A hack that saw many of the world's most famous Twitter accounts taken over to launch a bitcoin scam could actually have been cover for something even more damaging.
Twitter has admitted that the hackers may have conducted "other malicious activity" while they had access to the accounts, or that they could have accessed other information on the site while they briefly had access to the company's platform.
The hack emerged overnight as many Twitter accounts with large followings – everyone from Elon Musk to Barack Obama – posted tweets telling people to send bitcoin to a specific address. The tweets falsely claimed that any money sent to the accounts would be repaid twice-over, as part of what the messages claimed was an effort to give back to fans.
Such cryptocurrency scams have been popular on Twitter in recent years, with some users such as Elon Musk being targeted by criminals who create fake accounts in their name and post similar messages, indicating that users should send bitcoin to receive some in return. But they have never been executed on such a grand or embarrassing scale.
Despite the spectacular nature of the attack, the scam itself was relatively unsuccessful. Public records show that the account received less than 13 bitcoins, worth just over $100,000 at today's prices.
The fact that such a major hack was carried out for relatively little reward, despite having what appears to be wide-ranging access to the Twitter platform, has led to some speculation that the cryptocurrency scam could actually be masking another, perhaps more damaging, attack.
In a series of tweets outlining what happened during the attack, Twitter admitted that the hackers appeared to have access to internal systems that seemingly allowed them to tweet from almost any account. It also noted that they may have used that same access to conduct "other malicious activity" or to steal information.
That could theoretically have included accessing private direct messages, for instance, or compromising other less immediately obvious accounts or systems.
"We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools," the company wrote.
"We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it."
Security experts sounded the alarm about the fact that the attack was able to happen and noted that the scam could be a "distraction" from more substantial access.
"If the hackers do have access to the backend of Twitter, or direct database access, there is nothing potentially stopping them from pilfering data in addition to using this tweet-scam as a distraction," said Michael Borohovski, director of software engineering at security company Synopsys.