A Belgian hacker redirected the links in Trump’s old tweets

In April 2012, years before launching his presidential campaign, Donald Trump posted a seemingly anodyne tweet. “I’ll be speaking tomorrow at the San Jose Convention Center (CA) for the first- ever National Achievers Congress,” the then-reality TV star wrote, alongside a link to the event’s website, nac2012.com. On the scale of aggressive self-promotion that Trump has displayed online in recent years, this tweet would barely register. Last month, though, it suddenly became a lot more interesting.

The text of Trump’s original tweet is still there today, but it now includes an amateur music video, as well. Titled “Trump’s Russian Congress,” the YouTube clip satirizes the president’s close ties to Russia and his alleged sexual exploits with Russian women. A man sings about Trump’s love for Russia over carnival music, as Photoshopped images of Trump and Vladimir Putin dance under a rain of money.

Trump would of course never tweet this video — and he didn’t. Days after the inauguration, a Belgian hacker who goes by the name Inti De Ceukelaire simply bought the nac2012.com domain and redirected it to the YouTube video, which he made himself. Since then, he’s purchased three other expired URLs that Trump has tweeted over the years, and others have done the same. Considering Trump’s penchant for tweeting links to dubious news sites, the hacker’s exploit raises questions about how easily Trump’s Twitter history could be manipulated over the coming four years.

In an email to The Verge, Inti De Ceukelaire said that he didn’t want to make a political statement by hijacking Trump’s old tweets; he was just upset after Trump described Brussels as a “hellhole” during last year’s Republican primary campaign. (The hijacked tweet was first reported by Het Laatste Nieuws, a Belgian newspaper.)

“I believe in democracy and even though I don’t agree with Trump, I accept the election results,” Inti De Ceukelaire said. “But even the president of the US has no right to insult our capital. That’s why it was time to make a little bit fun of him — just so we’re even.”

Inti De Ceukelaire says he hijacked the April 2012 post by extracting all of the links from an online archive of Trump’s tweets. He then wrote a “quick and dirty” program to check whether any of the links directed to a dead site, and manually checked whether any of the domains were available for sale. After purchasing the nac2012.com domain, he redirected it to his YouTube video and used Twitter’s card validator tool to re-scan the URL — effectively updating Trump’s tweet with the video embed.

Since then, Inti De Ceukelaire has purchased five other domains, and he redirected one — famedays.com — to a YouTube video about a convention for My Little Pony fans. Trump had included the link in a 2013 retweet of a Twitter user who was urging people to vote for Trump on the Fame Days website. (A Facebook page for Fame Days, which now appears to be defunct, describes the company as a “social media environment” where users can rank “the most popular individuals with a large following.”)

“That sounds cool!!!” Trump wrote in the tweet. Inti De Ceukelaire says he wasn’t sure of the tweet’s context after he bought the Fame Days URL, but he decided to redirect it to the My Little Pony video because “I just picked something which is not that cool.”

Domain squatters typically buy up URLs for financial profit or to troll others online, though some have used the technique to make political statements. As The Verge reported this week, a 22-year-old in France recently bought domains associated with Breitbart News in an attempt to limit the far-right website’s influence over the French elections. (It was previously reported that Breitbart was planning to launch a French site by January.)

Inti De Ceukelaire’s program revealed that many of Trump’s tweets could be vulnerable to similar tactics. Some dead links he tweeted have already been reclaimed, though apparently not for political purposes. A website for Linda McMahon’s 2012 senate campaign, which Trump tweeted in October of that year, now hosts a blog called “Linda’s Weight Training Site.” A bit.ly link that Trump described in 2013 as a “must read article” about former Arizona Sheriff Joe Arpaio now leads to times247.com — a site that purports to cover “latest trends in home entertainment and home automation.” (The site has been dormant on Facebook since 2015.) Inti De Ceukelaire says that he’s uncovered “dozens” of dead links that Trump has tweeted in the past, some of which are set to expire soon.

Trump has a history of publicizing conspiracy theories and sharing articles from obscure sources — which, unlike established media websites, are more likely to go defunct over time, Inti De Ceukelaire says. A 2014 tweet, for example, linked to what appears to have been an article on conservativenews.me, which was once a conservative blog and one of the unclaimed domains that the hacker purchased.

As president, that kind of behavior could pose risks. Using Inti De Ceukelaire’s approach, someone could take over a URL that Trump once tweeted and change it to spread malware. Inti De Ceukelaire acknowledges that it’s unlikely that many people would go digging through Trump’s old tweets, though he says it would only take a few retweets for the malicious link to spread. There’s also the risk that someone could seize a domain and change it to retroactively alter the meaning of Trump’s words.

Inti De Ceukelaire says he has no plans to hijack other tweets that Trump has posted, saying he simply wanted to bring attention to the issue. (He says he does bug bounty hunting for major web companies in his spare time.) A developer who says they were “inspired” by the hacker’s story recently published a tool on Github that allows Twitter users to check whether their archives contain any dead links. Still, Inti De Ceukelaire says there are “many” URLs in Trump’s timeline that could expire within the next four years, and he’s concerned that others may exploit them for more malicious purposes.

“I just wanted to prove that it’s possible and dangerous,” he said.