Bug bounty programs typically have stringent rules, disqualify many valid reports, and take a long time to pay out. Not surprising to me that they'd cash out in this manner - especially if they got access via a token which expires: they wouldn't have much time to plot on how to monetize the access.

I suspect this was a small operation - a national intelligence organization could have caused orders of magnitude more havoc with this sort of access. Smaller groups don't have the infrastructure to capitalize on such chaos.

Also for example, if they’re a US student, they could lose access to benefits and loans as a result of reporting the income.

Not everyone believes that the existence of Twitter, in its current state as an amplification medium for the ever increasing polarisation in this world, is actually a force of good.

Helping them out with a security report might be the last thing on their mind.

Companies will routinely downgrade the severity of your exploit so they can pay you less.

Cons: trying to deal with 103k in bitcoin

After this they became paranoid of the bug being fixed within hours and tried to monetise it in the quickest, easiest and safest way possible.

If Twitter uses the same 2FA internally as they do for customers it'd be pretty easy to take over a support account if you know of the location of an employee.

It's not uncommon for hackers to have these weird imbalances in skill and understanding.

Imagine if every verified account related to finance started tweeting “cash out your accounts NOW.”

You could easily, easily cause some pretty massive panic.

Besides public state and company size, Twitter is also new media. And all media is information warfare. (Hmm, that sounds a bit strong, especially considering the toxicity that is the platform itself; I mean the term generically speaking.)

Most of the adults are asleep and there are any number of things you could write to trigger some sort of shitstorm from POTUS.

"...from the accounts of Gemini, Binance, KuCoin, Coinbase, Litecoin's Charlie Lee, Tron's Justin Sun, Bitcoin, Bitfinex, Ripple, Cash App, Elon Musk, Uber, Apple, Kanye West, Jeff Bezos, Michael Bloomberg, Warren Buffett, Barack Obama and CoinDesk."

Unless we hear from account holders that their credentials weren't stolen, there's no reason to believe that only those were hacked that sent tweets.

You can prove you have 'blackmail materials' just by proving you own the bitcoin wallet.

Someone (or someones) had to configure a message for each victim, they had to write the script to send all the tweets simultaneously, they probably had to test the script, they had to execute it. To me, that says they had enough time to think about what they were doing and weren't racing a very short expiration clock.

If I were at twitter I might try to investigate by looking for accounts that they might have used to test their script. If you could look for something like multiple accounts tweeting the same thing within 1 minute, in the past couple weeks, you could turn up some candidates for test accounts. You could further refine that by checking the messages sent, follower counts, etc. Maybe the hacker will leave behind clues on the script test account.

1) You submit transaction to the mempool. It may take a couple of minutes for a miner that "liked" your transaction to include it in a block. While in this stage, the receiver technically does not have anything yet, thus impossible to use them in any way.

2) The transaction get put inside a block. Generally, most vendors would say the transaction is "unconfirmed", although technically it is now in the ledger. There is a small chance that due to inconsistencies and network latency the block gets orphaned and the replacing block does not include the transaction. If you are a vendor and start shipping products immediately after your money is put into the ledger, you open yourself to a range of possible attacks. For this reason most wait two or three more blocks, just to be sure.

To answer your question: After a block gets created and the scammer receives his crypto, albeit still in an unconfirmed (read as "young") block, they can start using it however they decide to. Small chance that their actions get reverted exists tho.

I would say “taken” is fair; but “stolen” isn’t exactly right.

Plus there is no way it will be that much.

a) fix the bug if it‘s in their APIs

b) roll out a framework to be able to respond quickly in the future. Like a regex on their edge servers.

In my understanding once you remove all the layers of abstraction as some point it's a bunch of databases and data stores. Someone has to manage them. Why wouldn't a breach of those users be able to do whatever they want?

And a higher level, someone is writing the code to implement such a stringent access system. Why wouldn't a breach of those users (or a rogue employee) be able to accomplish bad things?

That would be good from a security perspective, but it would cost additional training, require more support staff, increase response time between request and resolve, make the system more complex and possible fragile, and take development resources away from profit centers.

Most companies has likely, at best, the same security at their internal support center as their accounting department, and given how common CEO fraud is, it mean social engineering will likely continue to be a major attack vector for a long time.

Same as when a journalist in the UK got a temp job in BT's office in Edinburgh and looked up the queens unlisted phone numbers at Balmoral - lead to a major security incident and massive changes.

Unlikely since the tweets appeared from "Twitter Web App"

They also can't be stupid enough to not understand that using a single address that is blocked in most web wallets now is completely dumb.

Are there better options?

$7k vs $100k, you choose.

The resources needed to do this. Compromising and paying Twitter staff, the practical, technical know how (and it's cost), and that no real attempt to profit from this has been made?

I don't think that sounds like a financially motivated crime at all. As a crime it has more in common with the proverbial 'horse head on the bed', than a sophisticated heist. I think this was done to shake confidence in the perceived invincibility of Silicon Valley and FANG like companies particularly.

But then any number of well resourced 'political' actors would love to send that message to the large tech companies...

- Bitcoin is used for scams

- Bitcoin hacks

- Bitcoin used for illegal activity

All the meanwhile, more people become aware and interested.

These sort of events prime the "nocoiners" to read and understand that little bit more.