The discussions in the coming days and weeks surrounding yesterday's large-scale compromise of verified Twitter accounts, including those of Joe Biden, Barack Obama, and Bill Gates, will likely be about how the attackers gained access to so many high-profile accounts at once. The sheer breadth of the digital landscape this breach covered in so little time shocked the world and is sure to stoke concerns about who can access the means of disseminating information—or disinformation—to the masses.
However, while examining Twitter's internal security practices and controls is an important focus, it's also worth looking at the #Twitterhack from an external angle. Who were these actors, and why did they go through so much trouble to access those accounts? What did their cryptocurrency scam campaigns look like outside of the Twitter spotlight?
RiskIQ's Passive DNS data gives us our first clue. It shows that domains belonging to these attackers were registered months or years ago, which means impersonating famous brands and people to trick victims into giving up their cryptocurrency was their MO long before the fall of the blue checkmarks. Hacking Twitter was simply their latest—albeit their most successful—tactic for reaching a massive pool of potential victims and lending credibility to their phishing scheme. Before hacking verified accounts, this group may have been leaning on other dependable vehicles for scam victim acquisition, such as fake social media accounts, spam emails, and scam ads.
Next, tying together the phishing domains belonging to the attackers shows us the overall scope of the attack and which brands were being impersonated. The Twitter hack itself made the most headlines, but RiskIQ researchers observed only one attacker-owned domain tweeted from a hacked verified account. From that one domain, however, we mapped out hundreds more that the attackers did not use on Twitter and were likely using in other attack vectors.
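As an added illustration of the pivot described above (example code, not RiskIQ's tooling or data): starting from one seed domain, walk domain-to-IP-to-domain links in passive DNS records to recover co-hosted infrastructure, then measure how long each domain was visible before the incident. All domains, IPs and dates are constructed placeholders.

```python
# Added example, not RiskIQ's code: passive DNS pivot from a seed domain.
from collections import defaultdict, deque
from datetime import date

# Constructed passive DNS records: (domain, resolved_ip, first_seen).
# Domains use the reserved .example TLD and IPs come from RFC 5737
# documentation ranges; none of these are real indicators.
PDNS = [
    ("seed-giveaway.example", "192.0.2.10", date(2020, 7, 15)),
    ("seed-giveaway.example", "198.51.100.5", date(2020, 7, 15)),
    ("brand-promo.example", "192.0.2.10", date(2019, 11, 2)),
    ("celeb-btc.example", "198.51.100.5", date(2020, 3, 20)),
    ("celeb-btc.example", "203.0.113.7", date(2020, 3, 20)),
    ("old-wallet-bonus.example", "203.0.113.7", date(2018, 6, 1)),
    ("unrelated-shop.example", "192.0.2.200", date(2020, 7, 1)),
]
INCIDENT = date(2020, 7, 15)  # day the hacked accounts tweeted the domain


def pivot_cluster(records, seed, noisy_ips=frozenset()):
    """Breadth-first walk domain -> IP -> domain over passive DNS records.

    noisy_ips lists shared hosting (CDN, parking, sinkhole) addresses that
    would link unrelated domains; an analyst excludes them before pivoting.
    """
    by_domain, by_ip = defaultdict(set), defaultdict(set)
    for dom, ip, _ in records:
        if ip in noisy_ips:
            continue
        by_domain[dom].add(ip)
        by_ip[ip].add(dom)
    seen, queue = {seed}, deque([seed])
    while queue:
        for ip in by_domain[queue.popleft()]:
            for other in by_ip[ip] - seen:
                seen.add(other)
                queue.append(other)
    return seen


def infrastructure_age(records, cluster, incident=INCIDENT):
    """Days each clustered domain was seen in passive DNS before the incident."""
    first = {}
    for dom, _, seen_on in records:
        if dom in cluster:
            first[dom] = min(first.get(dom, seen_on), seen_on)
    return {dom: (incident - d).days for dom, d in first.items()}


if __name__ == "__main__":
    ages = infrastructure_age(PDNS, pivot_cluster(PDNS, "seed-giveaway.example"))
    for dom, days in sorted(ages.items(), key=lambda kv: -kv[1]):
        print(f"{dom:26} first seen {days:4d} days before the incident")
```

Domains that were resolving long before the incident date are the ones that show the campaign predates the Twitter compromise, which is the pattern the Passive DNS data revealed here.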
You can reference an updated list of domains owned by these attackers via this Pastebin. The security community is already using this list as a basis for their investigations into this attack:
— briankrebs (@briankrebs) July 15, 2020
Researchers at @RiskIQ are tracking a list of all web domains (~400) tied to the widespread #cryptocurrency scam that also hit Twitter today, revealing how vast and dedicated infrastructure these fraudsters are maintaining and it's not seasonal. https://t.co/x0IsVCHnKu #infosec
— The Hacker News (@TheHackersNews) July 16, 2020
Uncovering so much attacker infrastructure is possible with RiskIQ's massive crawling infrastructure, which has been absorbing and analyzing the internet for over a decade. RiskIQ technology defines the web's identity and composition by fingerprinting everything that fits together to create the internet as we know it—each component, connection, service, IP-connected device, and more. With this Internet Intelligence Graph, our researchers could link together the attacker-owned domains and add a new layer of context to the attack.
Researchers at RiskIQ Labs are using our internet-wide telemetry to maintain an updated list of domains tied to this campaign. So far, RiskIQ researchers have linked nearly 400 domains to the attack, and they will continue to update the Pastebin and analyze each element of this threat campaign.