In July 2020, Twitter suffered a high-profile breach orchestrated by Joseph James O'Connor ('PlugwalkJoe') and accomplices, who exploited **SIM-swapping and social engineering** to gain access to internal admin tools. The attackers hijacked verified accounts of prominent figures (e.g., Barack Obama, Bill Gates, Jeff Bezos) to post fraudulent Bitcoin scam tweets, netting over **$100,000 in hours**. Beyond financial fraud, the breach enabled unauthorized access to **private direct messages (DMs)**, extortion of victims, and threats against celebrities.

The incident exposed critical vulnerabilities in Twitter's **identity verification and internal controls**, eroding user trust and prompting regulatory scrutiny. While no large-scale data leak of user credentials occurred, the reputational damage was severe, compounded by the platform's role in facilitating high-profile scams. The UK's **£4.11 million ($5.39M) asset seizure** from O'Connor, via civil recovery orders, highlights the breach's financial and legal fallout, including cross-border enforcement actions. The attack underscored risks of **insider tool abuse** and **account takeover (ATO) via telecom exploits**, though no ransomware or systemic outages were reported.
Source: https://www.theregister.com/2025/11/17/cps_41m_crypto_twitter/
Twitter cybersecurity rating report: https://www.rankiteo.com/company/twitter
"id": "TWI2632126111725",
"linkid": "twitter",
"type": "Cyber Attack",
"date": "7/2020",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation:"
{'affected_entities': [{'customers_affected': 'High-profile users '
'(celebrities, politicians, '
'executives) + scam victims',
'industry': 'Technology/Internet',
'location': 'Global (HQ: San Francisco, USA)',
'name': 'Twitter (now X Corp)',
'size': 'Large (thousands of employees, 300M+ users in '
'2020)',
'type': 'Social Media Platform'},
{'customers_affected': '100+ (estimated from $100K scam '
'proceeds)',
'location': 'Global',
'name': 'Victims of Bitcoin Scam',
'type': 'Individuals'},
{'industry': ['Entertainment', 'Politics', 'Business'],
'location': 'Global',
'name': 'Extortion/Threat Targets',
'type': 'Celebrities/High-Profile Individuals'}],
'attack_vector': ['SIM-Swapping',
'Social Engineering',
'Compromised Internal Tools (Twitter Admin Panel)'],
'customer_advisories': ['Twitter Support Notifications to Affected Users '
'(2020)',
'Scam Victim Restitution (Ongoing)'],
'data_breach': {'data_exfiltration': 'Yes (messages accessed, likely '
'downloaded)',
'personally_identifiable_information': 'Yes (linked to '
'SIM-swapping)',
'sensitivity_of_data': 'High (private communications of '
'celebrities/politicians)',
'type_of_data_compromised': ['Private Direct Messages',
'Account Authentication Tokens',
'Contact Information']},
'date_detected': '2020-07',
'date_publicly_disclosed': '2020-07-15',
'description': 'British prosecutors secured a civil recovery order to seize '
'£4.11 million ($5.39 million) in crypto assets from Joseph '
"James O'Connor (aka 'PlugwalkJoe'), linked to the July 2020 "
'Twitter breach. The attack involved SIM-swapping and social '
'engineering to hijack high-profile accounts (e.g., Barack '
'Obama, Bill Gates, Jeff Bezos) and solicit Bitcoin via '
"fraudulent tweets, netting over $100,000. O'Connor also "
'accessed private messages, extorted victims, and threatened '
'celebrities using compromised Twitter admin tools. He was '
'sentenced to 5 years in the US (2023) for conspiracy, wire '
"fraud, and money laundering. The UK's civil recovery order "
'targets additional assets under proceeds-of-crime '
'legislation.',
'impact': {'brand_reputation_impact': "Severe (Twitter's security practices "
'questioned, high-profile victims)',
'customer_complaints': 'Likely high (scam victims, affected '
'account holders)',
'data_compromised': ['Private Direct Messages',
'Account Credentials',
'High-Profile User Data'],
'financial_loss': '$100,000+ (from Bitcoin scam) + £4.11 million '
'($5.39 million) seized in crypto assets',
'identity_theft_risk': 'High (SIM-swapping enabled account '
'takeovers)',
'legal_liabilities': ['US Sentence: 5 years + $794,000 forfeiture '
'+ restitution',
'UK Civil Recovery Order: £4.11 million '
'seizure'],
'operational_impact': 'Temporary loss of control over high-profile '
