Twitter Hacked—Insiders Compromise Social Media Giant - Ciphertrace

On July 15, Twitter accounts for multiple high-profile cryptocurrencyA cryptocurrency (or crypto currency) is a digital asset des... More exchanges, public figures, and various entities were taken over by hackers promoting a BitcoinThe term "Bitcoin" can either refer to Bitcoin the network, ... More Doubler scam.

Shortly after 12pm PST, the Twitter accounts for AngeloBTC, Binance, Binance CEO Changpeng Zhao, CoinDesk, Coinbase, Gemini, Kucoin, and Tron Founder Justin Sun were taken over by most likely the same individual. Each of these accounts posted or retweeted the following:

“We have partnered with CryptoForHealth and are giving back 5000 BTC to the community.

See more here : http://cryptoforhealth.com”

Figures 1a and 1b: Example tweets from Bitfinex and Kukoin accounts.

These tweets have since been deleted and the cryptoforhealth website is now offline.

The website claims to be running a 5,000 BTC giveaway under the condition that if an individual sends 0.1 BTC to 20 BTC to the contribution addressIn a cryptocurrency context, an address is a cryptographic k... More, then CryptoForHealth will send twice the amount back. This is a typical Bitcoin Doubler scam, which results in the sender losing all of their Bitcoin. The address that is given by the scammers is bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh.

After the initial wave of Tweets, multiple other accounts were compromised including Jeff Bezos, Uber, Barack Obama, Joe Biden, and Elon Musk. These compromised accounts reference the Bitcoin Doubler Scam directly and included the BTC deposit address rather than redirecting victims to a website. As a result, the amount of Bitcoin in the provided address started to skyrocket.

Figures 2a and 2b: Screen shots from Democratic Presidential Candidate Joe Biden and Israeli Prime Minister Benjamin Netanyahu’s compromised twitter accounts promoting the scam.

The full list of addresses can be found below.

The majority of bitcoin went to bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh. As of 6:30 pm PST, this address had received 12.86204920 BTC and had sent all but 0.00859729 BTC. bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh, totally roughly $125,000 USD from over 430 victims at the time of this report:

1Ai52Uw6usjhpcDrwSmkUvjuqLpcznUuyF (7.40 BTC)

bc1qjjcc4ylp9yfn04m34wzlscp5q2rpyu89rmqslf (4.29 BTC)

bc1q5w26m2g5ja4jzplpj7p93enf6r4yjcnc5yea6s (0.76 BTC)

bc1q6l86kvwg4kr75w5ac9j30dn8363kcr8rde35dn (0.54 BTC)

bc1q4089hk7vu47qlwcf4tjthwgw8l7yz72hpkg3k4 (0.54 BTC)

Figure 3: An example of the hacker consolidating multiple UTXOs (all representing payments from different victims) into new BTC addresses.

The funds have not attempted to move to any cryptocurrency exchanges or other fiat off-ramps at the time of this report. CipherTrace will continue to monitor the hacker’s address for movement.

Cause of the Twitter Breach

Twitter Support believes the cause of the breach was “a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.” Twitter is looking into what other malicious activity the hackers may have conducted or information they may have accessed. Twitter claims to have taken significant steps to limit access to internal systems while they continue their investigation and will continue to update the public on their findings.

https://twitter.com/TwitterSupport/status/1283518038445223936

Crypto Users Grow More Diligent About Scams

While the exploitation of trust markers like multiple verified twitter accountsTwitter may verify accounts that it determines to be an acco... More was a smart move to fool users into thinking the Bitcoin Doubler scam was legitimate, the amount the hacker pocketed was minuscule when compared to the vast reach of the compromised accounts. This could be attributed to two main factors: proper AML practices at exchanges prevented new users from sending their coins to the hackers while the scam was at its peak, and crypto users are becoming more informed when it comes to common crypto scams.

It is likely that most victims of the scam already had accounts open at crypto exchanges because it would be nearly impossible to open an account at a reputable exchange and deposit and transfer funds in one day, even through ACH transfers.  Exchanges where users could open accounts at more quickly would typically request fiat deposits in wires, not ACH. These accounts would not be able to trade any crypto until the wires clear, which could take up to three days.  This likely prevented the hacker from exploiting those that were not already holding cryptocurrency or maintaining accounts at exchanges.

The limited amount of funds actually received by the hacker, despite compromising prominent crypto-related twitter accounts, also demonstrates crypto users’ ability to recognize common scams. Bitcoin Doubler scams are commonly propagated over social media by criminals. The violation of multiple trusted crypto-related accounts is a new twist, but many weren’t falling for it. In total the Twitter hacker was able to steal $125,000 USD from over 430 victims—most of which came after many high profile, non-crypto related accounts were compromised. It is likely that these users were less familiar with the prominence of similar crypto scams.

List of Hacked Accounts

Crypto Related Accounts:

• Binance
• Bitfinex
• CashApp
• Charlie Lee
• CZ
• Gate.io
• Gemini
• Justin Sun
• Kucoin
• Ripple
• Tron

Non-crypto Related Accounts:

• Apple
• Barack Obama
• Benjamin Netanyahu
• Bill Gates
• Elon Musk
• Jeff Bezos
• Joe Biden
• Kanye West
• Kim Kardashian West
• Mike Bloomberg
• Twitter Support
• Uber

*Twitter Hack Update—Scammed Funds Traced to Exchanges and Mixing Services