On 15 July 2020, attackers took over some of the most prominent accounts on Twitter, including Barack Obama, Joe Biden, Elon Musk, Jeff Bezos, Bill Gates, Apple, and Uber, and used them to post a Bitcoin doubling scam. They did not exploit a single line of Twitter's code. They got in by calling Twitter employees on the phone, posing as IT support, and walking them onto a fake login page. The fake page captured their credentials and the multi-factor codes, relayed in real time. From there the attackers reached Twitter's internal administration console, the tool support staff use to manage any account, and that tool let them seize whatever they wanted. It ran on phone calls, a convincing pretext, and a credential-phishing page, with no software exploit anywhere.
This is the case I point to when someone argues that security is fundamentally a code problem. Twitter is a sophisticated engineering organisation, and none of that mattered, because the attack never touched the engineering. It targeted the human layer, and the human layer let it through to a tool with no meaningful limits on what it could do.
What happened, in one paragraph
Over 14 and 15 July 2020, attackers used phone spear-phishing (vishing) to trick a number of Twitter employees into entering their credentials on a phishing page built to look like Twitter's internal VPN and login portal. They captured passwords and relayed the multi-factor codes in real time. The first employees they fooled did not have access to the account-management tools, so the attackers used that initial foothold to learn Twitter's internal systems and identify employees who did, then phished those people specifically. With access to the internal admin console, they targeted about 130 accounts, tweeted from 45 of them, accessed the direct-message inboxes of 36, and downloaded the full "Your Twitter Data" archive for 7. The scam netted around $118,000 in Bitcoin before Twitter locked everything down.
The hijacked accounts all posted a variation of the same lure within the same hour:
I'm feeling generous because of Covid-19. I'll double any Bitcoin payment sent to my address for the next 30 minutes. Good luck. bc1qxy2k...0wlh
2:17 PM · Jul 15, 2020
I am giving back to my community due to Covid-19. All Bitcoin sent to the address below will be sent back doubled. Only doing this for 30 minutes. bc1qxy2k...0wlh
2:25 PM · Jul 15, 2020
Everyone is asking me to give back, and now is the time. I am doubling all payments sent to my Bitcoin address for the next 30 minutes. bc1qxy2k...0wlh
2:31 PM · Jul 15, 2020
We are giving back to our community. All Bitcoin sent to our address below will be sent back to you doubled. We support Bitcoin. bc1qxy2k...0wlh
2:48 PM · Jul 15, 2020
The attack chain

The detail that makes this case worth studying is that it was a two-stage social-engineering operation, not a single lucky phish.
- Vishing the perimeter. The attackers called employees claiming to be from Twitter IT, with a pretext about a VPN problem, a believable story in mid-2020 when the whole company had recently gone remote and VPN trouble was routine. They directed the employee to a phishing site that mirrored Twitter's real internal login. When the employee entered their credentials and MFA code, the attackers captured both and used them immediately, before the code expired.
- The pivot. The first employees compromised could not reach the account tools. This is where a weaker operation would have stalled. Instead the attackers used the access they had to read internal documentation and Slack, map which teams and individuals held the privileged access, and then ran the same vishing playbook against those specific people. The New York Department of Financial Services investigation laid this out clearly: the attackers climbed from low-privilege footholds to the employees who mattered.
- God-mode. The internal admin console could change the email address on any account, and it did so without notifying the account owner. The attackers used it to take over the target accounts, post the scam, and in some cases lock out the real owners by changing the recovery email.
No exploit. No malware. Every step was a person being helpful to a stranger with a good story.
Why it reached so far: the over-powered internal tool
The vishing got the attackers in, but what turned a handful of phished employees into a takeover of the most-followed accounts on the platform was the internal admin tool. It was, in effect, god-mode: a single console that could act on any account, change its email, and bypass the protections a normal user relies on, all without alerting the account owner.
That is the failure I keep coming back to. Powerful internal tools are necessary; support staff genuinely need to act on accounts. But a tool that can take over any account on the platform, reachable by a broad set of employees, with weak controls on who can use it and no notification when it does, is a single point of catastrophic failure. The phishing decided who got in. The tool decided how far they got, and the answer was "everywhere."
The DFS report also noted that Twitter had not had a chief information security officer since December 2019. The gap is not a coincidence; the controls that would have constrained this (tighter access to the admin tool, phishing-resistant authentication, alerting on sensitive admin actions) are exactly the things a security leader is meant to own.
What was actually exposed
The Bitcoin scam got the headlines, but the access was broader than a few scam tweets.
| Figure | What it was |
|---|---|
| ~130 | Accounts targeted by the attackers. |
| 45 | Accounts the attackers tweeted from. |
| 36 | Accounts whose direct-message inboxes were accessed. |
| 7 | Accounts for which the full "Your Twitter Data" archive was downloaded. |
| ~$118,000 | Bitcoin collected from the scam before lockdown. |
The DM access is the part that should worry anyone who used Twitter for sensitive conversations. For 36 accounts, the attackers could read private messages. The financial take was small for a breach this visible, which is almost the point: with this level of access, a quieter, more patient attacker could have done far more damage than a same-day crypto scam.
The attackers were young
The operation was traced to a small group of young people, not a state actor. The alleged mastermind, Graham Ivan Clark, was 17 at the time and was charged as an adult in Florida; he later pleaded guilty and received a three-year sentence as a youthful offender. Mason Sheppard and Nima Fazeli were charged federally for their roles, and a further individual, Joseph O'Connor, was charged later and sentenced in 2023. The technical bar was low. What the group had was the willingness to make the calls and a pretext good enough to work.
That is the uncomfortable lesson for defenders: the people who pulled off one of the most visible account takeovers in history were not elite. They were persuasive on the phone.
The lessons I take from it
Phishing-resistant MFA would have broken the chain. The attackers relayed one-time codes in real time, which works against app and SMS codes but not against FIDO2 hardware keys or passkeys, where the authentication is bound to the real site and cannot be replayed onto a phishing page. This single control would have stopped the credential capture cold. It is the highest-leverage fix and it is covered across the social engineering map.
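To make that difference concrete, here is an added example (not code from the original article or from Twitter) that models both flows in miniature: a relayed TOTP code verifies on the real server, while a WebAuthn-style assertion produced on a phishing origin fails the server's origin check. The keys, the two origins and the HMAC stand-in for the authenticator's signature are constructed assumptions.

```python
import hashlib, hmac, json, struct

# Constructed keys and hypothetical origins for the example; the HMAC "signature" stands in
# for the authenticator's ECDSA signature. Layout otherwise follows RFC 6238 and WebAuthn.
TOTP_SECRET = b"constructed-shared-secret"
CRED_KEY = b"constructed-per-credential-key"
RP_ID = "login.example-corp.internal"
REAL_ORIGIN = "https://login.example-corp.internal"
PHISH_ORIGIN = "https://login.example-corp-vpn.net"

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for time t; the code carries no information about where it was typed."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def server_accepts_totp(code: str, now: int) -> bool:
    return hmac.compare_digest(code, totp(TOTP_SECRET, now))

def relayed_totp_attack(now: int) -> bool:
    # The victim types the code into the phishing page; the attacker submits it to
    # the real server seconds later, still inside the same 30-second step.
    captured = totp(TOTP_SECRET, now)
    return server_accepts_totp(captured, now + 5)

def webauthn_assert(challenge: str, browser_origin: str) -> dict:
    """The browser writes the origin it is on into clientDataJSON; the authenticator
    signs over authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest()          # rpIdHash field
    sig = hmac.new(CRED_KEY, auth_data + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).hexdigest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}

def server_accepts_assertion(a: dict, issued_challenge: str) -> bool:
    cd = json.loads(a["client_data"])
    if cd["origin"] != REAL_ORIGIN or cd["challenge"] != issued_challenge:
        return False                 # origin binding: a relayed assertion dies here
    if a["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = a["auth_data"] + hashlib.sha256(a["client_data"]).digest()
    expected = hmac.new(CRED_KEY, signed, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, a["sig"])

def relayed_webauthn_attack() -> bool:
    # Same relay: a real challenge forwarded to the victim's browser on the phishing origin,
    # the assertion replayed to the real server. (A real browser would refuse even earlier,
    # since the rpId does not match the phishing page's origin.)
    challenge = "constructed-challenge-1"
    return server_accepts_assertion(webauthn_assert(challenge, PHISH_ORIGIN), challenge)
```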
Constrain the god-mode tool. Any internal tool that can act on every account is a crown jewel. It needs tight, audited access (few people, just-in-time, not standing), step-up authentication to use sensitive functions, and alerting when it touches a high-profile or flagged account. The takeover was so total because the tool placed almost no friction between "phished employee" and "act on any account."
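As an added illustration, and not Twitter's code or policy, here is a hypothetical authorization gate for such a console that enforces those controls (just-in-time grants instead of standing access, fresh step-up for sensitive functions, an alert whenever a high-profile or flagged account is touched, and an owner notice on every email change) and returns the decision, alerts and notices together. Actors, ticket id and handle are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical policy for an account-management console; names and data are constructed.
SENSITIVE = {"change_email", "reset_mfa", "export_archive"}  # actions that enable takeover
STEP_UP_MAX_AGE = timedelta(minutes=5)

@dataclass
class Grant:            # just-in-time grant tied to a ticket; there is no standing access
    actor: str
    ticket: str
    expires: datetime

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)
    alerts: list = field(default_factory=list)    # routed to the SOC
    notices: list = field(default_factory=list)   # routed to the account owner

def authorize(actor: str, action: str, target: dict, grants: list,
              last_step_up: dict, now: datetime) -> Decision:
    """Gate one console action. Alerts fire on denied attempts too, so a phished
    session probing a flagged account is visible even when it gets nowhere."""
    d = Decision(allowed=True)
    if not any(g.actor == actor and g.expires > now for g in grants):
        d.allowed = False
        d.reasons.append("no active just-in-time grant")
    ts = last_step_up.get(actor)
    if action in SENSITIVE and (ts is None or now - ts > STEP_UP_MAX_AGE):
        d.allowed = False
        d.reasons.append("step-up authentication required for sensitive action")
    if target.get("high_profile") or target.get("flagged"):
        d.alerts.append(f"{actor} {action} @{target['handle']}: "
                        f"{'allowed' if d.allowed else 'denied'}")
    if d.allowed and action == "change_email":
        d.notices.append(f"@{target['handle']}: recovery email changed by support")
    return d

# Constructed scenario: support_a holds a valid session (password and MFA code relayed)
# but no grant; support_b holds a ticketed grant and has just re-authenticated.
NOW = datetime(2020, 7, 15, 18, 0, tzinfo=timezone.utc)
TARGET = {"handle": "verified_example", "high_profile": True}
GRANTS = [Grant("support_b", "TICKET-0001", NOW + timedelta(hours=1))]

def phished_standing_session() -> Decision:
    return authorize("support_a", "change_email", TARGET, GRANTS, {}, NOW)

def legitimate_with_step_up() -> Decision:
    return authorize("support_b", "change_email", TARGET, GRANTS,
                     {"support_b": NOW - timedelta(minutes=1)}, NOW)
```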
Assume the foothold and limit the blast radius. The attackers did not start with the access they needed; they pivoted to it. Least-privilege access and good internal segmentation would have made that pivot far harder. This is the same lesson as the Heartland breach on the code-layer side: the initial compromise is rarely the whole story, and the damage is decided by how far a foothold can travel.
The human layer needs an owner. Going seven months without a CISO is a governance failure, not a staffing footnote. The controls that fail in social engineering are cross-cutting (authentication, internal tooling, access policy, training), and without someone accountable for them, the gaps stay open until an attacker finds them.
Where to go next
This is the flagship case in the social engineering taxonomy; start there for the full set of techniques. The closest siblings are the Uber breach, where MFA fatigue and a help-desk pretext led to over-powered internal access in the same way, and the MGM breach, where a single phone call to a help desk became a company-wide ransomware outage. For the code-layer equivalent of "one foothold, total reach," see the Heartland breach.
Sources
Authoritative references this article was fact-checked against.