When Twitter hired Peiter "Mudge" Zatko as its head of security in November 2020, the company was still bruised from the July 2020 account-takeover stunt: a small group of attackers, led by a teenager, had hijacked the verified accounts of Barack Obama, Joe Biden, Elon Musk and Apple to push a Bitcoin scam. The board wanted a serious security person, and on paper they got the most serious one available. Fourteen months later, in January 2022, Twitter fired him.
Six months later, working with the lawyers at Whistleblower Aid, he filed an 84-page complaint with the SEC, FTC and Department of Justice and then sat in front of the Senate Judiciary Committee under oath. He described a company that did not know what data it had, did not know who could touch it, and could not keep foreign intelligence services out of its own engineering systems.
"When an influential media platform can be compromised by teenagers, thieves and spies, this is a big deal for all of us."
Peiter "Mudge" Zatko @ Senate Judiciary Committee, opening statement, 13 September 2022
From L0pht to DARPA to Twitter
Mudge was not a corporate security hire who happened to find something. He was a public face of American hacking before most Twitter engineers had finished school. As a member of the Boston collective L0pht and later Cult of the Dead Cow, he sat at a Senate Governmental Affairs Committee hearing in May 1998 and told the senators that the seven of them could take down the entire internet in roughly half an hour. The line is still quoted because the routing weaknesses behind it were real.

Peiter "Mudge" Zatko at DARPA, 10 February 2011
© Monica King / U.S. Department of Defense (public domain)
Between 2010 and 2013 he ran programmes at DARPA as a program manager in the newly formed Information Innovation Office, where he launched Cyber Fast Track, a small-grant programme that pushed money to independent security researchers without the usual federal contracting overhead. He then spent a stretch at Google's Advanced Technology and Projects group, then at Stripe, before Twitter's then-CEO Jack Dorsey personally recruited him after the July 2020 account takeover.
That biography matters because Twitter did not hire a compliance manager who mistook bad systems for fraud. They hired the person other security people quote, and he found the platform in worse shape than he had expected. He has since told Senate investigators that what he saw inside the company convinced him it was a national-security problem and not just a corporate one.
The July 2022 disclosure
The complaint Whistleblower Aid filed in July 2022 ran to roughly 200 pages with exhibits. It went to the SEC, the FTC and the Department of Justice, and it became public a month later when CNN and the Washington Post obtained a redacted copy. The disclosure took aim at three things at once: the company's compliance with a 2011 FTC consent order on user data protection, its statements to investors about how it counted users and bots, and its internal access controls.

The access control claim was the one that had security professionals choking on their coffee. Zatko told regulators that roughly half of Twitter's employees were engineers, and that almost any one of them could push code to live production and read or modify the data of any user on the platform. There was no meaningful staging environment and no segregated development system; production was where engineers debugged. In most regulated industries an auditor would write this up as a control failure; at Twitter it was the daily build process.
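The point underneath the allegation is that nobody could enumerate who had production privileges, partly because access accrues through nested group membership rather than being granted explicitly. The script below is an added illustration of the check a practitioner would want, not code from the complaint or from Twitter's own tooling: it resolves transitive group membership into effective permissions over a constructed directory and flags every principal who can both deploy to production and write user data. The directory, group names and permission strings are all hypothetical.

```python
"""
Added example: effective-access review over a constructed directory.
Not Twitter's tooling and not from the whistleblower complaint; the
principals, groups and permission names below are made up for illustration.
"""
from collections import deque

# Constructed directory: principal -> groups the principal is directly in.
MEMBERSHIPS = {
    "alice": ["eng-core"],
    "bob": ["eng-data"],
    "carol": ["eng-core", "sre"],
    "dave": ["support-tier1"],
    "erin": ["legal"],
    "frank": ["eng-intern"],  # intern: no direct production grant
}

# Nested groups: group -> parent groups whose grants it inherits.
GROUP_PARENTS = {
    "eng-core": ["engineering"],
    "eng-data": ["engineering"],
    "eng-intern": ["eng-core"],  # interns inherit everything eng-core has
    "sre": ["engineering"],
    "support-tier1": [],
    "legal": [],
    "engineering": [],
}

# Grants: group -> permissions attached directly to that group.
GRANTS = {
    "engineering": {"prod:deploy", "prod:userdata:read"},
    "eng-data": {"prod:userdata:write"},
    "sre": {"prod:userdata:write", "prod:ssh"},
    "support-tier1": {"prod:userdata:read"},
    "legal": set(),
}

# The combination an access review should refuse to let one person hold:
# shipping code to production AND altering production user data.
TOXIC = {"prod:deploy", "prod:userdata:write"}


def effective_groups(principal):
    """Transitive closure of a principal's groups through nested groups."""
    seen = set()
    queue = deque(MEMBERSHIPS.get(principal, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(GROUP_PARENTS.get(group, []))
    return seen


def effective_permissions(principal):
    """Union of the grants on every group the principal is effectively in."""
    perms = set()
    for group in effective_groups(principal):
        perms |= GRANTS.get(group, set())
    return perms


def access_review():
    """Per-principal effective permissions plus a toxic-combination flag."""
    return {
        p: {"perms": effective_permissions(p),
            "toxic": TOXIC <= effective_permissions(p)}
        for p in MEMBERSHIPS
    }


def summary():
    """Headline numbers a board or regulator would actually ask for."""
    review = access_review()
    with_prod = [p for p, v in review.items()
                 if any(x.startswith("prod:") for x in v["perms"])]
    toxic = sorted(p for p, v in review.items() if v["toxic"])
    return {
        "staff": len(review),
        "with_prod_access": len(with_prod),
        "toxic_combo": len(toxic),
        "toxic_principals": toxic,
    }


if __name__ == "__main__":
    for principal, row in access_review().items():
        flag = "TOXIC" if row["toxic"] else ""
        print(f"{principal:8} {sorted(row['perms'])} {flag}")
    print(summary())
```

Running it shows the intern `frank` holding `prod:deploy` through two levels of inheritance without ever appearing in a production group, which is exactly the kind of privilege management cannot see by reading the group list. Real directories (LDAP, Entra ID, Okta, cloud IAM) need the same closure computed from their own membership and policy exports before the headcount with production access means anything.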
The complaint also alleged that executives had repeatedly misled the company's own board about how often Twitter's defences had failed, and that internal counts of bot accounts were not what the SEC filings implied. Twitter's response at the time was that Zatko was a disgruntled ex-executive whose narrative was riddled with inaccuracies. That defence has a long history; Theranos said something similar about Tyler Shultz and Erika Cheung before the indictment.
Sworn before the Senate
On 13 September 2022 Zatko sat in front of the Senate Judiciary Committee and read a written statement under oath. The opening line set the temperature for the rest of the hearing.
"I am here today because Twitter's leadership is misleading the public, legislators, regulators and even its own board of directors. (...) It doesn't matter who has the keys if there are no locks."
Peiter "Mudge" Zatko @ Senate Judiciary Committee, 13 September 2022

Senators on both sides of the aisle treated him as credible, which was unusual for that committee that year. Chuck Grassley walked through the FTC consent decree allegations point by point. Richard Blumenthal pressed on national security. Tom Cotton asked whether foreign intelligence services already had people inside the company.
"If you are not placing foreign agents inside Twitter, you're most likely not doing your job as a foreign intelligence agency."
Peiter "Mudge" Zatko @ Senate Judiciary Committee, 13 September 2022
He named at least one specific case: the FBI had warned Twitter's security team that an employee was acting as an agent of a foreign government. He raised the alarm internally and, by his account, was fired for it. By the time the hearing ended, several senators were calling for a dedicated privacy and security regulator. The hearing landed harder than most whistleblower testimony because the charge was not abstract harm: it was that a foreign intelligence officer might have a Twitter engineering login.
Caught in the Musk acquisition
The disclosure became public on 23 August 2022, in the middle of Elon Musk's lawsuit to walk away from his $44 billion offer to buy the company. Musk's legal team seized on the complaint within days. They argued in the Delaware Court of Chancery that Zatko's claims amounted to a "material adverse effect" that voided the deal, subpoenaed him for a deposition, and questioned him on 9 September 2022 about bot counts and security practices.
The Chancellor allowed the new allegations to be added to Musk's counterclaims but refused to delay the October trial for them. On 27 October 2022 Musk closed the acquisition at the agreed price, fired the executives Zatko had named, and rebranded the company as X the following summer. What did not become public until later was that Twitter had already paid Zatko a confidential separation settlement of roughly $7 million in June 2022, weeks before he filed his complaint, on terms that left him free to speak to Congress and to federal regulators. The Wall Street Journal pieced that detail together that September from the limited disclosures the parties were willing to make.
The FTC follow-through
The FTC had been watching Twitter under the modified consent order that came out of a $150 million privacy settlement in May 2022. In March 2023 it became public that the agency was investigating whether the post-Musk company was complying with that order. The investigation ran for more than a year.
In February 2024, FTC Chair Lina Khan sent the House Judiciary Committee a 50-page letter that became the most concrete public read on what had actually happened. The headline finding was that Musk had ordered staff to give an outside writer working on the "Twitter Files" series unrestricted access, telling them to grant the person "full access to everything at Twitter, no limits at all". Long-tenured information-security employees blocked the order on consent-decree grounds and routed the writers through narrower controls instead. The FTC concluded that no violation of the order had ultimately occurred, largely because those employees intervened; it was close, and the letter documented exactly the kind of internal pushback Zatko had said was missing.
Where Mudge ended up
Whistleblowers in the security and privacy domain rarely get to keep working in their field; the usual aftermath is exile, as with Edward Snowden, or a long stretch of consulting away from the spotlight. Zatko has had a different aftermath. In September 2023 he joined the Cybersecurity and Infrastructure Security Agency as a part-time senior technical adviser to then-director Jen Easterly, working on the agency's secure-by-design programme that pushes software vendors to ship products that are not pre-broken on arrival.
On 7 August 2024 he announced his return to DARPA as the agency's Chief Information Officer, the same place where he had run programmes in the Information Innovation Office more than a decade earlier. He posted that he hoped to "make an even bigger dent in the universe this second time around". The trajectory is hard to find a parallel for: Senate witness in 1998 warning lawmakers about everyone else's bad code, Senate witness in 2022 warning lawmakers about his own employer's bad code, federal CIO two years after that.
The reason this case still matters for anyone running a whistleblowing programme is that the failure modes Zatko described are the canonical ones. A platform of any size collects sensitive data faster than its access controls can keep up. Engineers acquire production privileges that nobody in management can fully enumerate. Boards and regulators rely on the company's own security attestations, which are written by the same people whose budget depends on the answer being reassuring. The point of an internal channel is to produce the warning a year before someone has to fly to Washington with their lawyer.