Case Study Title: The 2020 Twitter Hack: A Cyber Forensics Investigation
Introduction
The 2020 Twitter hack was one of the most significant cybersecurity breaches in recent
history. On July 15, 2020, attackers gained control of several high-profile Twitter accounts,
including those of Barack Obama, Elon Musk, Bill Gates, and others, using them to
perpetrate a bitcoin scam. This incident exposed vulnerabilities in social media platforms and
raised important questions about cybersecurity, the role of social media in society, and digital
trust. This case study explores the attack, its forensic investigation, and the lessons learned.
Background Information
In July 2020, Twitter was at the centre of a massive cyberattack. The platform is one of the
most influential social media services, used by global leaders, corporations, and millions of
individuals to communicate and share information. Given its influence, Twitter is a high-
value target for cybercriminals. The breach highlighted significant security gaps in social
media platforms, emphasizing the importance of securing systems against internal threats and
social engineering attacks.
Description of the Incident
The 2020 Twitter hack took place on July 15, 2020, and was one of the most prominent
cyberattacks of the year. The attackers compromised several high-profile accounts, including
those of celebrities, politicians, and major corporations. Among the compromised accounts
were those of Barack Obama, Joe Biden, Elon Musk, Jeff Bezos, Apple, and Bill Gates.
The hack unfolded as follows:
July 15, 2020, Early Afternoon: The first signs of the attack appeared when several
verified accounts began tweeting identical messages that promoted a Bitcoin scam.
The tweets stated that if followers sent Bitcoin to a specific wallet, the amount would
be doubled and returned to them as a gesture of goodwill. The messages were sent
from high-profile accounts, adding credibility to the scam.
Bitcoin Scam Details: The tweets included phrases like "I am giving back to the
community," or "All Bitcoin sent to my address below will be sent back doubled,"
followed by a Bitcoin address. The tweets encouraged users to act quickly, claiming
the offer would only last 30 minutes. Attackers collected more than $100,000 in
Bitcoin by exploiting the trust associated with the prominent accounts.
Twitter's Response: As the hack continued to affect more accounts, Twitter initiated a
widespread response, including locking down affected accounts and temporarily
disabling the ability for verified accounts to tweet. This measure aimed to prevent
further misuse while the internal security team investigated the breach.
Sources of the Breach: The breach was later identified as a result of a social
engineering attack. The attackers successfully targeted Twitter employees who had
administrative access to internal systems. Through a series of phishing attempts, they
tricked employees into granting them access to the internal "admin tools" that allowed
control over Twitter accounts. The hackers used these tools to bypass multi-factor
authentication (MFA), change account settings, and post fraudulent tweets.
End of the Attack: By late evening on July 15, Twitter had regained control over its
systems, and most compromised accounts were secured. The company later confirmed
that 130 accounts were targeted, 45 of which were used to send tweets. Twitter
acknowledged that the attackers had accessed direct messages (DMs) from some
accounts.
This breach revealed significant weaknesses in Twitter's internal security, particularly
regarding the access privileges of employees and the company's vulnerability to social
engineering attacks.
Timeline of the 2020 Twitter Hack
July 15, 2020, Early Afternoon: The first suspicious tweets promoting a Bitcoin scam appear
from prominent Twitter accounts. Elon Musk, Bill Gates, and others tweet messages asking
their followers to send Bitcoin to a specified address, promising to double any amount
received.
2:00 PM (PST): Several more high-profile accounts, including those of Jeff Bezos, Apple, and
Uber, post similar tweets promoting the same Bitcoin scam. The rapid spread of identical
messages raises alarms among users and security experts.
3:00 PM (PST): Twitter takes its first action, temporarily limiting the ability for verified
accounts to tweet while investigating the cause of the breach. The platform also locks down
the compromised accounts to prevent further fraudulent messages.
4:17 PM (PST): Twitter's Support team posts an official statement acknowledging the breach.
They confirm that the issue is being actively investigated and assure users that internal
teams are taking steps to mitigate the attack.
6:00 PM (PST): Twitter reveals that the attackers used social engineering techniques to
compromise the accounts. Employees with access to Twitter's internal tools were tricked into
granting access to the hackers, allowing them to take control of high-profile accounts.
Evening, July 15, 2020: Twitter takes additional steps to secure the platform, restricting a
wider set of accounts as a precaution. The scam tweets are removed, and the Bitcoin addresses
associated with the tweets are tracked by cryptocurrency analysts and law enforcement.
Late Night, July 15, 2020: Twitter restores access to the majority of affected accounts.
However, further investigation reveals that the hackers targeted 130 accounts in total,
successfully tweeting from 45 of them.
July 16, 2020: Twitter releases a formal statement, explaining that attackers used social
engineering to gain access to internal tools, which allowed them to bypass security
protocols, including multi-factor authentication. They also confirm that private data,
including direct messages (DMs) from certain accounts, may have been accessed.
Forensic Investigation
Methods Used
The investigation into the Twitter hack involved a combination of cyber
forensic techniques and law enforcement collaboration. The key focus was to
determine how the attackers gained access to internal tools and exploited
vulnerabilities in Twitter’s security system.
1. Social Engineering Investigation
The attackers used social engineering to manipulate Twitter employees into
providing credentials that allowed access to Twitter’s internal tools. Social
engineering is a technique that exploits human psychology, tricking
individuals into revealing sensitive information. In this case, the attackers used
phishing techniques to impersonate Twitter’s IT department and gain the trust
of employees.
2. Analysis of Access Logs
Forensic experts examined Twitter’s access logs to track down unauthorized
access points. By analyzing these logs, investigators identified that the
attackers gained access to internal tools used by Twitter employees to manage
account settings, password resets, and other administrative actions. These logs
were critical in identifying the compromised accounts and tracking the actions
taken by the attackers.
3. Digital Forensic Tools and Techniques
Cyber forensic tools, including Splunk and EnCase Forensics, were used to
analyze server logs, track IP addresses, and monitor data flow in real-time.
Investigators employed these tools to monitor how the hackers moved through
Twitter’s internal network and pinpoint the accounts they compromised.
Splunk: A leading log analysis tool that helps organizations search, monitor, and
analyze machine data to detect anomalies and potential security threats.
EnCase Forensics: This tool is widely used for forensic analysis of digital devices,
enabling the recovery and examination of deleted files, email communication, and
other key evidence.
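The two passages above describe the core of the log-based part of the investigation: reviewing audit logs of the internal account-administration tools to find which operator sessions performed unauthorized actions, and using a log platform such as Splunk to surface anomalies. The following Python script is an added example written for this case study, not Twitter's tooling or log format and not a Splunk search. It runs two detection rules over a constructed audit log: a sensitive action performed from a source IP outside the operator's known baseline, and one operator performing sensitive actions against many distinct verified accounts within a short window. Operator names, IP addresses, account handles and the field layout are all constructed.

```python
"""Added example: anomaly detection over a constructed admin-tool audit log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not a real log format). Fields:
# timestamp | operator | source_ip | action | target_account | target_tier
SAMPLE_LOG = """\
2020-07-15T13:02:11Z|op_alice|10.20.3.4|view_profile|@someuser|standard
2020-07-15T13:05:40Z|op_alice|10.20.3.4|reset_password|@someuser|standard
2020-07-15T13:51:02Z|op_bob|10.20.7.9|view_profile|@anotheruser|standard
2020-07-15T14:01:13Z|op_carol|203.0.113.77|change_email|@celebrity_a|verified
2020-07-15T14:02:05Z|op_carol|203.0.113.77|disable_mfa|@celebrity_a|verified
2020-07-15T14:03:47Z|op_carol|203.0.113.77|change_email|@ceo_b|verified
2020-07-15T14:04:30Z|op_carol|203.0.113.77|disable_mfa|@ceo_b|verified
2020-07-15T14:06:12Z|op_carol|203.0.113.77|change_email|@politician_c|verified
2020-07-15T14:07:01Z|op_carol|203.0.113.77|disable_mfa|@politician_c|verified
2020-07-15T14:08:55Z|op_carol|203.0.113.77|change_email|@brand_d|verified
"""

# Constructed baseline: the source IPs each operator is normally seen from (e.g. corporate VPN).
KNOWN_OPERATOR_IPS = {
    "op_alice": {"10.20.3.4"},
    "op_bob": {"10.20.7.9"},
    "op_carol": {"10.20.5.12"},
}

# Actions that change account control; the page names password resets and MFA changes.
SENSITIVE_ACTIONS = {"reset_password", "change_email", "disable_mfa"}
WINDOW = timedelta(minutes=10)
MAX_DISTINCT_VERIFIED_TARGETS = 2  # constructed threshold for one operator in one window


def parse_log(text):
    """Split pipe-delimited lines into event dicts with parsed UTC timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, operator, ip, action, target, tier = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "operator": operator, "ip": ip, "action": action,
            "target": target, "tier": tier,
        })
    return events


def max_distinct_targets_in_window(evs, window):
    """Largest number of distinct target accounts touched within any sliding window."""
    evs = sorted(evs, key=lambda x: x["ts"])
    best, start = 0, 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > window:
            start += 1
        best = max(best, len({x["target"] for x in evs[start:end + 1]}))
    return best


def detect_anomalies(events):
    """Return a list of (rule, operator, detail) alerts."""
    alerts = []
    # Rule 1: a sensitive action from an IP outside the operator's baseline (report each pair once).
    seen = set()
    for e in events:
        if e["action"] in SENSITIVE_ACTIONS and e["ip"] not in KNOWN_OPERATOR_IPS.get(e["operator"], set()):
            key = (e["operator"], e["ip"])
            if key not in seen:
                seen.add(key)
                alerts.append(("unfamiliar_ip", e["operator"], e["ip"]))
    # Rule 2: one operator changing many distinct verified accounts inside WINDOW.
    by_operator = defaultdict(list)
    for e in events:
        if e["action"] in SENSITIVE_ACTIONS and e["tier"] == "verified":
            by_operator[e["operator"]].append(e)
    for operator, evs in by_operator.items():
        n = max_distinct_targets_in_window(evs, WINDOW)
        if n > MAX_DISTINCT_VERIFIED_TARGETS:
            alerts.append(("mass_verified_changes", operator, n))
    return alerts


def affected_accounts(events, operator):
    """Accounts on which the given operator performed sensitive actions (scoping the incident)."""
    return sorted({e["target"] for e in events
                   if e["operator"] == operator and e["action"] in SENSITIVE_ACTIONS})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_anomalies(evs):
        print(alert)
    print("accounts touched by op_carol:", affected_accounts(evs, "op_carol"))
```

Both rules are deliberately simple: the point is that the audit trail of the administration tool, joined with a per-operator baseline, is enough to flag the session and enumerate the accounts it touched, which is the scoping step the page describes.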
4. Cryptocurrency Tracking
The attackers used Bitcoin as the means for their scam, which presented a
challenge due to Bitcoin’s pseudonymous nature. However, forensic experts
leveraged blockchain analysis tools such as Chainalysis to trace the
movement of bitcoin transactions associated with the hack. While Bitcoin
transactions themselves are public, connecting a transaction to a specific
individual requires sophisticated blockchain analysis. This method helped
investigators trace funds to specific cryptocurrency wallets associated with the
attackers.
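The passage above says that transactions are public but that following funds across wallets takes dedicated analysis. One standard technique, shown here as an added example that is not Chainalysis code and not the real transaction graph of the incident, is "haircut" taint propagation: starting from a seed address, every output of a spending transaction inherits the fraction of its inputs that was tainted, so funds that are split, moved through intermediate addresses or mixed with clean coins can still be followed hop by hop to addresses labelled as belonging to a known service. All addresses, amounts and service labels below are constructed.

```python
"""Added example: hop-by-hop taint tracing over a constructed transaction graph."""
from collections import defaultdict

# Constructed seed (scam) address and constructed service labels; none are real addresses.
SCAM_ADDRESSES = {"scam_addr"}
SERVICE_LABELS = {"exchA_deposit": "ExchangeA", "exchB_deposit": "ExchangeB"}

# Constructed transactions in chronological order. Inputs and outputs are (address, BTC);
# the gap between input and output totals is the miner fee. Each address is spent once.
TRANSACTIONS = [
    {"txid": "tx1", "inputs": [("victim_1", 0.05), ("victim_2", 0.10)], "outputs": [("scam_addr", 0.15)]},
    {"txid": "tx2", "inputs": [("scam_addr", 0.15)], "outputs": [("hop1_a", 0.10), ("hop1_b", 0.049)]},
    # Mixing with clean funds: only half of the inputs here are tainted.
    {"txid": "tx3", "inputs": [("hop1_a", 0.10), ("clean_addr", 0.10)], "outputs": [("mixed_out", 0.199)]},
    {"txid": "tx4", "inputs": [("hop1_b", 0.049)], "outputs": [("exchA_deposit", 0.048)]},
    {"txid": "tx5", "inputs": [("mixed_out", 0.199)], "outputs": [("exchB_deposit", 0.198)]},
]


def trace_taint(transactions, seeds):
    """Return (taint, hops): tainted BTC per address and hop distance from the seed."""
    taint = defaultdict(float)  # address -> tainted BTC it received
    hops = {}                   # address -> number of transactions since the seed
    for tx in transactions:
        total_in = sum(amt for _, amt in tx["inputs"])
        tainted_in = sum(taint[addr] for addr, _ in tx["inputs"] if addr in taint)
        fraction = tainted_in / total_in if total_in else 0.0
        for addr, amt in tx["outputs"]:
            if addr in seeds:
                # Funds arriving at a seed address are tainted in full.
                taint[addr] += amt
                hops[addr] = 0
            elif fraction > 0:
                # Haircut: the output inherits the tainted share of the inputs.
                taint[addr] += amt * fraction
                hops[addr] = 1 + max(hops[a] for a, _ in tx["inputs"] if a in hops)
    return dict(taint), hops


def tainted_at_services(taint, labels):
    """Aggregate tainted BTC that reached each labelled service, rounded to satoshis."""
    totals = defaultdict(float)
    for addr, amount in taint.items():
        if addr in labels:
            totals[labels[addr]] += amount
    return {svc: round(v, 8) for svc, v in totals.items()}


if __name__ == "__main__":
    t, h = trace_taint(TRANSACTIONS, SCAM_ADDRESSES)
    for addr in sorted(t, key=lambda a: h[a]):
        print(f"{addr:14s} hop={h[addr]} tainted={t[addr]:.8f} BTC")
    print(tainted_at_services(t, SERVICE_LABELS))
```

The service labels are the part that needs external knowledge: the ledger alone never says who controls a deposit address, which is why the page says linking a transaction to a person requires analysis beyond the public chain. Chainalysis and similar products maintain those attributions; this example simply takes them as a constructed input.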
Findings
The forensic investigation uncovered several key pieces of evidence:
1. Employee Compromise: Investigators determined that the hackers targeted a small
number of Twitter employees with access to internal systems. Through social
engineering, attackers tricked employees into providing access to critical tools that
manage account settings, password resets, and even multi-factor authentication
settings.
2. IP Address Tracing: By analysing server access logs, investigators traced several
unauthorized IP addresses, leading them to the origin of the attacks. Many of the IPs
were traced back to SIM-swapping criminals, suggesting that the attack involved
multiple individuals.
3. Cryptocurrency Movement: Blockchain analysis using tools like Chainalysis
revealed that the Bitcoin funds were quickly moved through various wallets in an
attempt to obfuscate their trail. However, law enforcement was able to freeze some of
the funds before they could be fully laundered.
4. Online Conversations: Investigators discovered chat logs on underground
forums where the attackers had coordinated the hack. The logs revealed that
the hack was initially intended as a way to sell access to high-profile accounts
but later morphed into a Bitcoin scam due to time constraints.
Implications: Broader Implications and Legal and Ethical Considerations
Broader Implications
The 2020 Twitter hack had far-reaching consequences that went beyond just financial losses
from the Bitcoin scam. The hack exposed significant vulnerabilities in social media platforms
and their internal security systems, especially when it comes to insider threats. The attackers
were able to access Twitter’s internal tools, which should have been protected by stronger
security protocols, raising concerns about how other major platforms might also be
vulnerable to similar attacks.
Vulnerability of High-Profile Accounts: The accounts compromised in the attack
were those of influential global figures, including politicians, CEOs, and celebrities.
Had the attackers pursued a different objective, such as spreading misinformation or
manipulating financial markets, the consequences could have been far worse. This
incident underscored the broader potential for social media platforms to be used as
tools for political interference or market manipulation.
Public Trust in Social Media: The hack severely impacted public trust in the security
and reliability of Twitter and other social media platforms. Users rely on these
platforms for communication, official announcements, and news, and breaches like
this raise questions about whether these platforms can safeguard personal data and
prevent malicious activities.
Impact on Regulatory Discussions: Following the hack, there was increased
discussion about the need for tighter regulations around social media and
cybersecurity. Governments and regulators began considering whether social media
platforms should face stricter oversight to ensure they have robust internal safeguards
and reporting mechanisms in place for such breaches. The incident intensified calls
for legislative frameworks around data protection and cybersecurity practices, similar
to the General Data Protection Regulation (GDPR) in Europe.
Legal and Ethical Considerations
The Twitter hack also raised several legal and ethical issues:
Legal Consequences for the Attackers: The U.S. Department of Justice charged
several individuals involved in the attack, including a 17-year-old mastermind from
Florida, who faced multiple charges of fraud, hacking, and identity theft. Legal action
taken against the hackers highlighted the challenges of prosecuting cybercrimes,
especially when the perpetrators are young or part of a decentralized group.
Responsibility of Social Media Platforms: There were questions about Twitter's ethical
responsibility in preventing such attacks. Despite being a global platform used by
millions, Twitter was criticized for not having adequate internal security measures in
place. Ethical considerations also revolved around Twitter's response to the hack, as
many argued that the platform's temporary suspension of verified accounts caused
disruption for users and organizations that depend on it for communication.
Ethical Use of Internal Access: Another ethical issue concerns the access that certain
employees had to the internal tools that allowed hackers to control high-profile
accounts. Twitter faced scrutiny over whether too many employees had privileged
access to such sensitive tools and whether the company was implementing proper
background checks and security training for its employees.
Conclusion
The 2020 Twitter hack was a stark reminder of the vulnerabilities inherent in social media
platforms and the crucial need for strong cybersecurity measures. Through a carefully
executed social engineering attack, the hackers exploited Twitter’s internal systems,
highlighting the importance of securing not just external systems but also internal controls.
On the cyber forensic side, the case demonstrated the power of digital forensic tools in
tracking the movements of attackers within networks, identifying compromised accounts, and
tracing cryptocurrency transactions. Key lessons learned from this incident include:
1. Strengthening Internal Security Protocols: The hack emphasized the importance of
limiting access to internal tools and ensuring that employees with such access undergo
thorough security training. Implementing least-privilege principles (where employees
only have access to the tools necessary for their specific role) is essential.
2. Improving Employee Awareness of Social Engineering: Given that social
engineering was the primary vector for the attack, organizations must invest in
comprehensive employee training on how to identify phishing attempts and other
social engineering tactics.
3. The Role of Cyber Forensics: The forensic investigation involved analyzing access
logs, tracking cryptocurrency movements, and monitoring online communication
between hackers. This reinforced the need for platforms to have strong forensic
capabilities to respond quickly and effectively in the event of a cyberattack.
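Lesson 1 above calls for least-privilege access to internal tools. The following Python module is an added example of what that looks like as an enforceable policy check in front of an account-administration tool; it is not Twitter's actual role model or control set, and the roles, actions and account tiers are constructed. It goes one step beyond the page's text by also requiring a second, differently identified operator to approve sensitive changes to protected accounts, so that a single compromised operator session cannot by itself reset a password or disable MFA on a high-profile account. Every decision is also returned as an audit record, since the investigation described earlier depended on exactly that kind of trail.

```python
"""Added example: least-privilege and two-person authorization for an admin tool."""
from dataclasses import dataclass, asdict
from typing import Optional, Tuple

# Constructed roles and the actions each may perform (least privilege: tier-1 support
# can look but not change; only the smallest group can disable MFA or lock accounts).
ROLE_PERMISSIONS = {
    "support_tier1": {"view_profile", "view_login_history"},
    "support_tier2": {"view_profile", "view_login_history", "reset_password", "change_email"},
    "trust_safety": {"view_profile", "view_login_history", "reset_password",
                     "change_email", "disable_mfa", "lock_account"},
}
# Actions that transfer control of an account.
SENSITIVE_ACTIONS = {"reset_password", "change_email", "disable_mfa"}
# Account tiers for which a sensitive action needs a second approver (constructed).
PROTECTED_TIERS = {"verified", "high_profile"}


@dataclass(frozen=True)
class Request:
    operator: str
    role: str
    action: str
    target_account: str
    target_tier: str
    approver: Optional[str] = None        # second operator who approved, if any
    approver_role: Optional[str] = None


def authorize(req: Request) -> Tuple[bool, str]:
    """Decide whether the request may proceed; returns (allowed, reason)."""
    allowed = ROLE_PERMISSIONS.get(req.role, set())
    if req.action not in allowed:
        return False, f"role {req.role} may not perform {req.action}"
    if req.action in SENSITIVE_ACTIONS and req.target_tier in PROTECTED_TIERS:
        # Two-person rule: a distinct, independently authorized approver is required.
        if req.approver is None:
            return False, "sensitive action on protected account requires a second approver"
        if req.approver == req.operator:
            return False, "approver must be a different operator"
        if req.action not in ROLE_PERMISSIONS.get(req.approver_role, set()):
            return False, "approver's role lacks permission for this action"
    return True, "allowed"


def audit_record(req: Request) -> dict:
    """Evaluate the request and return the decision together with its inputs for logging."""
    allowed, reason = authorize(req)
    record = asdict(req)
    record.update({"allowed": allowed, "reason": reason})
    return record


if __name__ == "__main__":
    demo = [
        Request("op_x", "support_tier1", "reset_password", "@someone", "standard"),
        Request("op_x", "support_tier2", "change_email", "@ceo", "verified"),
        Request("op_x", "support_tier2", "change_email", "@ceo", "verified",
                approver="op_y", approver_role="trust_safety"),
    ]
    for r in demo:
        print(audit_record(r))
```

The check is intentionally a function of role, action and target tier only, so it can be reviewed and tested independently of the tool's user interface; the approver requirement is what limits the blast radius of one phished employee, which is the failure this case study turns on.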
Ultimately, the incident prompted widespread reflection on the need for stronger security and
the ethical responsibility of social media companies to protect their platforms from misuse.
BY –
DIVYA PANWAR
[Link]. (H) Forensic science
5th semester
JULY