John McAfee plotted over unencrypted Twitter DMs, alleges DOJ

Self-described “leading digital security expert” John McAfee appears to have made the age-old mistake of believing his Twitter direct messages were private. 

Currently in a Spanish prison, awaiting extradition to the U.S. on charges of tax evasion, the renowned cryptocurrency shill was charged Friday by the U.S. Department of Justice with the additional charges of fraud and money laundering. Working against the noted bath salts fan is the fact that, as detailed in the accompanying complaint, the FBI got ahold of McAfee’s unencrypted Twitter DMs in which he discussed, in detail, his various schemes. 

At the heart of Friday’s charges are two allegations. First, that McAfee engaged in multiple pump and dump schemes to drive up the price of specific altcoins and cryptocurrency tokens — without first revealing that he owned them, and in some cases outright denying that he did — in order to sell  at an inflated price. Second, McAfee is accused of promoting initial coin offerings without disclosing that he was being paid to do so by the companies in question. 

(Something similar tripped up Steven Seagal in Feb. of 2020.)

According to the DOJ complaint, McAfee’s preferred pumping method of choice was Twitter – which brings us back to his direct messages. 

Unlike, say, with the messaging app Signal, messages sent via Twitter direct message are not end-to-end encrypted. This means that, as we saw with 2020’s Twitter hack, hackers, Twitter employees, and law enforcement officers with a warrant to do so can all access the content of those messages. 

Which, if you’re the “world’s leading security expert” like McAfee and using Twitter as an integral part of your (allegedly) criminal scheme, might be worth keeping in mind. And yet. 

The complaint relies on, at multiple points, McAfee’s own words — as etched in “private direct messages (‘DMs’) sent to or from MCAFEE’s verified Twitter account” — to build its case against him. 

From my review of DM communications recovered from the Official McAfee Twitter  Account, I have learned that on or about December 17, 2017, the founder of Issuer-1 sent MCAFEE a DM asking MCAFEE to promote ICO-1 so that ICO-1 was not lost ‘in the ocean of ICOs[.]’ MCAFEE responded that he would agree to promote ICO-1 by ‘tweet[ing] [a] reasonable numbers of tweets, which have a huge impact on the Cryptocurrency market’ in  exchange for substantial compensation.   

Many of McAfee’s tweets referenced in the complaint are still visible on Twitter. 

While McAfee’s apparent willingness to blithely chat about (alleged) crime over direct message, combined with his self-purported security prowess, may seem like a comical contradiction, it points at a larger problem. Namely, the security of Twitter direct messages. 

In July, following the major Twitter hack that saw the accounts of Elon Musk, Joe Biden, and Barack Obama pushing bitcoin scams, the Electronic Frontier Foundation laid out why Twitter’s failure to end-to-end encrypt direct messages is such a monumental problem for all kinds of Twitter users — not just would-be crypto kings.  

SEE ALSO: Someone paid $2.6 million in fees to move $134 worth of crypto and oops

“Twitter direct messages (or DMs), some of the most sensitive user data on the platform, are vulnerable to this week’s kind of internal compromise,” wrote the EFF. “That’s because they are not end-to-end encrypted, so Twitter itself has access to them. That means Twitter can hand them over in response to law enforcement requests, they can be leaked, and — in the case of this week’s attack — internal access can be abused by malicious hackers and Twitter employees themselves.”

The “world’s leading security expert,” it would seem, could learn a thing or two from the EFF blog.