Cyber Incident Victim: News24
Date: Mar 2023
Location: India
Summary
A major Indian news channel's Twitter account was compromised by hackers promoting a fraudulent cryptocurrency airdrop involving XRP, utilizing phishing links and imagery of Ripple's CEO to deceive followers. The breach targeted the account's 1.4 million subscribers with false claims of token distributions, mirroring prior incidents involving high-profile Indian entities like the Prime Minister's account and national organizations, which had previously disseminated similar crypto scams featuring fabricated endorsements. While the full impact remains unclear, such schemes typically aim to steal funds through malicious links, with some fraudulent posts persisting on the account at the time of reporting.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On March 20, 2023, the Twitter account of Indian news outlet News24 was compromised by attackers who used it to promote a fraudulent cryptocurrency scheme. Hackers posted phishing links falsely advertising an XRP airdrop, a distribution of Ripple-affiliated tokens that did not exist. To lend credibility to the scam, the unauthorized tweets included an image of Ripple CEO Brad Garlinghouse alongside instructions urging followers to click the malicious links. These posts remained visible on News24's account for an unspecified period following the breach, indicating either delayed detection or difficulty regaining control. With 1.4 million followers, News24's account provided criminals access to a substantial audience, raising concerns that an unknown number of individuals may have interacted with the links and suffered financial losses. The incident continued a pattern of high-profile Twitter account takeovers targeting Indian entities to facilitate cryptocurrency fraud.

This breach mirrored prior compromises of prominent Indian institutional and governmental accounts. In late 2021, hackers seized control of Prime Minister Narendra Modi’s Twitter profile, which boasted over 87 million followers, to falsely announce India’s adoption of bitcoin as legal tender alongside claims of a 500 BTC government distribution. Approximately one month after that event, attackers similarly compromised the Twitter accounts of the Indian Medical Association, Indian Council of World Affairs, and Mann Deshi Mahila Bank, posting fabricated endorsements from Elon Musk promoting cryptocurrency schemes. While the News24 compromise shared operational similarities—including fraudulent cryptocurrency offers targeting followers through hijacked institutional accounts—specific technical details about the breach method, internal detection timelines, or account recovery measures were not disclosed. The historical pattern suggested coordinated exploitation of Indian organizations' social media presences for fraudulent financial solicitations, though attribution and direct links between incidents remained unconfirmed. The persistent visibility of fraudulent tweets on News24’s account underscored ongoing challenges in rapid containment following account takeover incidents.
