An "advance fee" Bitcoin scam that used hacked verified Twitter accounts made over 28 Bitcoins (approximately $179,000) from unsuspecting users. The scam's success can be attributed to the fact that it impersonated Elon Musk's Twitter account and used a "Promoted Tweet" (paid advertising on Twitter).

Like any 419 or any other variation of an advance fee scam, the scammers asked unsuspecting users to send Bitcoins to a specific wallet address and receive more Bitcoins in return once they had "verified" their addresses.

"͏͏I'm giving 10 000 Bitсoin (BTС) tо аll community͏!  ͏I left t͏he post of director of Tesla, thаnk yоu аll for your support!  ͏I decid͏ed to mak͏e the bigge͏st cryptо-givеaway in the world, for all my rеadеrs who use Вitcoin. Par͏ticipаtе in givea͏way - musk[.]fund" read the Promoted tweet.

Initial Promoted tweet I saw on my timeline. The tweet was still up here at the time of publishing, although it doesn't impersonate Elon Musk's Twitter account anymore.

Well co-ordinated Bitcoin scam

To reinforce Twitter users' trust in the scam and the belief that it works, the scammers appear to have hacked other verified Twitter accounts, which they used to comment on the Promoted tweet with testimony that the "offer" (scam) works. Among the accounts we saw commenting on, promoting, or also running the scam promotion were Moringa School (an accelerator in Kenya), Pathe (a European film distribution company whose website is also in need of SSL), the American Society of Interior Designers, and many others.

More notable were the hacked verified government-related Twitter accounts that were promoting and commenting on the scam. These included Colombia's Ministry of Transport and the National Disaster Management Agency of India.

Only a handful of accounts were used by the scammers to run tweets containing text similar to the Promoted tweet, while more verified Twitter accounts were used to reinforce and endorse the scam.

How the scam works

From what I observed last night when I first saw the Promoted tweet appear on my timeline, and based on what others like Oliver Hough observed too, the scam starts with the hacked (hijacked) verified Twitter account impersonating Elon Musk's Twitter account by changing its profile photo and name. The impersonation continues with the hacked account retweeting tweets in the same order, so that its timeline looks similar to that of Elon Musk's real Twitter account.

Once this is done, the account to be used for promoting the scam (like @marathonartists, a record label) tweets the main "Ad" of the scam before promoting it. The tweet also carries a link to a musk[.]fund website, which was created on 5 November 2018, a few hours before the scam started spreading on Twitter.
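The sequence described above (a verified account takes on a well-known display name, then tweets a link to a freshly registered domain) can be written as a detection rule. This is an added example, not code from the original post or from Twitter; the event format, the `PROTECTED` list, the 7-day threshold, the sample handles and the `.example` domain are all assumptions constructed for illustration.

```python
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: display names treated as impersonation targets -> their real handle.
PROTECTED = {"elon musk": "elonmusk"}
NEW_DOMAIN_WINDOW = timedelta(days=7)  # assumed cut-off for a "new" domain

@dataclass
class Event:
    when: datetime
    handle: str
    verified: bool
    kind: str            # "rename" or "tweet"
    value: str           # new display name, or the domain linked in the tweet
    promoted: bool = False

def norm(name):
    """Fold case, compatibility forms and repeated whitespace before comparing."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())

def flag_hijacks(events, domain_created):
    """Alert on verified accounts renamed to a protected name that then tweet a link."""
    impersonating, alerts = {}, []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.kind == "rename":
            name = norm(ev.value)
            if ev.verified and name in PROTECTED and ev.handle.lower() != PROTECTED[name]:
                impersonating[ev.handle] = name
            else:
                impersonating.pop(ev.handle, None)  # renamed back, or out of scope
        elif ev.kind == "tweet" and ev.handle in impersonating:
            created = domain_created.get(ev.value)
            fresh = created is not None and ev.when - created <= NEW_DOMAIN_WINDOW
            alerts.append({"handle": ev.handle, "posing_as": impersonating[ev.handle],
                           "domain": ev.value, "new_domain": fresh,
                           "severity": "high" if fresh and ev.promoted else "medium"})
    return alerts

# Constructed sample data: handles, times and the domain are placeholders.
T0 = datetime(2018, 11, 5, 12, 0)
SAMPLE_EVENTS = [
    Event(T0, "example_label", True, "rename", "Elon  MUSK"),
    Event(T0 + timedelta(minutes=30), "example_label", True, "tweet", "giveaway.example", True),
    Event(T0, "elonmusk", True, "rename", "Elon Musk"),       # real handle: not flagged
    Event(T0 + timedelta(hours=1), "elonmusk", True, "tweet", "giveaway.example"),
    Event(T0, "fan_account", False, "rename", "Elon Musk"),   # unverified: outside this rule
    Event(T0 + timedelta(hours=1), "fan_account", False, "tweet", "giveaway.example"),
]
SAMPLE_DOMAIN_CREATED = {"giveaway.example": T0 - timedelta(hours=3)}
```

The rule keys on the mismatch between display name and handle, which is the one field the hijackers did not change; it does not map cross-script look-alike characters.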

The musk[.]fund website itself further reinforced the impression that the "offer" (scam) was legitimate, as it also had a (mock) "LIVE" feed of Bitcoin transactions, showing how people were sending Bitcoins and receiving many times more Bitcoins in return.

Also, when the website was still up on 5 November 2018, the IP address of the hosting server appeared to be based in Russia. It's a pity I didn't record it at the time.

Verified promotion

Given how many people were scammed, over 28 Bitcoins in total, the Promoted tweet, as well as the hacked accounts, were reported hundreds of times to Twitter's support team. Despite this, Twitter did nothing. Instead, they commented publicly, reminding users how to secure their accounts.

But they missed the point completely.

A few hours in, the scammers had already made over 27 Bitcoins.

A Twitter verified badge, as they themselves state, is a sign of authenticity.

"The blue verified badge  on Twitter lets people know that an account of public interest is authentic. The badge appears next to the name on an account’s profile and next to the account name in search results. It is always the same color and placed in the same location, regardless of profile or theme color customizations."

This gives users the impression that whatever a verified Twitter account tweets (at least going by Twitter's guidelines) is authentic. Thus, if a verified badge appears next to a profile photo and name of Elon Musk (despite what the username is), users are likely to believe, at least at first glance, that it really is Elon Musk tweeting. Add the fact that a verified account is promoting the tweet, and this creates an even stronger impression, among unsuspecting users, that the scam is truly a legitimate offer.

What was also odd is that Twitter didn't allow the hacked verified accounts to be reported as "impersonation". My guess is that this is because a verified account has already been verified to be legitimate. Does that mean that Twitter, in its processes, didn't factor in the possibility that a verified account could be hijacked?

This whole scam is particularly worrying considering that it is not so long ago that Twitter, along with Facebook and Google, was hauled before the US Senate to explain how they accepted advertising money on their platforms to promote fake news that attempted to manipulate elections in the USA.


Cover image credit: Elon Musk on the Joe Rogan Podcast.