Twitter Bitcoin Hack 2020: Vishing Compromises Obama, Biden, Gates Accounts
Breach Summary
The Twitter breach of July 2020 compromised the accounts of the highest-profile individuals in the world — Barack Obama, Joe Biden, Elon Musk, Bill Gates, Jeff Bezos, Apple, and dozens of others — through a targeted vishing attack on Twitter employees that provided access to internal administrative tools. The attack demonstrated that the most sophisticated social engineering can succeed against even technology-forward organizations with substantial security investment.
What Happened
Three individuals were charged in connection with the hack: Graham Ivan Clark, a 17-year-old Florida resident who coordinated the attack; Mason Sheppard (Chaewon), 19, from the UK; and Nima Fazeli (Rolex), 22, from Florida. Clark pleaded guilty to 30 felony counts and was sentenced to three years in prison. The attack lasted several hours before Twitter identified the compromise and restricted the compromised admin tools. Twitter CEO Jack Dorsey described it as a coordinated attack on Twitter employees through social engineering.
Attack Vector Detail
The attackers called Twitter employees by phone, impersonating Twitter's IT support team. Using information gathered through OSINT about Twitter's internal systems and processes, the callers convinced employees that they were legitimate IT staff conducting system maintenance. Multiple employees provided their credentials to what appeared to be a legitimate internal IT portal. Using those credentials, the attackers accessed Twitter's internal admin tools, which allowed them to view account information and reset account credentials for any Twitter user.
With access to the admin tools, the attackers took over the accounts of high-profile individuals, posted Bitcoin scam messages, and collected approximately $120,000 in cryptocurrency from followers who believed the posts were genuine. The attackers also accessed direct messages for 36 accounts and downloaded full Twitter data for 8 accounts.
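The takeover pattern described above (one employee session changing credentials on many high-profile accounts in a short time) is detectable in admin-tool audit logs. The following is an added example, not code from Twitter or from the original page; the event format, agent names, action names, and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit events for a hypothetical support admin tool:
# (timestamp, employee, action, target account, target is a protected/high-profile account)
EVENTS = [
    ("2024-01-10T14:05:00", "agent_a", "password_reset", "user_1001", False),
    ("2024-01-10T14:40:00", "agent_a", "email_change", "vip_01", True),
    ("2024-01-10T16:10:00", "agent_a", "password_reset", "vip_02", True),
    ("2024-01-10T20:02:00", "agent_b", "email_change", "vip_03", True),
    ("2024-01-10T20:03:00", "agent_b", "password_reset", "vip_03", True),
    ("2024-01-10T20:07:00", "agent_b", "email_change", "vip_04", True),
    ("2024-01-10T20:12:00", "agent_b", "email_change", "vip_05", True),
    ("2024-01-10T20:13:00", "agent_b", "view_profile", "vip_06", True),
]

# Actions that hand control of an account to whoever performs them (assumed names).
SENSITIVE = {"email_change", "password_reset", "mfa_disable"}

def detect_takeover_bursts(events, window=timedelta(minutes=30), threshold=3):
    """Alert once per employee who changes credentials on >= threshold distinct
    protected accounts within a sliding time window."""
    recent = defaultdict(deque)   # employee -> (time, target) pairs still inside the window
    alerted, alerts = set(), []
    for ts_s, agent, action, target, protected in sorted(events):
        if action not in SENSITIVE or not protected:
            continue              # routine support work is ignored
        ts = datetime.fromisoformat(ts_s)
        q = recent[agent]
        q.append((ts, target))
        while ts - q[0][0] > window:
            q.popleft()           # drop events older than the window
        targets = {t for _, t in q}
        if len(targets) >= threshold and agent not in alerted:
            alerted.add(agent)
            alerts.append((agent, ts_s, sorted(targets)))
    return alerts

if __name__ == "__main__":
    for alert in detect_takeover_bursts(EVENTS):
        print("ALERT", alert)
```

Counting distinct protected targets rather than raw actions keeps repeated changes to a single account from triggering the alert, while a spread across several accounts does.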
Breach Pattern Timeline
July 14-15, 2020
Three teenage attackers — Graham Ivan Clark (Florida, 17), Mason Sheppard (UK, 19), Nima Fazeli (Florida, 22) — conduct social engineering attacks against Twitter employees. Use vishing (voice phishing) impersonation to convince Twitter customer support employees to log into Twitter's internal admin tools and provide attackers with remote control.
July 15, 2020
Through compromised employee admin access, attackers reset email addresses and passwords for ~130 high-profile Twitter accounts. Take over accounts of Barack Obama, Joe Biden, Elon Musk, Bill Gates, Jeff Bezos, Apple, Uber, Coinbase, Cash App, and others.
July 15, 2020 (afternoon)
Compromised accounts post identical Bitcoin scam tweets: 'I'm giving back to my community... double the amount sent to my BTC address.' Scam generates ~12.86 BTC (~$118K at the time) before Twitter intervention.
July 15, 2020 (evening)
Twitter takes unprecedented action: temporarily blocks ALL verified (blue checkmark) accounts globally from tweeting while incident response continues. Demonstrates the scope of the compromise.
July 31, 2020
FBI arrests Graham Ivan Clark (alleged ringleader) in Tampa. Subsequently arrests Mason Sheppard and Nima Fazeli.
August 2020
Florida state prosecutors charge Clark as adult on 30 counts of organized fraud and computer crimes. Federal charges follow.
March 16, 2021
Graham Ivan Clark accepts plea agreement: 3 years in juvenile prison + 3 years probation. Mason Sheppard and Nima Fazeli prosecuted in U.S. and U.K. respectively.
July 2020 - 2025
Twitter (later X) implements enhanced employee training, phishing-resistant MFA for admin tool access, and stricter customer support privilege controls. Twitter 2020 hack becomes foundational case study for: (1) social engineering against employee admin access as enterprise breach vector, (2) high-profile account-takeover risk on social platforms, (3) the need for principle-of-least-privilege on customer support tooling.
Total impact: ~130 high-profile Twitter accounts compromised by 3 teenagers (Obama, Biden, Musk, Gates, Bezos, Apple, etc.), $118K crypto scam, all verified accounts globally blocked from tweeting during incident, foundational precedent for vishing-against-employee-admin-tools attack pattern that Scattered Spider would replicate at scale 2022-2024.
Executive Lessons
The Twitter hack demonstrated that insider access and social engineering against internal employees can bypass every external security control an organization deploys. The attackers' ability to reset verification for and access accounts belonging to sitting US presidential candidates, sitting presidents, and the world's richest individuals through a single compromised internal tool reinforced that privileged internal access requires its own security tier — least privilege, monitoring, and separation of duties.
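One way to express that security tier in an internal admin tool, as an added example that is not Twitter's implementation or part of the original page: every role name, action name, and factor label below is a hypothetical chosen for illustration. The gate combines least privilege (role permissions), phishing-resistant step-up authentication, separation of duties (a second approver for protected accounts), and an audit record of every decision.

```python
from dataclasses import dataclass
from typing import Optional

# Least privilege: each hypothetical support role gets only the actions it needs.
ROLE_PERMS = {
    "support_l1": {"view_profile"},
    "support_l2": {"view_profile", "password_reset"},
    "account_security": {"view_profile", "password_reset", "email_change"},
}
SENSITIVE = {"password_reset", "email_change"}
# Credentials or codes given to a caller can be replayed; an origin-bound key cannot.
PHISHING_RESISTANT = {"webauthn"}

@dataclass
class Request:
    actor: str
    role: str
    auth_factor: str                 # factor used for this session's step-up
    action: str
    target_protected: bool           # e.g. verified or otherwise high-profile account
    approver: Optional[str] = None
    approver_role: Optional[str] = None

def authorize(req, audit):
    """Return (allowed, reason) and append every decision to the audit list."""
    def decide(ok, reason):
        audit.append((req.actor, req.action, ok, reason))   # monitoring hook
        return ok, reason

    if req.action not in ROLE_PERMS.get(req.role, set()):
        return decide(False, "role lacks permission")
    if req.action in SENSITIVE:
        if req.auth_factor not in PHISHING_RESISTANT:
            return decide(False, "phishing-resistant step-up required")
        if req.target_protected:
            # Separation of duties: one compromised employee is not enough.
            if not req.approver or req.approver == req.actor:
                return decide(False, "second approver required")
            if req.approver_role != "account_security":
                return decide(False, "approver not authorized")
    return decide(True, "ok")
```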
Private Equity Implications
For PE portfolio companies with customer-facing platforms that include internal administrative tools, the Twitter breach illustrates that privileged administrative access to customer accounts requires enhanced authentication controls — not just standard employee MFA — and that employees with access to those tools are specific vishing targets. Privileged administrative tool access should be treated as equivalent to domain administrator access in terms of authentication and access control requirements.