A number of high-profile Twitter accounts were hacked simultaneously on Wednesday by attackers who used the accounts — some with millions of followers — to spread cryptocurrency scams.

Apple, Elon Musk, and Joe Biden were among the accounts compromised by a broad-based hack that remained mysterious hours after it took place. Those accounts and many others posted a message promoting the address of a bitcoin wallet claiming that the amount of any payments made to the address would be doubled and returned — a known cryptocurrency scam technique.

In the hours following the initial scam posts, Kim Kardashian West, Jeff Bezos, Bill Gates, Barack Obama, Wiz Khalifa, Warren Buffett, YouTuber MrBeast, Wendy’s, Uber, CashApp and Mike Bloomberg also posted the cryptocurrency scam.

While we’re still learning more about how the hack went down, we can report that the hacker used an internal Twitter admin tool to gain access to high-profile accounts. The story was soon verified by Twitter’s own account of what happened. On Wednesday night, the company tweeted that a “coordinated social engineering attack” on employees gave hackers “access to internal systems and resources.”

A hacker used Twitter’s own ‘admin’ tool to spread a cryptocurrency scam

Before the scope of the incident became clear, the hack seemed to focus on cryptocurrency-focused accounts. In the initial wave of scam messages, @bitcoin, @ripple, @coindesk, @coinbase and @binance were hacked with the same message: “We partnered with CryptoForHealth and give back 5000 BTC to the group,” followed by a link to the website.

The linked site was quickly taken offline. Kristaps Ronka, Chief Executive Officer of Namesilo, the domain registrar used by scammers, told TechCrunch that the company had suspended the domain “on the first warning” it had received. Hacked accounts shifted to sharing multiple bitcoin wallet addresses as the incident proceeded, making things more difficult to track.

Twitter first noticed the situation at 2:45 p.m. PT Wednesday afternoon, referring to it as a security incident.

We are aware of a security incident involving Twitter accounts. We ‘re investigating and we’re taking action to repair it. We’ll refresh all of them shortly.

-Twitter Help (@TwitterSupport) July 15, 2020

At first, some of the compromised accounts seemed to be back under the control of their users, as tweets were quickly removed. But then Elon Musk’s account tweeted “hi” after his initial scam tweet was deleted. The “hi” tweet has also disappeared.

The users of Twitter started seeing error messages on the site as the situation went on. TechCrunch reporter Natasha Mascaren saw this error (see below) as she tried to create a threaded tweet. TechCrunch reporter Sarah Perez saw a similar error while attempting to post a regular tweet. Both of them have checked accounts.

While problems persisted, several authenticated users of Twitter also announced that they were unable to post. Around 3:15 p.m. PT, the official Twitter Support account confirmed that “[Users] may not be able to Tweet or reset your password while we’re reviewing and addressing this incident.” By Wednesday night, Twitter said that most tweeting should be back to normal but “may come and go” functionality as a company “continue to work on a fix.”

Most of the accounts will be able to Tweet again. As we continue working on a fix, this feature may come and go. We are trying to get things back to normal as soon as possible.

-Twitter Help (@TwitterSupport) July 16, 2020.

Who’s been hacked
Early on, it was apparent that this was not the case of a single account being hacked, as we have seen in the past, but something else entirely. Even Apple, a company known for its robust security, has somehow been the victim of the scheme.

Many high-profile accounts were quickly hijacked in quick succession on Wednesday afternoon, including @elonmusk, an eccentric Twitter-obsessed tech figure with a notoriously engaged fanbase. A scam tweet posted to the Tesla and SpaceX founder ‘s account clearly instructed users to send bitcoin to a certain address under the pretext of “doubling every payment”—a proven cryptocurrency scam technique. Musk ‘s account seemed to remain in trouble for some time after the initial message, with follow-up reports stating that followers sent money to a suspicious address.

Some Democratic political figures have also been hacked as part of the cryptocurrency scam, including Barack Obama, Joe Biden and Mike Bloomberg. A campaign official told TechCrunch that Twitter had “immediately” locked the former vice president ‘s account after it had been hacked and that the campaign remained in close contact with Twitter on the subject. At the time of writing, no account belonging to Republican leaders seems to have been compromised.

Wiz Khalifa ‘s account was also hacked, as was the Twitter account of famous YouTuber Mr.Beast, who frequently posts gifts, making his bitcoin address re-post especially likely to push followers to the scam.

The hack also hit legendary investor Warren Buffet, a prominent and tough critic of cryptocurrencies like bitcoin. “I don’t have a cryptocurrency, and I never will,” Buffet told CNBC in February.

Uncommon hack, common scam

Although the scale of Wednesday’s Twitter hack is unparalleled on the social network, the types of scams promoted by hacked accounts are that. Scammers take over high-profile Twitter accounts using broken or leaked passwords and post messages that encourage users to post their cryptocurrency funds to a specific address under the guise of doubling their “investment.” In reality, it’s simple theft, but it’s a scam that works.

The main blockchain address used on the scam site had already collected more than 12.5 bitcoin — about $116,000 in USD — and it’s going up by the minute.

Binance spokesperson said to TechCrunch: “The security team is actively investigating the situation of this concerted assault on the crypto industry.” Many other companies impacted by account hacks did not react immediately to a request for comments.

It’s not immediately clear how the breaches of the account took place. Security analysts, however, found that the attackers had completely taken over the victim’s accounts and even modified the email address associated with the account to make it harder for the real user to regain access.

Scammers also respond to high-profile accounts, such as celebrities and public figures, to hijack the conversation and hoodwink unsuspecting victims. Usually, Twitter shuts down these accounts pretty quickly.

A Twitter spokesperson, when approached, said the company was “looking into” the matter, but did not comment immediately.

This story has been evolving. Stay tuned to updates.

Below is the link to screenshots of some of the accounts that have been hacked.

https://techcrunch.com/wp-content/uploads/2020/07/Screen-Shot-2020-07-15-at-5.05.55-PM.png?w=1500&crop=1