Elon Musk Bitcoin Scammers Hijack Verified Status Accounts

Scammers are back on Twitter impersonating their favorite celebrity, Elon Musk, in a bid to convince people to invest in their phony Bitcoin scheme.

This time, the scheme raises serious questions over how easy it is to hijack and alter verified accounts on the social network. In this case, two US lawmakers with verified status, Frank Pallone and Brenda Lawrence, reportedly had their accounts taken over, alongside corporate accounts such as those belonging to film production firm Pathe UK.

The scammers then changed the display name to ‘Elon Musk,’ using one non-standard character to avoid setting off any alarms at Twitter HQ.

The error-strewn tweet itself read: “I’m giving 10 000 Bitcoic (BTC) to all community! I left the post of director of Tesla, thank you all for your suppoot! I decided to make the biggest crypto-giveaway in the world, for all my readers who use Bitcoin. Participate in giveaway…”

A further message then asks users to send anywhere between 0.1 and 2 BTC to a payment address below to receive from 1 to 20 BTC in return.

One report suggested over 400 people had already sent virtual currency to the address, netting the scammers in the region of $180,000. However, others claimed that fraudsters in these situations typically fill their wallets with funds to make the ‘giveaway’ look more legitimate.

Either way, it raises more questions about Twitter’s ability to police fraud on its site.

While those who had their account hijacked could have largely prevented this by turning on two-factor authentication, the changing of verified status display names should have raised the alarm, according to experts.

"The nature of this scam brings to light some seemingly obvious issues with Twitter's verified account system. The thieves hacked verified accounts and switched the name to Elon Musk to get attention and credibility,” explained Comparitech privacy advocate, Paul Bischoff.

“If the purpose of the blue check mark is to assure a person's handle matches their real identity, then why is it possible to change a verified account's display name? Changing the name should immediately invalidate the verified status.”
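The two checks discussed above, a display name that hides a non-standard character and a verified account whose name changes, can be sketched as a platform-side review step. This is an added example, not code from Twitter or from the article; the homoglyph table, the watch list and the function names are assumptions made for illustration.

```python
import unicodedata

# Constructed, partial look-alike table (assumption). Production code would
# load the full Unicode TR39 confusables data instead of this short list.
CONFUSABLES = {
    "\u0415": "E", "\u0435": "e",   # Cyrillic IE
    "\u041e": "O", "\u043e": "o",   # Cyrillic O
    "\u041c": "M", "\u0455": "s",   # Cyrillic EM, DZE
    "\u0406": "I", "\u0456": "i",   # Cyrillic Byelorussian-Ukrainian I
    "\u03bf": "o", "\u0131": "i",   # Greek omicron, Latin dotless i
}
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

# Hypothetical watch list of frequently impersonated names, stored as skeletons.
PROTECTED_NAMES = {"elon musk"}


def skeleton(name: str) -> str:
    """Fold a display name to a canonical form for comparison."""
    chars = []
    for ch in unicodedata.normalize("NFKD", name):
        # Drop invisible characters and accents split off by NFKD.
        if ch in ZERO_WIDTH or unicodedata.combining(ch):
            continue
        chars.append(CONFUSABLES.get(ch, ch))
    # Case-fold and collapse runs of whitespace.
    return " ".join("".join(chars).casefold().split())


def review_name_change(verified_name: str, new_name: str, is_verified: bool) -> str:
    """Decide what to do with a requested display-name change.

    verified_name is the name the account held when it was verified.
    Returns "block", "revoke_badge" or "allow".
    """
    old_skel, new_skel = skeleton(verified_name), skeleton(new_name)
    # The new name folds to a protected name this account never held.
    if new_skel in PROTECTED_NAMES and new_skel != old_skel:
        return "block"
    # Any other real change on a verified account voids the badge.
    if is_verified and new_skel != old_skel:
        return "revoke_badge"
    return "allow"


if __name__ == "__main__":
    # Constructed sample: Cyrillic "o" (U+043E) in place of the Latin letter.
    print(review_name_change("Pathe UK", "El\u043en Musk", True))
```

Comparing skeletons rather than raw strings is what catches the single substituted character: a plain string match against "Elon Musk" would pass the constructed sample name.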

Reports in March claimed that Twitter was planning to ban most crypto-currency advertising in a bid to head off rising levels of fraud.