But obviously Twitter employees are main suspects
It's easier to prove that someone else did it than to prove that you didn't do it. A smart black-hat Twitter employee would set it up so that it frames some other user for the act they provided, using the plausible deniability of, "my account was compromised," wherein even in the event of any financial ramifications, they get to go mostly scot-free with the loot they were able to acquire.