Skip to content
Naked Security Naked Security

Why is Elon Musk promoting this Bitcoin scam? (He’s not)

While scrolling through my Twitter feed I saw a Bitcoin scam so unabashed that it got me thinking.... do such scams really work?

Bitcoin scammers subvert Twitter verified accounts and ad promotions to impersonate celebs and fool victims. While scrolling through my own Twitter feed this past Sunday, I saw one such scam pop up. It was so unabashed that I had to take a screenshot of it.

How could something so obviously fake have a prayer of working? Surely Twitter has protective measures in place to stop such ‘promotions’ from running. I didn’t think these tweets would last online for more than a few minutes.
As I found out the next day, this scam actually ran for almost 12 hours before Twitter caught on and put an end to it. And 12 hours was plenty of time for the scammers to separate a few victims from their Bitcoins.

What’s going on here?

If you’ve ever used Twitter before, you’ve undoubtedly seen “promoted” tweets. Promoted tweets are basically adverts – users pay to promote their tweets or accounts in the hopes of having them be seen by more Twitter users. If a Twitter account only has a few hundred followers, spending a small amount of cash to promote a tweet can have that tweet shown to thousands, if not hundreds of thousands, of people.
A verified account has a blue checkmark next to the account name, and it’s a bit of a status symbol on the platform. That checkmark means that the account has passed some kind of vetting process known only to Twitter. It’s shorthand for saying this account is authentic and trusted, and tweets from a verified account tend to have a social cachet and greater visibility across the site in general.
So if a scammer manages to get their hands on a verified account, and then promotes a tweet from that verified account, this signals that the tweet is coming from a real, vetted, trustworthy account, and the normal “this is a scam” red flags tend to get ignored.

Hasn’t this happened before?

In light of this, you’d think that Twitter would be much more watchful of verified accounts and the kind of activity it posts or promotes. Sadly, you’d be wrong, as scams via verified accounts using promoted tweets aren’t a new phenomenon. In fact, we wrote about them just a few months ago, and they’ve been going on in various forms since at least the beginning of the year.
Cryptocurrency scammers keep at their old tricks because they work.
The key component needed for this scam to work is a verified account. It’s not at all clear how an account becomes verified or how Twitter even chooses the accounts it verifies, so a scammer’s easiest path is to take over an existing, presumably abandoned or neglected account. With credential reuse (still) sadly rampant, it’s a good bet that the credentials for this Twitter account were breached elsewhere, or just frightfully easy to guess or socially engineer.
Note that two-factor authentication does exist for Twitter but it’s not required for a verified account, and it’s likely that the hijacked account in this and other cases didn’t have it enabled.
In the case of this scam specifically, the verified account’s handle (Knip) was unchanged, however the display name (next to “Promoted by”) was changed to “Elon Musk.” Scammers from earlier in the year changed the handle too, but doing that now removes the verified status.
The Knip hijacked account belonged to a Swiss life insurance broker app, and the account was last active with legitimate activity in July. After several months of silence, suddenly this somewhat dull account interested only in life insurance takes a shine to Elon Musk, retweeting a number of his older posts in quick succession and then making and promoting a new tweet promising Bitcoins to anyone who sends them a small initial Bitcoin deposit in return.


One can’t help but wonder how a few of the behavioral red flags didn’t set off any warning bells at Twitter. This verified account was inactive for a few months and then suddenly sprang to life, tweeting about cryptocurrency and asking for deposits. The display name was changed and the avatar was reset. In isolation, just one of these behaviors might not mean much, but in series, they paint a picture of an account that’s likely up to no good.

The payoff

Did anyone fall for this? Was 12 hours enough time for a promoted tweet from a verified account to earn any money?
A quick lookup of the scammer’s Bitcoin address the day after the scam ran shows that while the promoted tweet was live, 17 deposits were made, some were just tiny $10 USD transactions, but others were for several thousand dollars.
So in less than one day, with just 17 people giving them money, the scammers made 1.623 BTC, which at the time of this writing is worth over $10,000 USD. Easy money.
Whoever owns this wallet has already started to make withdrawals, their first one was worth $3000 alone.

Don’t allow your account to become easy prey

There’s no response yet from the original account Twitter account owner, though they’ve been flooded with tweets from the many, many people who spotted this as a scam and took the time to report it to Twitter support. No doubt the insurance app whose account was hijacked is not enjoying the headache of having to deal with the fallout.
If you manage a Twitter account, whether verified or not, there are several measures to take to make it much harder for something like this to happen to you:

    • Make sure you turn on Twitter’s two-factor authentication. It supports a number of 2FA options, including SMS and generated tokens from authenticator apps.
    • If you or your organisation use a Twitter account, make sure the contact information stays current and working. Employees come and go and priorities change, but it’s crucial that an account tied to you or your company remains under your control, and that you can be reached if there’s any funny business happening to your account, even if you decide to #QuitTwitter.
    • Our usual password pleas: Use a strong password and make sure it’s unique (a password manager can help with this).

(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)


2 Comments

re: your 5th para – “tend to have a social caché”, I suspect you meant ‘cachet’
Below with grateful thanks to Merriam-Webster
“How do you pronounce cachet?
Two words in English that share a common French root also have important differences in pronunciation and meaning.
Cache means “a place where things are hidden,” a meaning that entered English in the 1700s. It can also mean cache memory, or “a part of a computer’s memory where information is kept so that the computer can find it very quickly.” This word is pronounced \CASH\.
Cachet has several meanings. It can mean “prestige,” “medicine prepared so that it can be swallowed,” or “an official seal,” the oldest meaning of the word in English, first used in the 1600s. It is pronounced \cash-AY\.
Both words derive from the French verb cacher (“to hide”), which is pronounced \cash-AY\. In French, cache is pronounced \CASH\—just as in English. The adjective “hidden” in French is spelled with an accent mark on the e—caché—and is pronounced \cash-AY\. The e without accent mark is silent.”

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!