Cyber Incident Victim: India's National Disaster Management Authority
Date: Nov 2018
Location: India
Summary
Hackers compromised the Twitter account of India's National Disaster Management Authority, using it to endorse Bitcoin giveaway scams by replying to malicious posts from other accounts without sharing direct links. The attackers promoted false claims of successful cryptocurrency transactions and referenced Elon Musk to enhance credibility. The organization regained control and deleted fraudulent content but did not issue a public statement. This incident reflects a broader pattern of verified account takeovers, including recent breaches at a major European film studio and a retailer that resulted in significant cryptocurrency thefts.
Description
On November 6, 2018, hackers compromised the official Twitter account of India’s National Disaster Management Authority (NDMA), a government agency responsible for disaster response coordination. The attackers used the verified account to promote cryptocurrency giveaway scams, a prevalent social media fraud tactic at the time. Unlike typical account takeovers involving direct malicious link distribution, the hackers strategically engaged with existing scam posts from other accounts. They replied to these posts with endorsements designed to legitimize fraudulent Bitcoin schemes. One tweet from the compromised NDMA account falsely claimed, “I sent 0.30 BTC and got 6 BTC back,” while another referenced Elon Musk with the statement, “Elon, you are the best person I have ever seen in my life.” These replies targeted posts from fake accounts impersonating public figures like Musk, which were propagating fraudulent cryptocurrency giveaway links. The NDMA’s social media team regained control of the account and purged all malicious tweets, though the agency had not issued any public statement regarding the incident by the time reporting concluded.

This incident occurred amid a surge of verified account compromises targeting organizations globally. Just one day prior, attackers had hijacked Twitter accounts belonging to a major European film studio and the retailer Matalan, netting over $150,000 in stolen cryptocurrency through similar scams. The NDMA breach highlighted attackers’ evolving tactics, leveraging institutional credibility to amplify fraudulent campaigns without directly hosting malicious links. While the financial impact specific to the NDMA compromise remained unreported, the incident disrupted the agency’s official communications channel during its operational period. The lack of disclosed technical details about the account takeover method or duration limited public understanding of the breach’s scope. Restoration efforts focused solely on account recovery and content removal, with no referenced enhancements to authentication protocols or cybersecurity audits. The episode underscored persistent vulnerabilities in social media account security among high-profile entities.
