Domain Mayday EP03: The 2020 Twitter Bitcoin Account Takeover

On July 15, 2020, attackers phoned their way into Twitter, hijacked the verified accounts of Obama, Biden, Musk, Gates, Apple and Uber, and ran a Bitcoin doubling scam — netting about $118,000. A deep-dive on how control of an online identity was stolen, and what it teaches about owning a name.

Published on June 17, 2026, by Namefi Team

For a few hours on a Wednesday afternoon, the most trusted voices on the internet all started saying the same thing: send me Bitcoin, and I'll send you back double.

Barack Obama said it. Joe Biden said it. Elon Musk said it. Bill Gates, Jeff Bezos, Kanye West, Apple, Uber — the blue-checkmarked, identity-verified accounts that hundreds of millions of people had been trained to believe — all posted the same crude crypto scam, almost word for word. None of those people typed a single character. Their accounts did, because someone else was holding the keys.

This is Domain Mayday EP03. The first two episodes were about names — who owns them, who can take them. This one is about the same question wearing a different costume. A Twitter handle, a verified badge, a domain name: each is a claim of identity that the rest of us take on trust. And on July 15, 2020, attackers proved how little it takes to seize that claim — not with malware or a zero-day, but with a phone call.

The trust that lives in a handle

A verified account is a trust shortcut. When @BarackObama posts, you don't re-verify that it's really him; the handle plus the badge is the verification. That shortcut is enormously valuable — and enormously fragile, because all of the trust accumulates on the account, while control of the account can sit somewhere else entirely.

It's the same structure as a domain name. whitehouse.gov is trusted not because every visitor inspects the certificate chain, but because the name itself carries authority. Control that name — at the registrar, at the DNS, at the admin panel — and you inherit all the trust people poured into it, instantly, whether or not it was ever yours.

The 2020 Twitter hack is the cleanest demonstration we have of that gap between trust and control. New York's financial regulator, which investigated because regulated crypto firms were among the victims, put it bluntly: the attack was "a cautionary tale about the extraordinary damage that can be caused even by unsophisticated cybercriminals."

July 15, 2020: the takeover

It happened fast and in daylight. Per Wikipedia's reconstruction, "On July 15, 2020, between 20:00 and 22:00 UTC, 130 high-profile Twitter accounts were compromised."

The New York Department of Financial Services (DFS) report lays out the choreography. The attackers warmed up on crypto first: "The Hackers first manipulated Twitter accounts connected to well-known cryptocurrency companies and individuals," seeding direct messages and tweets that pointed to a Bitcoin wallet. Then they escalated: "The Hackers then raised the stakes significantly and targeted verified Twitter accounts with millions of followers."

The list of who got hit reads like a guest list for the most-trusted accounts on the platform. Wikipedia notes the "supposedly compromised accounts included those of well-known individuals such as Barack Obama, Joe Biden, Bill Gates, Jeff Bezos...and companies such as Apple, Uber, and Cash App."

The message was identical and absurdly simple. From Apple's account, as recorded by Wikipedia: "We are giving back to our community. We support Bitcoin and believe you should too! All Bitcoin sent to our addresses will be sent back to you, doubled!" The same offer, repeated through dozens of the world's most credible mouths at once.

Not every account was used. The regulator found: "Overall, 130 Twitter user accounts were compromised during the Twitter Hack. Of those, 45 accounts were used to send tweets." Forty-five megaphones was more than enough.

What was actually lost

In raw dollars, the haul was small. The DFS report states the "Hackers stole approximately $118,000 worth of bitcoin through the Twitter Hack." Wikipedia notes that a single scam wallet "received over 320 deposits with a value of over US$110,000 before the scam messages were removed." For a breach of this magnitude, $118,000 is almost embarrassingly modest.

But the dollar figure badly understates the loss. What actually fell that afternoon was the integrity of the verified handle as a trust signal. For two hours, a blue checkmark proved nothing. The platform's entire identity layer — the thing that let you believe a tweet came from the person whose name was on it — was demonstrably, simultaneously controllable by a teenager. Twitter's response was telling: it temporarily froze the ability of many verified accounts to tweet at all. The only way to stop the trusted accounts from lying was to silence them.

That is the real cost of an identity takeover. The money is a footnote. The damage is that "this account = this person" stops being true, and everyone downstream who relied on that equation is exposed.

How it happened: a phone call, then an admin panel

There was no exploit. The DFS report is emphatic: "The Twitter Hack did not involve any of the high-tech or sophisticated techniques often used in cyberattacks – no malware, no exploits, and no backdoors." Instead, "The Hackers used basic techniques more akin to those of a traditional scam artist: phone calls where they pretended to be from Twitter's Information Technology department."

This is vishing — voice phishing. The attackers "called several Twitter employees and claimed to be calling from the Help Desk in Twitter's IT department," and "claimed they were responding to a reported problem the employee was having with Twitter's Virtual Private Network." Twitter itself later described it as a "phone spear phishing attack" that relied on "a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities."

The convincer was research, not technical skill. As security journalist Brian Krebs documented, the attackers leaned on profile data — names, roles, personal details pulled from LinkedIn and prior data leaks — to sound like real colleagues. Once an employee believed the caller, that employee handed over credentials, and the credentials opened the door to the prize: Twitter's internal account-management tooling.

That tool is the crux of the whole story. Krebs reported that "within Twitter's admin tools, apparently you can update the email address of any Twitter user" — change the email, trigger a password reset, and the account is yours, badge and all. The DFS report points to the structural failure that made one cracked employee so catastrophic: "Twitter did limit access to the internal tools, but over 1,000 Twitter employees still had access to them." A thousand-plus people held a master key to every identity on the platform, and the company had no chief information security officer to mind it — Twitter "had not had a chief information security officer ("CISO") since December 2019, seven months before the Twitter Hack."

There was a marketplace underneath all of this, too. Before the celebrity scam went out, the crew was busy selling stolen short, "OG" handles. Krebs noted that prior to the Obama/Biden/Musk/Gates blast, "several highly desirable short-character Twitter account names changed hands," because in that community "short-character profile names confer a measure of status and wealth" and "can often fetch thousands of dollars when resold." Names with scarcity value, stolen and flipped on a forum — a pattern any domain investor will recognize instantly.

The aftermath and the arrests

The unraveling was nearly as fast as the hack. Within two weeks, prosecutors moved. Krebs reported the charges: "Mason 'Chaewon' Sheppard, a 19-year-old from Bognor Regis, U.K., also was charged in California with conspiracy to commit wire fraud, money laundering and unauthorized access to a computer," and "Nima 'Rolex' Fazeli, a 22-year-old from Orlando, Fla., was charged in a criminal complaint in Northern California with aiding and abetting intentional access to a protected computer."

But the alleged ringleader was younger still. "17-year-old Graham Clark of Tampa, Fla. was among those charged in the July 15 Twitter hack," and as a minor he was charged by Florida's state attorney rather than federal court. He "was hit with 30 felony charges, including organized fraud, communications fraud."

The following March, Clark took a deal. CyberScoop reported he "admitted to being behind a scheme that saw him steal more than $117,000 by taking over the Twitter accounts of numerous public figures." Public radio station WUSF reported the sentence: "three years in a juvenile facility to be followed by three years of probation," which it noted was "the maximum allowed under the state's youthful offender law."

A fourth figure surfaced later. Wikipedia records that "in April 2023, 23-year-old Joseph James O'Connor, a British citizen with the online handle PlugwalkJoe, was extradited from Spain to New York to face charges," and was later sentenced to five years in federal prison.

What this teaches about controlling online identity

Strip away the celebrity names and the crypto, and the 2020 Twitter hack is a pure lesson in the difference between having an identity and controlling one. A few principles fall out of it:

  1. Trust accumulates on the name; control lives in the back office. Hundreds of millions of people trusted @BarackObama. None of that trust protected the account, because the account's control surface was an internal admin panel a thousand-plus employees could reach. Whoever controls the back office controls the identity, no matter whose name is on the front.

  2. The weakest link is almost never the cryptography. No exploit, no malware, no backdoor — just a convincing phone call. Identity systems fail at the human and process layer far more often than at the math layer. A perfect lock on a door that any helpful employee will open on request is not a lock.

  3. A single point of total control is a single point of total failure. One reusable internal tool that could change the email on any account meant one compromised employee equaled platform-wide takeover. Concentrated, reversible, opaque control is the vulnerability.

  4. Scarce names are targets. The same crew that hijacked presidents also quietly sold off short "OG" handles for thousands of dollars. Valuable names attract theft, and a name's worth is exactly what makes its control worth stealing.

  5. Recovery should not depend on the platform's mercy. When the trusted accounts started lying, Twitter's only lever was to freeze them. Identity owners had no independent way to prove "this is really me" or to reclaim control — they were entirely dependent on a centralized operator's internal tooling and goodwill.
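
One way a defender could watch for the sequence described above: an email change made through an internal admin tool, followed shortly by a password reset, and one employee touching many accounts in a short span. This is an added example, not code from Twitter, the DFS report, or Namefi; the log format, field names, actor and account ids, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (hypothetical format and ids, not real Twitter logs).
SAMPLE_LOG = """\
2020-07-15T20:01:10Z actor=emp_41 action=admin_email_change target=acct_a
2020-07-15T20:03:02Z actor=system action=password_reset target=acct_a
2020-07-15T20:05:40Z actor=emp_41 action=admin_email_change target=acct_b
2020-07-15T20:06:15Z actor=system action=password_reset target=acct_b
2020-07-15T20:09:30Z actor=emp_41 action=admin_email_change target=acct_c
2020-07-15T20:30:00Z actor=emp_07 action=admin_email_change target=acct_d
2020-07-15T23:45:00Z actor=system action=password_reset target=acct_d
"""

RESET_WINDOW = timedelta(minutes=15)  # email change -> reset this close is treated as linked
BURST_WINDOW = timedelta(minutes=30)  # look-back window for per-employee activity
BURST_TARGETS = 3                     # distinct accounts changed by one actor in the window

def parse(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts' field."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def detect(log_text):
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    last_change = {}                      # target -> (time, actor) of latest admin email change
    changes_by_actor = defaultdict(list)  # actor -> recent (time, target) email changes
    alerts = []
    for e in events:
        if e["action"] == "admin_email_change":
            last_change[e["target"]] = (e["ts"], e["actor"])
            recent = [(t, tgt) for t, tgt in changes_by_actor[e["actor"]]
                      if e["ts"] - t <= BURST_WINDOW] + [(e["ts"], e["target"])]
            changes_by_actor[e["actor"]] = recent
            if len({tgt for _, tgt in recent}) == BURST_TARGETS:
                alerts.append(("admin_burst", e["actor"], None))
        elif e["action"] == "password_reset" and e["target"] in last_change:
            changed_at, actor = last_change[e["target"]]
            if e["ts"] - changed_at <= RESET_WINDOW:
                alerts.append(("change_then_reset", actor, e["target"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The last two sample lines show the case that should stay quiet: a reset hours after an unrelated email change by a different employee raises no alert.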

The Namefi angle

A domain name is an online identity with exactly the same trust-versus-control gap that Twitter's verified handles had — and often the same kind of opaque back office. For most domains, "ownership" lives in a registrar account, defended by a password and a support team. A convincing phone call, a social-engineered support rep, an email change pushed through an internal panel — the 2020 Twitter playbook maps almost one-to-one onto a registrar account takeover. The trust the world has poured into your domain doesn't protect it if control of that domain sits behind a help desk that can be talked into anything.

Namefi exists to close that gap. The core idea is that control of a domain should be verifiable and owner-held, not a setting in someone else's admin tool. By representing domain ownership as a tokenized, on-chain asset that stays compatible with DNS, Namefi makes the question "who controls this name?" answerable cryptographically rather than by a support agent's judgment under pressure. There's no single internal panel that a thousand employees can reach to silently reassign your name; the proof of control lives with the owner, and transfers are auditable rather than improvised.

The 2020 Twitter hack worked because identity and control had been quietly pried apart — the name said one thing while a hidden admin tool decided another. The lesson for anyone who depends on a name is to make control as legible and as owner-anchored as the trust the name carries. A handle, a badge, a domain: each is only as secure as the back office behind it. Namefi's bet is that the back office should be a verifiable ledger you control, not a phone line someone else can be tricked into answering.

About the author(s)

Namefi Team

Namefi is a collective of engineers, designers, and operators who obsess over building tools that make managing your onchain domain names effortless.
