“I am giving back to the community,” began a tweet sent out by a number of high-profile Twitter users including Elon Musk, Jeff Bezos, Bill Gates and former Vice President Joe Biden. A hacker, or hackers, gained access to the accounts of a significant number of the platform’s highest-profile users. And with that access, they executed a fairly basic double-your-money scam: Whatever you paid these suddenly-generous billionaires in Bitcoin, they’d pay twice as much back within 30 minutes.
The Bitcoin wallet -- the address people were asked to send their money to -- listed in the tweets was soon receiving donations. Between 4PM ET, when the attack began, and 6PM ET, when Twitter locked down all verified accounts to deal with the crisis, more than $118,000 had been paid. That’s a small amount of cash given that Twitter believes the attack used social engineering to trick a high-level employee.
Tough day for us at Twitter. We all feel terrible this happened.
We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened.
💙 to our teammates working hard to make this right.
— jack (@jack) July 16, 2020
Bitcoin is a great currency to use for criminal transactions because it has no central bank or overarching authority to resolve disputes or combat fraud. One thing it does have in its favor, however, is that the ledger of all Bitcoin transactions is public and searchable. That means that, while difficult, it’s entirely possible to follow the money handed over from its source to its destination.
In this, as with every other major Bitcoin scam, it’s relatively easy to trace the source of any transaction back to an exchange. That’s the place where people turn their US dollars into Bitcoin (or back again), and it can then be investigated by authorities. This is how the Department of Justice tracked down the Russian agents involved in the 2016 elections.
For the individual, or individuals, who scored $118,000 as part of this audacious hack, what now? At the time of writing, all but $114 of that $118,000 haul has been transferred to other wallets. But those transactions are still just as visible as the original ones, so how can a person get that cash out of the system without getting a visit from the feds?
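The ledger-following the article describes is exactly what blockchain-analytics firms automate. The following is an added example, not code from the article or from Chainalysis: it builds a transaction graph from a small constructed ledger, walks outward from a known scam address hop by hop, reports where the funds reach a labelled exchange (the point an investigator would subpoena), and flags transactions that feed the collection address from addresses already tied to the scam. Every address, transaction id and amount below is invented, and the exchange label is an assumption an investigator would supply from their own attribution data.

```python
"""Taint tracing over a public ledger (added example; all data constructed)."""
from collections import defaultdict, deque

# Constructed ledger: (txid, from_addr, to_addr, amount in satoshi).
# Integer satoshi are used so that sums are exact; float BTC would drift.
LEDGER = [
    ("tx01", "victim_a",  "scam_main",  10_000_000),
    ("tx02", "victim_b",  "scam_main",   5_000_000),
    ("tx03", "victim_c",  "scam_alt1",  20_000_000),
    ("tx04", "scam_alt1", "scam_main",  20_000_000),  # second scam address feeds main
    ("tx05", "scam_main", "hop1",       30_000_000),
    ("tx06", "hop1",      "hop2",       25_000_000),
    ("tx07", "hop2",      "exchange_x", 25_000_000),  # reaches a labelled exchange
    ("tx08", "hop1",      "scam_main",   5_000_000),  # funds looping back into main
    ("tx09", "unrelated", "exchange_x", 100_000_000), # noise; not downstream of scam
]


def build_graph(ledger):
    """Outgoing adjacency: addr -> list of (txid, to_addr, sats)."""
    graph = defaultdict(list)
    for txid, src, dst, sats in ledger:
        graph[src].append((txid, dst, sats))
    return graph


def trace_outflows(ledger, seed, max_hops=10):
    """Breadth-first walk along outgoing edges from `seed`.

    Returns {address: hop_distance} for every address the funds reach,
    including the seed itself at hop 0. Visited addresses are not re-entered,
    so loops back to the seed do not cause infinite walks.
    """
    graph = build_graph(ledger)
    seen = {seed: 0}
    queue = deque([seed])
    while queue:
        addr = queue.popleft()
        if seen[addr] >= max_hops:
            continue
        for _txid, nxt, _sats in graph[addr]:
            if nxt not in seen:
                seen[nxt] = seen[addr] + 1
                queue.append(nxt)
    return seen


def balance_sats(ledger, addr):
    """Net balance of an address: received minus sent, in satoshi."""
    received = sum(s for _, src, dst, s in ledger if dst == addr)
    sent = sum(s for _, src, dst, s in ledger if src == addr)
    return received - sent


def cashout_points(trace, known_exchanges):
    """Downstream addresses attributed to exchanges, with their hop distance."""
    return sorted((a, h) for a, h in trace.items() if a in known_exchanges)


def self_funding_inputs(ledger, scam_addrs, trace):
    """Transactions paying into a scam address from an address that is itself
    scam-controlled or already downstream of the scam's outflows.

    These inflate apparent victim participation rather than representing
    genuine payments, so an investigator excludes them when counting victims.
    """
    tainted = set(scam_addrs) | set(trace)
    return sorted(
        txid for txid, src, dst, _ in ledger
        if dst in scam_addrs and src in tainted
    )


if __name__ == "__main__":
    trace = trace_outflows(LEDGER, "scam_main")
    print("reachable:", trace)
    print("net balance of scam_main (sats):", balance_sats(LEDGER, "scam_main"))
    print("cash-out points:", cashout_points(trace, {"exchange_x"}))
    print("self-funding txs:", self_funding_inputs(LEDGER, {"scam_main", "scam_alt1"}, trace))
```

Run as a script it prints the reachable set, the net balance, the exchange arrival and the two self-funding transactions. The walk is deliberately address-level rather than UTXO-level; a real tracer would also apply heuristics such as common-input clustering to group addresses under one owner, which is where most of the attribution effort in practice goes.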
[THREAD] Here's what we know so far about today’s #Twitterhack & #Bitcoinscam. As of now, the scam’s main BTC address (bc1...0wlh) received ~$120k in donations in 375 transactions. No funds have been cashed out at exchanges yet. pic.twitter.com/Jg9og3CFCz
— Chainalysis (@chainalysis) July 16, 2020
Dominik Schiener is co-founder of IOTA, a distributed ledger technology that enables feeless micropayments. He said that while people believe Bitcoin is anonymous, it is really, at best, pseudonymous, since you need a real identity to collect your money. Schiener said that the easiest way to launder Bitcoin is with a mixing service, known as a Bitcoin tumbler, which works in a similar way to traditional money laundering. Essentially, a tumbler takes coins from a variety of sources, both clean and dirty, and mixes them up. Then, it pays out small amounts -- the Bitcoin equivalent of small change -- until you’ve got clean cash.
4/ Unsurprisingly, the hackers used some of the funds from the different scam addresses to pay into their main collection address to make it seem like more people are participating and benefiting from the scam. pic.twitter.com/iT43Wasyum
— Chainalysis (@chainalysis) July 16, 2020
Unfortunately, that doesn’t necessarily mean that your ill-gotten gains are entirely free from their history. Schiener explained that, broadly, Bitcoin offers you security through obscurity -- the process of making things secure by making them hard to find, rather than anything else. That means that any well-resourced and committed investigator could keep delving until they find you.
It’s worth noting, too, that operators of tumbling services are in the sights of various law-enforcement agencies. In February, the Department of Justice arrested a 36-year-old Ohio resident who ran Helix, a service that’s said to have laundered $300 million worth of Bitcoin.
So even if you’ve tumbled your Bitcoin, you’re still left with the risk that, when you suddenly withdraw a large sum of cash from an exchange, you’ll be caught. “Exchanges are a single point of failure,” said Schiener, since cashing out instantly ties you to a real-world bank account, name and address.
That’s why it’s equally plausible that, once you’ve tumbled your money, you would then use it not to buy USD, but a different cryptocurrency: for instance, taking your ill-gotten gains to a foreign crypto exchange that doesn’t have the same reporting requirements. There, you can buy a more privacy-focused token, like Monero, which has an obfuscated public ledger. All you do then is wait for a while and buy goods and services with your Monero, or cash out when the coast is clear.
Another way of laundering ill-gotten cryptocurrency is with gambling, visiting any crypto casino and putting it all on red, or black. Obviously there’s still a lot of risk involved, but then if you’re already committing to a high-profile Twitter hack, you’re clearly feeling lucky. It helps, of course, if you have connections to a gambling site, exchange or any other institution that will be able to facilitate your laundering. Otherwise you’re just hitting and hoping that you’ll be able to walk away with your cash at the end of it.
All that work and only 100k, that's nothing compared to what they could've got with some options for a few juicy tweets
— Newmie (@newmaniums) July 15, 2020
Of course, hackers gaining what is known within industry circles as “God Mode” access to any online platform is troubling. More so because Twitter can be used to move markets, make massive political declarations and get people fired. A number of people believe that, because of the sophistication of the hack, the intended goal was not to earn as paltry a sum as $118,000.
The value of the access to Twitter’s highest-profile accounts, and the ability to tweet as these major business people, would be priceless in the right hands. Imagine announcing, with Jeff Bezos’ voice, some imagined initiative that would tank Amazon’s stock. Or using the content of their direct messages to blackmail or otherwise intimidate another high-profile figure.
Ray Walsh, at ProPrivacy, said that the hackers were “either highly unimaginative or extremely restrained.” Essentially, he believes that this scam may have been a ruse, “simply a distraction from the real hack.” Selling admin access to Twitter on the dark net, for instance, would have likely been far more valuable while attracting far less attention.
Sometimes hackers come across valuable access they don't know how to properly monetize. Just because they only made $100k from having access to almost every Twitter account doesn't necessarily mean there's a deeper hidden motive. Some hackers just aren't creative.
— MalwareTech (@MalwareTechBlog) July 16, 2020
We shouldn't discount the possibility that all the noise, sloppiness, and visibility was intentional
— Jackie!✨bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh (@find_evil) July 16, 2020
The alternative explanation, of course, is that the hacker was great at gaining access but did it more for the kudos than any financial gain. But whichever way, whoever committed the hack has offered a timely wake-up call to Twitter’s security team. With the 2020 elections racing toward us, it’s probably smart for the company to lock the stable door before any more horses bolt.