New York polls crypto firms on security measures after Twitter hack

The New York Department of Financial Services found that crypto firms blocked the Twitter hackers’ crypto addresses within 40 minutes.

The New York Department of Financial Services, or NYDFS, has released a lengthy report analyzing the impact of July’s high-profile Twitter hack, which resulted in the theft of over $118,000 worth of Bitcoin (BTC). 

Far beyond the immediate material impact, the NYDFS states that the incident exposed deep cybersecurity weaknesses of a publicly-traded social media company valued at $37 billion and counting over 330 million active monthly users. The discovery has serious consequences in light of the platform’s ever-expanding influence on both financial markets and the political sphere. 

Two key sections of the NYFDS report, published on Oct. 14, tackle the Twitter hack’s impact on the department’s cryptocurrency licensees, and how these companies responded to protect their clients from the fraud. NYFDS also surveyed and compiled crypto firms’ recommendations on how to prevent a similar cyberattack from succeeding in the future.

The agency notes that in the third phase of the hack, the attackers took aim at the Twitter accounts of crypto companies, which included NYDFS-regulated entities. These “responded quickly to block impacted addresses, demonstrating the maturity of New York’s cryptocurrency marketplace and those authorized to engage within it. Their actions show that New York continues to set a high standard and attract only the most responsible actors.”

Coinbase, Gemini and Square, all of which provide wallet services and whose Twitter accounts were hacked, rapidly blocked the Bitcoin addresses posted by the hackers on Twitter. According to NYFDS’ survey, each of the companies blocked the relevant addresses within 40 minutes of their accounts being hacked. 

Fifteen surveyed crypto firms in total blocked transfers to the addresses, while seven did not. The report notes that some companies have different business models and do not directly handle custody and transfer services, which accounts for their inaction. 

Among those that do, Coinbase blocked around 5,670 transfers, valued at roughly $1,294,000; Square blocked 358, valued at roughly $51,000; Gemini blocked two, valued at roughly $1,8000; and Bitstamp blocked one, valued at $250.

The other focus of the NYFDS survey and report was to analyze which security measures the crypto firms took to protect their social media accounts following the hack, and gather key recommendations to cement security going forward. 

These included using strong and unique passwords, monitoring social media accounts for unauthorized posts, using multi-factor authentication but avoiding SMS-based MFA due to its susceptibility to hacks, and limiting employee access to social media accounts. 

Placing the hack in context, NYFDS notes that in 2019, millions of people worldwide lost over $4.3 billion to cryptocurrency scams — up from just $650 million in 2018. Exploiting the pandemic, scammers have already stolen over $380 million in the first half of 2020. One scammer tactic that intersects with the Twitter hack “impersonating Elon Musk on Twitter” has already cost victims almost $200,000 in Bitcoin. Such incidents have spurred the entrepreneur to warn his followers: