Twitter declined to comment on the security associated with Trump’s account, and said that it was “looking into what other malicious activity [the hackers] may have conducted or information they may have accessed.” A company spokesperson declined to specify whether that information potentially includes direct messages.
“It could have been a far worse incident,” says Roi Carthy, CEO of cybersecurity firm Hudson Rock. “It wasn’t a particularly sophisticated operation.”
The bitcoin scam, though profitable, was as simple as it gets. It’s also not clear that the hackers will even be able to cash out, says Tom Robinson, cofounder of blockchain forensics company Elliptic. They used three bitcoin addresses to solicit payments. All of those are empty now, the proceeds dispersed to 12 new addresses, likely until the attackers feel it’s safe to move them again. But despite its reputation, Bitcoin hardly guarantees anonymity.
“If they send the funds straight to a regulated exchange, there’s a good chance they’ll be identified,” says Robinson. “However, if they try to use obfuscation techniques, for example mixers, that will make it more difficult to trace the funds.”
Even if they manage to walk away with the money eventually, it’s not actually that big of a haul, especially relative to the noise the attack made. “It’s a drop in the ocean when it comes to the illicit use of cryptocurrencies,” says Robinson. “The hacker might be extremely sophisticated in terms of exploiting a computer system, but not in terms of monetizing that.”
The relatively small stakes of that score, along with the potentially impactful gains that could have come from a more subtle approach, has sparked some speculation that the bitcoin scam was a cover for something more nefarious. There’s no definitive way to rule that out, based on the level of access Twitter acknowledges the attackers had. Still, nothing about the hackers’ confirmed actions so far suggests they were interested in anything other than a pay day. “I don’t buy that the bitcoin part of it is cover,” says former NSA analyst Dave Aitel. “Sometimes a cigar is just a cigar.”
Many companies have seen admin tools used for malign ends, either from hackers or rogue insiders. Several years ago, Uber employees infamously used the company’s “God View” to track riders for personal reasons. In the Myspace heyday, staff abused a tool called “Overlord” to read private messages and more. The most recent high-profile example comes from Twitter itself, where the Justice Department alleges two former workers spied on users on behalf of Saudi Arabia.
It’s unclear whether any Twitter employee was a willing participant in Wednesday’s hacks; the company says only that its investigation is ongoing, and tweeted that it has “taken significant steps to limit access to internal systems and tools” while that happens. Which invites the question of why those precautions weren’t in place to begin with.
“Unfortunately a lot of companies have way too loose controls for admin access,” says Tobac. “It runs rampant at a lot of these organizations, and folks who probably shouldn’t have admin access do.” Tobac suggests that given their sweeping capabilities, admin tools should be limited to as few people as possible, even if that slows a company’s gears. Insider threat monitoring software can also flag when an employee account accesses corners of the backend they shouldn’t, or more often than they would reasonably need to.
Twitter will hopefully share a full post mortem before long. The FBI is also looking into the hack, Reuters reported. But when your best-case scenario is that a hacker potentially had access to the private messages of the most powerful people in the world, but wasn’t savvy enough to know it, something has already gone very wrong.
Additional reporting by Lily Hay Newman.
More Great WIRED Stories