Why can't Twitter stop Elon Musk bitcoin scams? It's complicated

Verified Twitter accounts – including Google's G-Suite and Matalan – are getting hacked and pretending to be Elon Musk. The bitcoin scams are making thousands but why can't Twitter do anything about them?

It's easy to be Elon Musk. "I'm giving 5,000 Bitcoin (BTC) to all community," the promoted tweet begins, more often than not sent by a hacked verified account that's been edited to loosely appear to come from Musk. Send in a tiny slice of bitcoin, it promises, and the billionaire will send back a big chunk in return.

That particular scam has been running for weeks, though variations go back for months, raising plenty of questions: Who would fall for this? Why Elon Musk? Why can't Twitter stop it? And what's happening with the stolen money?

The answers are both simple and complicated. You'd have to be deeply foolish to fall for any advance payment scam, but they continue to trap plenty of victims. Twitter should be able to stop seemingly identical scam messages with little effort, but the simple-looking scheme is actually seriously sophisticated, says Jordan Wright, principal R&D engineer at Duo Security, who along with data scientist Olabode Anise published extensive research into Twitter bitcoin bots over the summer.

The most recent pattern is similar: take over a verified account, change the display name to Elon Musk, alter the avatar to his photo, post the message and then pay to promote it into as many timelines as possible. The more eyeballs you get, the more chance there is that people will donate.

Variations on the theme have been running since March, though the promoted tweets and attacks against verified accounts appeared to start in October.

One of the first such messages was sent via the hacked account of Food Network host Tyler Florence, with the promise of bitcoin rather out of keeping with his usual culinary posts. A few weeks later, similar tweets were sent and promoted by hacked accounts from Matalan, Pantheon Books and more. A week later, another string of tweets with identical text was sent, this time from an account belonging to Capgemini, a French consultancy firm. Similar messages were sent days later from accounts belonging to US department store Target and Google's G-Suite.

The wording is almost always exactly the same, though the number of bitcoin promised differs and some posts feature typos — including misspelling "bitcoin". "I'm giving 5 000 Bitcoin (BTC) to all community!", reads the tweet promoted from Florence's account. "I decided to make the biggest crypto-giveaway in the world, for all my readers who use Bitcoin. I left the post of director of Tesla, thank you all for your support!" The message includes a bitcoin address to send a small payment to "verify your address".

Given that the nature of the scam hasn't changed, how has Twitter failed to stop it? A Twitter spokesperson wouldn't share much detail on its scam-prevention efforts, but said that recent efforts targeting cryptocurrency scams mean "impressions have fallen by a multiple of ten", noting that is a "significant improvement on previous action." A Twitter spokesperson also said that it works to stay ahead of scammers, who frequently change their methods.

And Twitter has been trying to crack down on bitcoin scams promoted via fake Elon Musk accounts — it even caught out Musk himself, temporarily banning his account after he made a joke about selling bitcoin. For a time, it blocked accounts of anyone who changed their name to "Elon Musk", but no longer does so. Scammers even sought to dodge Twitter's algorithms by tweaking Musk's avatar in odd ways.

"It's a bit of a cat and mouse game," says Duo's Anise. "When it first started, they would post a spam tweet," explains Wright. "And that was pretty much the end of it. But over time, we started seeing them get more advanced, and they would have accounts dedicated to liking that tweet, trying to give it credibility… and now we're seeing it taken to the next level, with hijacked accounts replying to the tweet saying it worked for them, trying to give an air of legitimacy." That highlights how the scammers' tactics have slowly evolved, and since Duo's report this summer they have new techniques, including the use of Twitter's paid-for marketing tool, Promoted Tweets. "It's just another example of how this operation is evolving over time," Wright says.

Those constant changes keep Twitter on its toes, as do unnoticeable edits to the text. While the promoted scam messages look nigh-on identical, suggesting they'd be easy for Twitter to block, they aren't always the same. "One thing we've noticed over time is the accounts using white space in a different way, or characters that may not be normal ASCII characters but maybe unicode," says Anise. "So it can be difficult to do pattern matching on the text of a tweet. It may look very simple to the human eye, but it may be different in terms of trying to implement this programmatically." And getting it wrong could lead to false positives, such as accidentally banning the real Musk.
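The matching problem Anise describes, shown as an added example (not code from the article, Duo Security or Twitter): a literal substring check misses variants that differ only in whitespace or Unicode code points, while canonicalizing the text first catches them without flagging an unrelated tweet. The homoglyph table, the regular expression and the sample tweets are assumptions constructed for illustration.

```python
import re
import unicodedata

# Illustrative homoglyph folds only; production filters would load the full
# Unicode confusables data (assumption: this short table is hypothetical).
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
    "\u0441": "c", "\u0456": "i", "\u0440": "p",   # Cyrillic c, i, p
    "\u03bf": "o", "\u03b9": "i",                  # Greek omicron, iota
    "\u2019": "'",                                 # curly apostrophe
})

LITERAL = "I'm giving 5 000 Bitcoin (BTC) to all community"
# Number left variable because the article says the promised amount differs.
PATTERN = re.compile(r"i'm giving [\d ,.]+ bitcoin \(btc\) to all community")


def canonicalize(text: str) -> str:
    """Reduce visually identical variants to one comparable form."""
    text = unicodedata.normalize("NFKC", text)   # fullwidth, NBSP, thin space
    text = "".join(c for c in text if unicodedata.category(c) != "Cf")  # zero-width
    text = text.casefold().translate(HOMOGLYPHS)
    return re.sub(r"\s+", " ", text).strip()


def naive_match(tweet: str) -> bool:
    return LITERAL in tweet


def normalized_match(tweet: str) -> bool:
    return PATTERN.search(canonicalize(tweet)) is not None


# Constructed sample tweets (not captured data).
SAMPLES = {
    "plain": "I'm giving 5 000 Bitcoin (BTC) to all community!",
    "zero_width_nbsp": "I'm giving 5\u00a0000 Bit\u200bcoin (BTC) to  all community!",
    "cyrillic": "I\u2019m giving 10 000 Bit\u0441\u043ein (BTC) to all community!",
    "fullwidth": "I'm giving 5,000 \uff22\uff49\uff54coin (BTC) to all community!",
    "benign": "Bitcoin fell 5% today; no giveaway is coming to all community members.",
}

if __name__ == "__main__":
    for name, tweet in SAMPLES.items():
        print(f"{name:16} naive={naive_match(tweet)!s:5} normalized={normalized_match(tweet)}")
```

Text-only canonicalization is one signal among several; it does nothing against a scam message delivered as an image, and the homoglyph fold should be applied only to the comparison copy, never to the stored tweet.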

Plus, it's worth noting that such scams have roped in a few hundred victims — though some of them are quite possibly authorities, security researchers and curious journalists investigating the activity, as well as the scammers themselves (we'll get to that). With the recent US mid-term elections and other digital threats to democracy, Twitter may simply have had bigger concerns.


While the number of victims is relatively small, it's surprising that anyone would fall for such poorly written, clearly dubious messages. Musk is not going to give you money, and he knows how to spell "bitcoin." Paul Seager, a senior lecturer in Social and Forensic Psychology at the University of Central Lancashire, says there are multiple reasons why such scams remain successful — and the rough wording and misspellings actually help. "It wards off people that are sophisticated," he says. "They'll look at it and know it's a scam. It's the people who lack sophistication who will then follow it up."

In other words, if you think the messages are too stupid to work, they weren't written for you. "You'd think nobody would ever fall for that, and most of us wouldn't because we'd look at the spelling mistakes and bad grammar and never be drawn into it," he says. "The language gets rid of sceptical people."

Another reason the scam works is the use of Elon Musk's name. While it also garners the headlines that mean most tech watchers have seen media coverage of these scams, for others it gives a degree of solidity and trustworthiness, says Seager. Musk has more than 23 million followers on Twitter.

On the other hand, the recent controversy surrounding Musk's behaviour — smoking a joint on camera, getting in trouble with the SEC — makes him an ideal candidate for other reasons. "It's plausible some people were looking to take advantage of him," says Seager. "Maybe people thought he was just having a meltdown and this was a chance to take advantage of him."

That casts a bit of guilt on the victims themselves, but Seager notes that anyone willingly sending off a slice of bitcoin to a mysterious account isn't likely struggling to make ends meet. "People don't just have bitcoins — it tends to be the more wealthy people who invest in it… and if they lose it, it doesn't mean anything." People may be falling for these scams because the money doesn't feel real to them in the first place.

And where are those bitcoins going? One of the charms of the digital currency is how trackable it is — so much for anonymous payments. Anyone can take the bitcoin address published by the scammers and drop it into a tracking website, such as Blockchain.info, and see not only which accounts have paid into it but where the money was moved. The address used for the Matalan message saw 401 transactions over a couple of days earlier this month, gathering a total value of 28 bitcoin worth about £120,000 at today's value. The bulk of that, about 21 bitcoin, was shifted on November 7 to another account. Over eight further transactions, bits and pieces have been shaved off, with 16 bitcoin remaining at this address. Authorities will presumably be keeping close watch to see where it heads next.

It's possible to launder bitcoin via tumblers or mixers (accounts used to obscure payments), and some of the apparent victims are inexplicably using such techniques to pay into the scams. That would make it difficult for Musk to verify an address and respond with a bitcoin payment, not that he was ever going to.

That suggests not all the payments into the accounts come from victims; some may come from the scammers themselves or other dodgy sorts laundering their ill-gotten gains. One notable tumbler paying into the scammer addresses is the infamous "5oC" account, which analyst Benjamin Strick notes turns up in everything from WannaCry to jihadi groups and even ransom payments. It's turned up in previous bitcoin scams, he noted, including one from April this year that promised to double your bitcoin stash.

Using the "5oC" address to make a payment is an "extreme" level of protection, he notes. "To find a tumbler for instance, you would go through Tor to an onion site to deposit," he says. "The service is synonymous with the dark web and any 'vendor/buyer guide' to trading on the dark web will recommend using a mixing service."

So while the scams appear so simple that it's almost unbelievable anyone falls for them and that Twitter can't stop them, they actually feature sophisticated psychology and trickery to avoid Twitter's traps and make use of tracking evasion techniques associated with the dark web. That said, as complex as the scam may actually be, it's simple to not get caught out: if you run a verified account, enable two-factor authentication, and if you have bitcoin, rest assured no-one will give you more for free.

This article was originally published by WIRED UK