On July 15th, the Twitter accounts of Barack Obama, Joe Biden, Elon Musk, Bill Gates, Apple, and Uber all tweeted the same Bitcoin scam within an hour — and the mechanism, now confirmed, was not exotic: attackers social-engineered Twitter EMPLOYEES (phone spear-phishing) into internal admin tools, and those tools could post AS ANY ACCOUNT. The haul was a laughable ~$120k in BTC; the demonstrated capability — tweet as a president-elect, as a head of state, as the SEC’s favorite CEO (#140), during a market day or a crisis — was priceless, which is exactly the asymmetry that should terrify everyone (the attackers were, mercifully, teenagers after pocket money rather than a state after a war pretext; alleged mastermind: seventeen years old). The staff-file lessons, all archive reruns at maximum blast radius: internal tools are production (#123’s dropdown, #032’s Joyent — the admin panel is the most privileged deploy surface you own and the least reviewed); support-staff access is the perimeter (#161’s inside-the-VPC call); and “god mode” tooling needs the same guardrails as capacity removal (#102) — scoping, approvals, session recording, and alarms on volume. We audited our own admin panel Thursday. Findings: three actions with no audit log. Fixed by Monday. The industry’s collective admin-panel audit this week may be the hack’s real payload.
The sports restart is HERE: the Premier League’s Project Restart reaches its final week (piped crowd audio, cardboard fans), and F1’s delayed season is underway in Austria with strict team bubbles and paddock protocols holding — zero positives inside the perimeter so far, a closed-system result the #182 file notes with genuine admiration. Designed quarantine works; the control group is, unfortunately, everywhere else.
TIL: SIM-swap and phone-spear-phishing mechanics — the attack chain ran through telecom and human layers our threat models politely ignore. The org chart is attack surface (#151, Conway’s law of security).