On July 15, 2020, Twitter, one of the world’s largest social media platforms, fell victim to an audacious attack. Verified accounts belonging to Barack Obama, Elon Musk, Jeff Bezos, Bill Gates, Apple, and even Bitcoin exchanges were compromised in a case that combined social engineering, account hijacking, and crypto fraud.
The attack
On July 15, 2020, around 3:30 PM EDT, a wave of tweets appeared from high-profile, blue-check-mark accounts, each promising to “give back to the community.”
“I am giving back to my fans. All Bitcoin sent to the address below will be sent back doubled! If you send $1,000, I’ll send $2,000 back!”
The message included a Bitcoin wallet address — and it worked. Within hours, over 130 accounts were targeted, and $117,000 worth of Bitcoin was transferred to the scammers’ wallets. The attack forced Twitter to temporarily lock all verified accounts, a move that paralyzed news outlets, public figures, and major corporations for hours.
The investigation
Initial speculation pointed toward a sophisticated hacking group or state-sponsored actors. Instead, the culprits turned out to be teenagers operating primarily from the U.S. and the U.K.
The mastermind was Graham Ivan Clark, a 17-year-old from Florida, who gained access to Twitter’s internal admin tools by socially engineering employees. He convinced Twitter staff that he was part of the IT department and obtained credentials that allowed him to reset passwords and take control of high-profile accounts.
Clark was later arrested and charged with 30 felony counts, including communications fraud and unauthorized computer access. Two co-conspirators, Nima Fazeli and Mason Sheppard, were also charged for their roles in brokering access and managing stolen accounts.
The weakest link
The hack wasn’t purely technical; it was a masterclass in social engineering. The attackers exploited trust and internal access rather than external vulnerabilities. Once inside, they used Twitter’s own administrative tools to bypass two-factor authentication and post directly from verified accounts.
This incident highlighted a well-known truth: in cybersecurity, people remain the weakest link. Even companies with billions in security investments can be undone by a convincing phone call or Slack message.
The role of cryptocurrencies
The scam relied on Bitcoin’s perceived anonymity to attract quick, irreversible payments. Because crypto transactions are pseudonymous and irreversible, once funds are sent, recovery is virtually impossible.
Blockchain forensics later tracked the flow of funds across multiple wallets, some of which were quickly frozen by crypto exchanges. Still, the case exposed how easily cryptocurrency can be weaponized in social media scams.
When the hackers hijacked celebrity Twitter accounts in July 2020, they were testing the limits of cryptocurrency traceability.
- Step 1: The Bait
The scam tweets all pointed to a single wallet address. Within hours, that address received over 400 transactions, totalling roughly 12.86 BTC (about $117,000 USD at the time). Because all Bitcoin transactions are public, blockchain analysts could immediately start tracing where the funds went.
- Step 2: Blockchain Forensics
Investigators from Chainalysis, Elliptic, and the FBI’s Cyber Division tracked the Bitcoin using transaction graph analysis, essentially following each transfer as the scammers attempted to “wash” the coins through various wallets and mixers. They discovered that the funds were split across dozens of wallets within hours. Some Bitcoin was sent to exchanges like Binance and Coinbase. These exchanges’ compliance teams detected suspicious activity and froze the accounts. A portion of the Bitcoin was converted to privacy coins (e.g., Monero), but it was too late, as the blockchain trail was already mapped.
- Step 3: Linking Wallets to Real Identities
Although Bitcoin is pseudonymous, every wallet is tied to a public key, so its activity can be followed on-chain; naming the person behind it takes information from outside the blockchain.
The turning point came when the hackers advertised stolen Twitter access credentials on a hacker forum known as OGUsers. Those posts included contact handles used on Discord and Coinbase accounts. Investigators matched these to real-world names, leading to Graham Ivan Clark (Florida), Nima Fazeli (Florida), and Mason Sheppard (U.K.).
- Step 4: Recovery and Restitution
When police raided Clark’s home in Tampa, they seized several hardware wallets and crypto recovery phrases. Authorities were able to recover a portion of the stolen Bitcoin, which was later included in restitution orders for victims. While exact totals remain confidential due to Clark’s juvenile status, sources close to the investigation estimate that 20–30% of the stolen Bitcoin was ultimately recovered.
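The transaction graph analysis described in the steps above can be illustrated with a short added example (not code from the investigation or from any firm named here). It uses a simplified account-style ledger and "haircut" (pro-rata) taint propagation, which is one common tracing heuristic; all addresses, amounts and exchange labels are constructed.

```python
from collections import defaultdict

# Constructed sample ledger (not real addresses or amounts):
# (time, sender, receiver, BTC)
TRANSFERS = [
    (1, "victim_a", "scam_wallet", 0.5),
    (2, "victim_b", "scam_wallet", 1.5),
    (3, "scam_wallet", "hop_1", 1.0),      # proceeds split across wallets
    (4, "scam_wallet", "hop_2", 1.0),
    (5, "clean_user", "hop_1", 1.0),       # unrelated funds mix into hop_1
    (6, "hop_1", "exchange_dep_x", 1.0),
    (7, "hop_2", "hop_3", 1.0),
    (8, "hop_3", "exchange_dep_y", 0.4),
]
# Hypothetical labels an analyst would hold for exchange deposit addresses.
EXCHANGE_LABELS = {"exchange_dep_x": "Exchange X", "exchange_dep_y": "Exchange Y"}


def trace_taint(transfers, seed):
    """Replay transfers in time order; each outgoing payment carries the
    sender's current tainted fraction (haircut method)."""
    balance = defaultdict(float)
    tainted = defaultdict(float)
    for _, src, dst, amount in sorted(transfers):
        if dst == seed:
            moved = amount                 # everything paid to the scam address is proceeds
        else:
            # Senders funded outside this ledger have no tracked balance: treated as clean.
            frac = tainted[src] / balance[src] if balance[src] > 0 else 0.0
            moved = amount * frac
            tainted[src] -= moved
        balance[src] = max(balance[src] - amount, 0.0)
        balance[dst] += amount
        tainted[dst] += moved
    return tainted


def exchange_hits(tainted, labels):
    """Tainted BTC that reached labelled deposit addresses, where funds can be frozen."""
    return {labels[a]: round(v, 8) for a, v in tainted.items() if a in labels and v > 0}


def unresolved(tainted, labels):
    """Tainted BTC still sitting in unlabelled wallets (leads left to follow)."""
    return {a: round(v, 8) for a, v in tainted.items() if a not in labels and v > 1e-9}


if __name__ == "__main__":
    t = trace_taint(TRANSFERS, "scam_wallet")
    print("reached exchanges:", exchange_hits(t, EXCHANGE_LABELS))
    print("still in hop wallets:", unresolved(t, EXCHANGE_LABELS))
```

Mixing clean funds into `hop_1` halves the taint attributed to the deposit at Exchange X but does not erase it, and the total traced amount always equals what was paid into the seed address.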
The impact of the scam
Twitter’s CEO at the time, Jack Dorsey, publicly apologized and called it “a tough day for us at Twitter.” The incident eventually led to major reforms in Twitter’s internal operations, including limiting access to administrative tools, strengthening employee identity verification, and expanding security training for insider threat mitigation.
The case also prompted discussions in Congress about social media accountability, insider risk management, and the role of cryptocurrencies in cybercrime.
The scariest part, however, was that, for a few hours, hackers controlled the digital voices of world leaders and billionaires. What would have happened if the tweets had contained geopolitical misinformation instead of a scam wallet address?
The sentence
Graham Clark was sentenced to three years in a juvenile facility after pleading guilty in 2021. He was also banned from using computers without supervision.
His plea agreement included restitution to victims from any seized crypto assets.
However, exact repayment details were never made public due to juvenile court confidentiality. Given that most victims lost small amounts (typically under $1,000), it’s likely that refunds were partial and distributed from recovered assets held by authorities.
Twitter was not held liable for restitution, primarily because the scam’s payments occurred outside the platform’s financial systems: the Bitcoin transactions happened entirely on the blockchain, not through Twitter or a payment processor.
Lessons learnt
For individuals and organizations:
- Enable multi-factor authentication (MFA) and enforce hardware keys for admin roles.
- Educate staff on social engineering and internal phishing awareness.
- Restrict privileged access with zero-trust principles.
- Monitor unusual account activity and implement rapid suspension protocols.
Most of all, this case became a showcase for how transparent blockchain really is, despite the perception of total anonymity.
“The myth that Bitcoin is untraceable was shattered by this case. If you know what you’re looking for, the blockchain tells a story.”
Kim Grauer, Head of Research at Chainalysis