeed News conducted a test, placing orders for six advertisements using a verified Twitter account. These test ads featured the same wording in Target and G Suite bitcoin giveaway tweets, with one containing the exact same scam website URL. The five others had either no URL or a made-up one intended to check if Twitter’s ad-filtering measures would be able to identify something that looked like an outright scam. The test ads were promoted in two ways: one encouraged website clicks, the other was optimized for impressions and the widest possible audience. A source familiar with the Target and G Suite scam ads told BuzzFeed News that they were most likely the latter and designed to reach the largest number of people.
BuzzFeed News paused the ads immediately upon buying them, to ensure they did not circulate on Twitter. Still, it took between 30 and 90 minutes for Twitter to flag and remove most of them from its ad network. About seven hours after the first ad was bought, the company locked the account from which the ads were purchased. It did not notify the account owner.
BuzzFeed News’ experiment shows that even if Twitter takes a short while to retake a compromised account, a scam has potential to do damage. Even as the company became aware of the scams and gave statements to the press about investigating the matter, the fraud kept spreading. It continues to snowball.
Three days after the Target and G Suite scampaigns hack, another bogus cryptocurrency giveaway appeared on Twitter. It claimed Tesla CEO Elon Musk was giving away free bitcoin to celebrate his alleged departure from the company's board of Tesla. The bitcoin wallet associated with it showed 32 transactions totaling just over $4,500 before Twitter removed it. ●