'Twitter accounts, reputational damage to '
'Twitter',
'payment_information_risk': 'Cryptocurrency wallets compromised',
'systems_affected': ['Twitter Internal Admin Tools',
'Celebrity/High-Profile Accounts (e.g., '
'Barack Obama, Bill Gates, Jeff Bezos)']},
'initial_access_broker': {'backdoors_established': 'Twitter Admin Tool Access',
'data_sold_on_dark_web': 'Unconfirmed (but private '
'messages likely '
'monetized)',
'entry_point': 'SIM-Swapping (Mobile Carrier '
'Compromise)',
'high_value_targets': ['Celebrity Accounts',
'Politician Accounts',
'Executive Accounts'],
'reconnaissance_period': 'Weeks/Months (target '
'selection, carrier '
'research)'},
'investigation_status': 'Closed (US criminal case concluded; UK civil '
'recovery order executed)',
'lessons_learned': ['SIM-swapping remains a critical vector for high-impact '
'account takeovers',
'Internal admin tools require stricter access controls '
'and monitoring',
'Celebrity/high-profile accounts need additional '
'protection layers',
'Cross-border collaboration is essential for prosecuting '
'cybercriminals',
'Cryptocurrency tracing enables asset recovery '
'post-conviction'],
'motivation': ['Financial Gain', 'Extortion', 'Reputation Damage'],
'post_incident_analysis': {'corrective_actions': ['Twitter implemented '
'stricter access controls '
'post-breach',
'Enhanced MFA requirements '
'for employees',
'US/UK law enforcement '
'collaboration on '
'cybercrime asset recovery',
'Public awareness campaigns '
'on SIM-swap risks'],
'root_causes': ['Inadequate MFA for Twitter '
'employee accounts',
'Mobile carrier vulnerabilities '
'(SIM-swap exploits)',
'Overprivileged internal admin '
'tools',
'Lack of behavioral monitoring for '
'anomalous access']},
'recommendations': ['Implement hardware-based MFA for all employees '
'(especially those with admin access)',
'Monitor for SIM-swap indicators (e.g., sudden carrier '
'changes)',
'Segment internal tools to limit lateral movement',
'Conduct regular red-team exercises targeting social '
'engineering vectors',
'Establish cross-jurisdictional legal frameworks for '
'asset recovery'],
'references': [{'date_accessed': '2023-11-20',
'source': 'The Register',
'url': 'https://www.theregister.com/2023/11/20/twitter_hacker_uk_asset_seizure/'},
{'date_accessed': '2023-06-23',
'source': 'US Department of Justice',
'url': 'https://www.justice.gov/usao-sdny/pr/uk-national-sentenced-five-years-prison-hacking-twitter-accounts-and-conducting-sim'},
{'date_accessed': '2023-11-14',
'source': 'UK Crown Prosecution Service',
'url': 'https://www.cps.gov.uk/cps/news/cyber-criminal-loses-ps41m-profits-twitter-hack'}],
'regulatory_compliance': {'fines_imposed': ['$794,000 forfeiture (US)',
'£4.11 million asset seizure '
'(UK)'],
'legal_actions': ['US Criminal Conviction (2023)',
'UK Civil Recovery Order '
'(2023-11-14)'],
'regulations_violated': ['Computer Fraud and Abuse '
'Act (US)',
'Wire Fraud (US)',
'Money Laundering (US/UK)',
'UK Proceeds of Crime '
'Act']},
'response': {'communication_strategy': ['Public Statements by Twitter',
'Victim Notifications',
'CPS Press Release (2023-11-14)'],
'containment_measures': ['Account Lockdowns',
'Revoking Admin Access',
'Password Resets'],
'enhanced_monitoring': 'Likely (post-breach security upgrades)',
'incident_response_plan_activated': 'Yes (Twitter locked '
'affected accounts, '
'investigated internally)',
'law_enforcement_notified': 'Yes (FBI led investigation, CPS '
'handled UK asset recovery)',
'remediation_measures': ['Enhanced MFA for Employees',
'Internal Tool Access Restrictions'],
'third_party_assistance': ['US Law Enforcement (FBI)',
'UK Crown Prosecution Service (CPS)',
'Spanish Authorities (extradition)']},
'stakeholder_advisories': ['Twitter Security Updates (2020)',
'FBI Cyber Division Alerts',
'CPS Proceeds of Crime Announcement'],
'threat_actor': "Joseph James O'Connor (aka 'PlugwalkJoe') and accomplices",
'title': 'Twitter Celebrity Account Hijacking and Cryptocurrency Scam (2020)',
'type': ['Account Takeover',
'Social Engineering',
'Cryptocurrency Scam',
'Extortion',
'SIM-Swapping'],
'vulnerability_exploited': ['Weak Multi-Factor Authentication (MFA) on '
'Twitter Employee Accounts',
'Social Engineering of Mobile Carriers',
'Insider Tool Abuse']}