On 15 July 2020, around 130 Twitter accounts belonging to high-profile individuals were compromised in a large-scale attempt at cryptocurrency fraud. The compromised individuals, some of whom have tens of millions of Twitter followers, included former President Barack Obama, Tesla CEO Elon Musk and Amazon's Jeff Bezos. This blog will look at how this hack was carried out and what the future implications for extradition and prosecution might be.
The affected accounts sent out tweets encouraging users to deposit money into a bitcoin wallet in return for double the amount back. An analysis of the cryptocurrency wallet promoted by the accounts shows that it received almost 13 bitcoin, or approximately USD $117,000.
Further to this immediate financial motive, this hack allowed those with access to the accounts to view direct messages and other private information contained within the Twitter accounts. This information could be extremely valuable to a variety of groups, including nation-state actors, blackmailers and other cyber criminals. It is possible we are yet to see the full consequences.
This has resulted in the FBI launching an investigation into this incident and the US Senate Commerce Committee demanding that Twitter brief the Committee by 23 July 2020. It is likely that if those responsible are identified they may face extradition from their home countries and prosecution in the US.
The exact method behind the attack is not yet known. However, Twitter claims to have detected a coordinated social engineering attack against its employees who have access to internal systems and tools. This is likely how the attackers initially gained access to the verified accounts.
Cybercriminals were then able to take over these accounts via SIM swapping, where hackers reroute the victim's phone number to a new SIM. This allows the hacker to exploit weaknesses in two-factor authentication by intercepting any one-time passwords sent via text and phone calls to the victim's phone, and subsequently log into their social media accounts.
The United States is increasingly active in pursuing those who are involved in cyber-crime. Indictments have been used against state-sponsored attackers as a means of deterrence, and it seems that the US is now moving this strategy into more traditional deterrence of crime. In 2018 three members of the cybercrime group known as FIN7 were indicted after targeting US companies, and Marcus Hutchins, a British security researcher, was arrested in 2017.
In addition, the US has sought to prosecute individuals for cybercrime where the hacking took place on US servers but the individuals were located in a different jurisdiction; Gary McKinnon and Lauri Love are two high-profile examples.
A link to the UK
Security researcher Brian Krebs claims that in the days leading up to the Twitter scam, some actors in the SIM swapping community were selling the ability to change an email address tied to any Twitter account.
There is speculation within the information security community that the individual behind the attack is based in the UK.
If the above sources are correct and the individual responsible is based in the UK, then it is possible the US may seek their extradition so they can be prosecuted. If this happens, there are a number of factors which will determine whether this request will be granted, one of which is whether the US is the correct forum. This issue is particularly important for cyber-crime because it transcends international borders: the computer used for hacking can be located in one, or even multiple, locations, but be used to target a computer or server on the other side of the world.
Determining which, if any, jurisdiction should take priority in prosecuting individuals for cybercrime is far from straightforward. To refuse an individual's extradition, the Court needs to be satisfied that the prosecution in the requesting jurisdiction is not in the interests of justice. The factors to take account of include the place where most of the loss or harm occurred, the interests of any victims, whether the UK prosecutor believes that the UK is not the most appropriate jurisdiction for proceedings to be brought and the requested person's connections with the United Kingdom.
The Courts consider that the place where most of the harm or loss took place would usually be a very weighty factor when determining whether to grant the request for extradition. In the past, where such requests have been refused, one of the key factors has been the requested person's connection to the UK or human rights grounds.
Mishcon de Reya has specialist teams who have extensive experience in both cybercrime and extradition.