Twitter Hackers Leave Trail With Bitcoin Wallet Money Shifts
(Bloomberg) -- Whoever is behind the security incident involving some of the most prominent business and political leaders on Twitter -- a scam that raised about $120,000 worth of Bitcoin -- is shifting the spoils around online accounts, creating the beginnings of a digital paper trail that investigators are scouring for clues.
Hackers gained access to the Twitter accounts of executives including Amazon.com Inc. Chief Executive Officer Jeff Bezos and Tesla Inc. Founder Elon Musk, asking users to direct Bitcoin to one of three different accounts, said Tom Robinson, co-founder of Elliptic, which helps law-enforcement agencies track Bitcoin-related crime.
Bitcoin offers users a degree of anonymity, making it a popular vehicle for criminal behavior. But investigators can glean valuable information in cases where the cryptocurrency is moved to accounts, or wallets, that have carried out transactions with certain U.S. exchanges or services. That’s because U.S. exchanges typically take pains to verify user identity.
“Sharing this information fast with the authorities worldwide and with companies from the ecosystem, will help us stop the stolen funds and find more info about the attackers,” said Itsik Levy, co-founder of Whitestream, a Bitcoin researcher.
The attackers received just over 400 payments, valued at $121,000, according to Elliptic. The largest payment came from a Japan-based exchange, and totaled about $42,000.
Soon after they were initially collected in the three accounts, the funds started moving around. About $65,000 of the $120,000 quickly moved to other Bitcoin addresses, one of which has been active in the past and has transacted with a U.S. exchange, Robinson said.
Of the amount moved, about $60,000 was directed to a Bitcoin address that has been active since May, Whitestream said. That address had interacted with Coinbase Inc., the largest U.S. crypto exchange, as well as payment processors BitPay and CoinPayments, Whitestream said.
BitPay confirmed that a small purchase was made in May by one of the hacker addresses. “Available details are being shared with appropriate parties including law enforcement,” a spokesperson for BitPay said. Coinbase declined to comment, and CoinPayments didn’t return requests for comment.
The money that was initially collected in three Bitcoin addresses has now been moved to 12 new addresses, according to Elliptic.
The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued an advisory Thursday saying crypto exchanges and other financial institutions should report any suspicious activities related to the hack as soon as possible. New York Governor Andrew Cuomo said the New York Department of Financial Services will investigate the incident, and, according to Reuters, the Federal Bureau of Investigation is also on the case.
Discovering the perpetrators could still take time and prove challenging.
“It depends on what they do next, it depends on how they try to cash out,” Robinson said. If they try to use a regulated exchange in the U.S., finding them will be easy. But if they try to cash out through one of the hundreds of small, unregulated exchanges, that could be harder, he said.
“They are obviously sophisticated in that they didn’t send these funds directly to an exchange to cash out,” Robinson said.
Cyber researchers investigating the hack surmised that those behind the attack were motivated more by notoriety and bragging rights than by financial gains. Had they been looking for a quick profit, they could have made millions of dollars with ease, said Roi Carthy, CEO of the Tel Aviv-based security research firm Hudson Rock.
“Why go through all of the effort of stealing these credentials, just to make a few bucks,” Carthy said. “If they really wanted to profit, they could have shorted Tesla and used access to (Elon) Musk’s account to torpedo the stock price. There are so many better ways to scam crypto than what they did.”
About a quarter of the funds the hackers acquired came from accounts tied to North America, and more than 50% from accounts in Asia, according to Elliptic.
While Bitcoin is supposed to be difficult to track, a number of tracing firms have sprung up to help law enforcement. Exchanges and other providers have begun collecting more information on their customers. So law-enforcement agencies have been able to track stolen Bitcoins many times in the past.
Aside from prominent political and business leaders, the attacks also affected many crypto companies like the Gemini exchange. The hacked accounts promised to double the amount of money sent to their Bitcoin address.
Coinbase has begun blocking its users’ payments sent to the hackers’ accounts. “We are essentially blacklisting addresses as we see them posted in the scam tweets,” said Elliott Suthers, a spokesman for Coinbase.
Gemini also blocked the attackers’ accounts, according to a Gemini spokesperson.
Another reason Bitcoin is an attractive target for scammers is that it can be used worldwide. While Bitcoin’s price dropped at the beginning of the Covid-19 pandemic, it has since recovered, and is up roughly 30% since the beginning of the year.
©2020 Bloomberg L.P.