
Cyber Incident Victim: Indian Medical Association

Date:

Jan 2022

Location:

India

Summary

The Indian Medical Association's Twitter account was compromised along with two other organizations' accounts, leading to unauthorized posts promoting fraudulent cryptocurrency giveaways impersonating Elon Musk. Attackers directed victims to a Telegram link soliciting bitcoin transfers, resulting in approximately $273,000 stolen from 31 individuals. The breach involved shared password access among multiple account managers, with similar tactics used across all compromised accounts to disseminate crypto scam content.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On January 3, 2022, the official Twitter accounts of three prominent Indian organizations—the Indian Medical Association (@IMAIndiaOrg), the Indian Council of World Affairs (@ICWA_NewDelhi), and Mann Deshi Bank (@MannDeshiOrg)—were compromised in a coordinated cryptocurrency scam campaign. The Indian Medical Association, representing over 334,000 physicians, confirmed its account was hacked and locked by Twitter after the platform detected suspicious activity. Attackers first posted fraudulent content on the IMA account at 0155 hours Indian Standard Time, impersonating Tesla CEO Elon Musk to promote a fake "airdrop event" offering 5,000 Bitcoin. This was followed by hundreds of automated tweets directing users to a Telegram link advertising fraudulent cryptocurrency giveaways for Bitcoin, Ethereum, Dogecoin, and Shiba Inu coins. The scam required victims to send between 0.02 and 10 Bitcoin ($945 to $472,967) to a specified wallet address under false promises of 10x returns within minutes. Blockchain analytics revealed that 31 victims transferred 5.75 Bitcoin ($273,848) to the attackers' address before the scam was disrupted.


The incident exposed vulnerabilities in shared social media account management: three to four IMA staff members had access to the same Twitter password, and multifactor authentication was not enabled. Twitter automatically locked the IMA account during the breach, but the organization remained unable to regain access despite submitting an unlock request. Only the Indian Council of World Affairs successfully deleted the scam tweets from its compromised account. Forensic analysis indicated that all three breaches likely originated from the same threat actor, based on identical scam content and tactics resembling a December 2021 compromise of Prime Minister Narendra Modi’s Twitter account that promoted similar fake Bitcoin giveaways. The attackers exploited basic security weaknesses, including predictable passwords and disabled OTP-based authentication, to hijack high-profile accounts. Financial losses were confirmed through blockchain transaction records, though the full reputational damage to the affected organizations remained unquantified at the time of reporting. Twitter’s lack of organizational access controls, compared with platforms such as Facebook, was cited as a contributing factor in the account takeover.

Sources

1 source (available to members)