Several major Twitter verified accounts were compromised this morning as part of yet another Bitcoin scam. This time around, Target claimed it was handing out 5,000 bitcoins in “the biggest crypto-giveaway in the world,” and unsuspecting users saw the ad in their timelines as a promoted tweet.
Like Monday’s fake Elon Musk Bitcoin scam, Target’s tweet invited users to send a small amount of bitcoin in exchange for a large sum. In previous instances, scammers would simply hack into verified Twitter accounts, change the name and profile picture to impersonate Musk, and write an ad that would appear on unsuspecting Twitter users’ timelines as a promoted tweet. This time around, scammers were able to access Target’s main Twitter account, send out a promoted tweet, and reply to the scam from several other hacked verified accounts to make the giveaway appear legitimate.
Compromised accounts included Universal Music Czech Republic, the Body Shop, the University of Toledo’s Athletics Department, and Under Armour Baseball Japan, which tweeted out-of-character comments like “Yes, this is a good innovation, thanks for distributing bitcoins!” Scammers even accessed the United Nations Refugee Agency in Serbia, with the government agency saying “Great innovation, now I can pay for my purchases using Bitcoin, thank you Target.com!”
The hacked tweets were deleted shortly after the ad appeared, although the fake giveaway gained over 80 retweets and 490 likes before it was removed.
Twitter users were quick to point out that Target’s hack is part of an ongoing problem on the website. Cryptocurrency scams have plagued the service over the past year, to the point where even Musk has praised the scammers for their “mad skillz.” Today’s hack remains one of the most advanced iterations yet, and it suggests Twitter doesn’t have the problem under control.
And now @Target.
This isn't just Target's problem. This is @Twitter's problem. They clearly haven't got a handle on these cryptocurrency scams.
— Graham Cluley (@gcluley) November 13, 2018
We’ve reached out to Target and Twitter for comment.
Update 4:35pm CT, Nov. 13: In a statement to the Daily Dot, a Twitter spokesperson explained that impersonating another in order to deceive users is a violation of Twitter rules and that the site has “substantially improved” how it handles cryptocurrency scams.
“We’ve been in close contact with Target this morning and can also confirm that their account was inappropriately accessed for approximately half an hour, after which we swiftly locked the account so Twitter could thoroughly investigate the issue,” a Twitter spokesperson told the Daily Dot. “We also identified a number of other accounts that were inappropriately accessed in relation to this scam and have moved quickly to also take action against them. We will continue to closely monitor the situation.”
Target also confirmed that its account was “inappropriately accessed” this morning.
“The access lasted for approximately half an hour and one fake tweet was posted during that time about a bitcoin scam,” a Target spokesperson told the Daily Dot. “We’re in close contact with Twitter, have deleted the tweet and have locked the account while we investigate further.”