Cyber Incident Victim: Indian Council of World Affairs

Date: Jan 2022

Location: India

Summary

The Indian Council of World Affairs' Twitter account was compromised alongside those of two other organizations in a coordinated cryptocurrency scam campaign. Attackers hijacked the accounts to impersonate Elon Musk, posting fraudulent Bitcoin giveaway promotions directing users to a Telegram link that solicited payments ranging from $945 to $472,967, falsely promising high returns. At least 31 victims transferred approximately 5.75 bitcoins ($273,848) to the attackers’ wallet. While ICWA managed to delete the scam content, the incident exposed vulnerabilities linked to shared account credentials and insufficient authentication controls, suggesting potential password compromise or lack of multifactor authentication. The breaches collectively undermined trust in the targeted organizations’ digital presence.

Description

On January 3, 2022, the official Twitter accounts of the Indian Medical Association (@IMAIndiaOrg), Indian Council of World Affairs (@ICWA_NewDelhi), and Mann Deshi Bank (@MannDeshiOrg) were compromised in a coordinated cryptocurrency scam operation. The attackers first hijacked the Indian Medical Association's account at 01:55 Indian Standard Time, posting fraudulent messages impersonating Elon Musk that promoted a fake Tesla Bitcoin giveaway. Within minutes, hundreds of automated tweets directed users to a Telegram link advertising false cryptocurrency distributions of Bitcoin, Ethereum, Dogecoin, and Shiba Inu coins. Blockchain analytics revealed the scam required victims to send between 0.02 and 10 bitcoins ($945-$472,967) to a specified address under the false promise of receiving 10-100 times their investment. Fake discussion threads were created to simulate successful returns, with Blockchair confirming 31 victims transferred 5.75 bitcoins ($273,848) to the fraudulent wallet. The Indian Medical Association discovered its account had been locked by Twitter due to suspicious activity but could not regain access despite submitting an unlock request. Its social media manager confirmed that three to four individuals shared the compromised password.

All three organizations' accounts displayed identical cryptocurrency scam content, indicating coordination by the same threat actor. While the Indian Council of World Affairs successfully deleted the fraudulent tweets from its account, the other two organizations remained compromised at the time of reporting. This incident followed a December 12, 2021, breach of Indian Prime Minister Narendra Modi's Twitter account that similarly promoted fake Bitcoin adoption policies. The Indian Medical Association, representing 334,000 physicians, faced operational disruption to its official communication channel. Forensic analysis showed the attackers exploited weak password management practices, with cybersecurity experts noting organizations frequently disable multi-factor authentication for shared social media accounts. Twitter's security systems automatically locked the IMA account upon detecting anomalous activity, but the platform's lack of organizational access controls—unlike Facebook or LinkedIn—complicated centralized account management for institutional users. No data exfiltration beyond the cryptocurrency theft was confirmed, with financial losses limited to the blockchain transactions traced to the scam address.
