The tweet itself was nothing remarkable: “The $STONKS airdrop is now live!,” it read, along with an emoji of an upward-trending market chart and a link to a website where you can “find out how many $STONKS tokens you’re eligible to claim.” Millions of similar scams circulate on the web every day, enticing the most gullible among us to give away their personal financial details in hopes of a cryptocurrency windfall. The only remarkable thing about the tweet—at least from my perspective—was that it was being retweeted by an account that, until this past Saturday, had been mine.
As a little-known professor writing little-read articles about federal and state tax law, I am far from the highest-profile person to have had his Twitter account compromised. Hackers have commandeered the Twitter presences of—among many others—Joe Biden, Barack Obama, Kanye West, Bill Gates, and even Elon Musk, who now owns the cesspool-cum-social media site. A 2021 study by Security.org estimated that 22 percent of U.S. adults have been victims of “account takeovers.”
Most of those people are ultimately able to get their accounts back. In the celebrity cases, the takeover is usually countermanded in a matter of minutes or hours. I, alas, won’t be so lucky.
I realized that I could no longer log into Twitter using my password or email address when I went to check the site after reading a New York Times Magazine cover story about—ironically enough—how Twitter “broke our brains.” I appealed to Twitter Support for aid. Two days later, on Monday night, I received a response informing me that Twitter was “unable to verify” that I actually am the account owner. “We know this is disappointing to hear, but we can’t assist you further with accessing your account,” the message continued—seemingly acknowledging that it is indeed my account while also doubting that same fact. With at least 70 percent of the company’s pre-Musk staff now gone, I truly believe Twitter’s no-reply email address when it tells me that it just doesn’t have the bandwidth to help further.
And so @danieljhemel—the handle from which I once tweeted tax commentary to 9,000 or so followers—will now be the plaything of cryptocurrency scammers until they tire of it.
At least I’m in good company—because really, Twitter’s 300 million-odd regular users were all hacked months ago. So, too, were the billions more who get their news from Twitter-dependent journalists (which is to say, most of us in advanced economies). The social media site at the base of our informational food chain has been hijacked by a cryptocurrency hawker, and we’ll probably have to live with the fact that we can’t get it back.
I don’t know how I was hacked, though I certainly bear responsibility. When Twitter disabled two-factor text message authentication in March for everyone except subscribers to the Twitter Blue premium service, I didn’t bother to download an authentication app or set up a physical security key. I don’t think I fell victim to an obvious phishing attack, but I used the same password for Twitter as for several other nonfinancial sites. In retrospect, I was a soft target for hackers.
In retrospect, we were all soft targets. Hundreds of millions of us came to rely on Twitter directly—and billions more indirectly—without much of a collective strategy for safeguarding the screws to our information ecosystem. The password that we used for Twitter was the same one we used for other Web 2.0 platforms: free-market capitalism. We failed to activate anything like two-factor authentication—any fallback mechanism in the event that self-regulation malfunctioned.
To the extent that anyone thought about it, our security strategy was something like this: For-profit firms will have powerful incentives to maintain our informational infrastructure because if they don’t, they’ll bear reputational damage that loses them users and advertisers, which—in turn—will cause their stock prices to tank. Managers will be motivated by stock-based compensation—and mandated by state corporate law—to maximize shareholder value, which means (among other things) that they’ll invest in security and customer service. Government regulators won’t hold the platforms accountable, but Wall Street will. And for a time, the strategy worked. While Twitter had a reputation as a hellsite in its early years, the social media network had come of age by the beginning of this decade and began to police misinformation and harassment more aggressively—even banning one of its most loyal users, then-President Trump, from the site in 2021 for inciting a violent insurrection.
In a sense, the strategy worked too well. The high-powered incentives generated by a frothy stock market proved so potent that they produced the world’s first triple-centibillionaire, whose net worth—at peak—was more than six times Twitter’s market capitalization. When Elon Musk offered to buy Twitter at a 38 percent premium over its most recent closing price, the board’s fealty to the goal of shareholder value maximization led it to sell out. As someone who owned a modest amount of Twitter stock at the time, I wasn’t about to complain about my gains. And I’d become so addicted to the site that even when it started to sink, I stayed aboard the ship.
Since the sale was officially consummated in October, the plutocrat who pledged to make Twitter our “digital town square” has transformed the site into a speech environment that more closely resembles Tiananmen—one where journalists have been suspended for reporting too harshly on the man in charge. But unlike the most rigidly controlled authoritarian regimes, the site is a source of near-constant chaos. It turns out that Web 2.0 platforms still require warm bodies to make them run smoothly, and Musk has been unable or unwilling to retain human beings who can respond appropriately and with alacrity when an account is hacked.
Now, it doesn’t much matter to the world when a tax professor’s Twitter handle is requisitioned by cryptobots. The more worrisome possibility is that a truly important account—for example, one belonging to the Federal Aviation Administration or the BBC or some country’s foreign ministry—will be commandeered for a prolonged period by bad actors who spread misinformation more malicious than a “$STONKS” scam. (Musk has further exacerbated the problem by removing Twitter’s characteristic blue checkmarks from verified accounts unless the account owner antes up $8 a month—making the site an even less trustworthy information environment.) Hopefully in the case of a more dangerous instance of impersonation, the rump staff at Twitter Support will be more helpful than it was to me. Then again, this is a company that currently auto-replies to all press inquiries with a poop emoji. I asked Twitter to comment on my tale of woe, and the response—as expected—was a picture of feces.
I’m tempted to think that the Twitter problem is sui generis. The other companies that own key elements of our information infrastructure are too large to be swallowed up by a single titan. Microsoft, the owner of LinkedIn, has a market capitalization above $2 trillion; Google’s parent Alphabet hovers above $1 trillion, and Facebook parent Meta, even after its recent troubles, still is worth more than $500 billion—over 10 times what Musk paid for Twitter. The bird site’s vulnerability lay in the fact that it was critical to a community of influencers but not so valuable as to be invulnerable to a takeover.
But then I look back at @danieljhemel, the account that was once mine, and see thousands of retweets for posts celebrating a $STONKS airdrop. Most of those are no doubt bots—or Twitter accounts like mine that have been taken over by bots—but the bots proliferate because hackers know they can scam some people into handing over their bank account information or crypto wallet keys. Who, I ask myself, could be so credulous that they would see a picture of an upward-trending chart and put their faith in the notion that the market will make it work out just fine?
And then I realize: That’s us.