skip to Main Content

Twitter Hackers Arrested—Blockchain Analysis Traces the Bitcoin to Teenage Hackers


Three Charged for Role in Twitter Hack

On July 31, three individuals were charged for their alleged roles in the July 15 Twitter hack— Mason Sheppard, aka “Chaewon,” 19, from the United Kingdom; Nima Fazeli, aka “Rolex,” 22, from Florida; and a juvenile whose identity is sealed.

According to San Francisco FBI Special Agent in Charge John F. Bennett, “Upon opening an investigation into this attack, our investigators worked quickly to determine who was responsible and to locate those individuals.” Special Agent Bennett adds, “While investigations into cyber breaches can sometimes take years, our investigators were able to bring these hackers into custody in a matter of weeks.”

A large contributor to this speed is blockchain analytics. By attempting to cash out at regulated exchanges, blockchain analysis tools like CipherTrace Inspector were able to assist investigators in determining which accounts at which exchanges belonged to the hackers. Investigators were then able to subpoenas these exchanges for the know-your-customer (KYC) data associated with the accounts—such as ID, birthday and address—revealing their true identities.



Scammed Funds Continue to Move to P2P Marketplaces

On 7/20/2020 at 10:06 PM PST, 0.2 BTC was sent to a peer-to-peer marketplace in TX c5422d2da844c89db9ae620d9dfaf1ba07a92049378e8117b59d3715b206282c.

Twitter hacker moved funds to a P2P marketplace on the same peel chain used to deposit into a crypto casino


An overview of the Twitter hacker’s flow of funds as of 7/21/2020, highlighting the exchanges, P2P marketplaces, gambling sites, and mixing services the funds have passed through



Scammed Funds Traced to Exchanges, P2P Marketplaces, and Gambling Sites Over Weekend

Over the weekend, the twitter hacker continued to move funds to exchanges, peer-to-peer marketplaces, mixing services, and gambling sites in an attempt to cash out and further obfuscate funds. CipherTrace will continue to monitor the situation and update the effected entities that have received scammed funds.

On 7/18/2020 at 11:16 AM PST, 0.0959 BTC was sent to a peer-to-peer marketplace in TX f8e380571e3ff47241030b5f619d7b75504263614b322376443ecc44a3b0e7e3

Twitter hacker consolidated funds from three different addresses before depositing funds into to a peer-to-peer marketplace, exchange, and privacy enhanced WasabiWallet


On 7/18/2020 at 6:43 PM PST, 0.1 BTC moved to an India-based exchange via TX ff0c4d2146c205ea9a01cee11909f59fc5ac81b69e283f3b0ee95717ff8d87b1. The next morning, 7/19/2020 at 6:05 AM PST, 0.0858 BTC moved to a US-based exchange via TX 34e27f78f76656b743a2b18ba3c02a52c03a0b4b8d6924a22bb2bd8d5c749a8c.

Twitter hacker moved funds to exchanges based in the US and India

On 7/19/2020 at 12:23 PM PST, 0.15 BTC moved to a prominent US-based exchange via TX f5b27d96fd008fa78aa3e9d3ab3aa75552dab10a0aed97fc301750956ac8bf1e. Then, at 1:27 PM PST, 0.04 BTC was moved to an exchange based in Turkey via TX 1cf7ac2aa8e9a31183138a3c89369ec8af2d3142e0346911bbd3406b3da4d305

The Twitter hacker moved funds to exchanges based in the US and Turkey through peel chains


On 7/19/2020 at 12:39 PM PST, 0.018 BTC moved to a crypto gambling site via TX 7a662dcc4ed06007682ee8193f9119480841c1fd1329b74de9555c633b8e89ff.

The Twitter hacker moved funds to a crypto casino



CipherTrace has been following the flow of Bitcoin from the Twitter Hack and the corresponding Bitcoin scam that unfolded earlier this week. So far, there have been 11 outbound transactions from the scammer’s wallets. Theses transactions are listed below:













Ten of the outbound transactions have consolidated into new addresses, as seen in figure 1 below, which gives a full overview of the scammers laundering pattern. CipherTrace has also identified specific examples of transactions going into regulated exchanges and mixing services.

An overview of the Twitter hacker’s flow of funds as of 7/17/2020

The 11th outbound transaction from the hacker is shown below. This is mostly a consolidation of some of the smaller Bitcoin payments sent after most of the tweets had been removed and the majority of victims had already made deposits into the hacker’s addresses. These smaller amounts were most likely sent by users trying to dust the account in one form or another to monitor the flow of funds or tag the address with crypto-graffiti.

The 11th outbound transaction from the Twitter hacker took place July 16 at 4:25 PST.

Twitter Hacker Sends Victims’ Funds to Exchanges

So far, the majority of Bitcoin sits in unattributed addresses, which are most likely private wallets. However, CipherTrace has traced portions of the Bitcoin into exchanges and other wallet services, specifically those with privacy-enhanced features. The first movement into an attributed entity was to Binance via TX aad68b2a47c20f9bce6f8f846ae640453f1f8badbe16c96f5c6077e48e292903. CipherTrace believes this address to be an old Binance cold wallet, which hasn’t sent a transaction out since November 2018. CipherTrace believes that this transaction was not made to cash out funds, but rather to troll.

The Twitter Hacker sent funds into old Binance cold wallet to troll investigators

Additionally, there was a movement of Bitcoin into a Singapore-based cryptocurrency exchange via TX c0600d91c4ce931800e49b9dae54b6597a910092b3d4999244f5cc611c3ef0ae. It should be noted that prior to entering this exchange, the Bitcoin was commingled with multiple other UTXOs that did not originate from the scam. Additionally, 1 hop prior to the deposit into this exchange, the Bitcoin passed through address 1Bn9LVWBW9xhKH1dFA9uWMM46RTc5Qror5, which has nearly 10,000 transactions. CipherTrace could not with certainty determine what entity or individual that this address belongs to, however, it sent Bitcoin originating from the theft into the Singapore-based exchange. At a minimum, 1.08945 BTC originating from the theft entered the 1Bn9LVWBW9xhKH1dFA9uWMM46RTc5Qror5—roughly 8.5% of the scammed funds.

The hacker moved funds into a Singapore-based exchange

CipherTrace has notified the exchange in question of the deposited funds.

Twitter Hacker Sends Funds to Mixing Services

Yesterday, July 16, at 8:39 PM PST, there was a deposit of 2.89 Bitcoin (roughly 22.5% of the scammed funds) into Wasabi wallet that directly originated from the theft. Wasabi is a non-custodial, open-source wallet that utilizes CoinJoins for enhanced privacy. Mixing through a Wasabi wallet will begin when an hour has elapsed in queue, or 100 users have signed up for the round. While the wallet sets a target of roughly 12 hours for it to be on the blockchain, users can adjust the mining fee to attract a quicker confirmation. All Wasabi traffic is tunneled through TOR—the same encrypted network used to access the dark web.

Today, July 17, at 1:15 PM PST, the hacker moved 0.1022 BTC into ChipMixer. ChipMixer acts as a tool for users to obfuscate their funds by either splitting, merging, betting, or withdrawing “chips”—pre-funded tokens in the sum of the value of the originally deposited funds. 

Through proprietary clustering algorithms, CipherTrace is easily able to identify these mixing services.

The hacker deposited funds directly linked to the hack into a privacy enhanced Wasabi wallet


The hacker deposited funds directly linked to the hack into ChipMixer

Read Part 1 of our analysis here:

Back To Top