There was little immediate evidence for who conducted the attack. One of the most obvious culprits for an attack of this scale, North Korea, has been documented to have used Bitcoin extensively in the past. But its nature — “effective, but also amateurish” in the words of one senior American intelligence official — led American intelligence agencies to an initial assessment that this was most likely the work of an individual hacker, not a state.
Had it been Russia, China, North Korea or Iran, said the official, who would not speak on the record because they were not authorized to discuss an intelligence investigation, the effort would have probably focused on trying to trigger stock market havoc, or perhaps the issuance of political pronouncements in the name of Mr. Biden or other targets.
Officials also noted that the breach did not affect the account of one of the most watched and powerful users of Twitter: President Trump. Mr. Trump’s account is under a special kind of lock-and-key after past incidents, the official noted.
Security experts said that the wide-ranging attacks hinted that the problem was caused by a security flaw in Twitter’s service, not by lax security measures used by the people who were targeted. Alex Stamos, director of the Stanford Internet Observatory and the former chief security officer at Facebook, said one of the leading theories among researchers was that the hacker, or hackers, had obtained the encryption keys to the system, which enabled them to essentially imitate or steal the “tokens” that grant access to individual accounts.
There was a range of other theories, he said, but all suggested that the attackers got inside Twitter’s system, rather than stealing the passwords of individual users. One American official called that a “scary possibility” in a world where national leaders, sometimes imitating Mr. Trump’s techniques, have adopted Twitter as a primary source of unfiltered communications.
“It could have been much worse. We got lucky that this is what they decided to do with their power,” Mr. Stamos said.
The hacker or hackers made some rookie errors. Mr. Stamos said that because the attackers had sent identical messages from the compromised accounts, they were easy to detect and delete. The decision to ask for money through Bitcoin, he added, showed that the attackers were most likely unable or unwilling to launder money or use their access for a more sophisticated scam.