Twitter Hack Autopsy: Coinbase, Binance, BitGo May Know Hackers ID

Published at: July 16, 2020

The hackers who conducted the massive Twitter hijacking on July 15 do not appear to be sophisticated Bitcoin (BTC) users, as they left trails leading to and from major exchanges that presumably hold the keys to their identities.

Address bc1qxy summary. Source: Crystal Blockchain.

The Bitcoin address that the hackers used to solicit illicit donations is bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh. A couple of hours into the hack, the perpetrators started moving Bitcoin into other addresses. The Bitcoin trail they are leaving behind suggests that they are not terribly sophisticated when it comes to blockchain technology: they are reusing the same addresses, they are not sufficiently covering their tracks to and from exchanges, and they have barely used any mixing services.

According to the on-chain evidence we collected, several major exchanges should be in a position to know their identities.

Coinbase & BitMex

We will focus on an address one hop away from the original: 1Ai52Uw6usjhpcDrwSmkUvjuqLpcznUuyF. This address received 14.76 BTC, most of it on July 15; however, the address was first activated on May 3. Approximately half of the BTC came from bc1qxy, the rest from various other sources.

Coinbase & BitMex trail. Source: Crystal Blockchain.

Some of the incoming Bitcoin originated from the Coinbase and BitMex exchanges. Two addresses identified by Crystal Blockchain as belonging to Coinbase, 37p3PS1hKqzYhiVswbqN6nxbwyUoTZvf1E and 32V6a7K46pSb1XQNGdrmdE2wjgndVfJPet, are two hops away from 1Ai52, the same address that received direct transactions from the original hacker address.

What appears to be a 10 BTC Coinbase withdrawal occurred on the morning of July 15. A couple of hours later, 0.4 BTC originating from the presumed Coinbase withdrawal ended up in 1Ai52U. Since it is not a direct route, there is a possibility that the coins changed hands in the interval. However, this seems unlikely, considering there are no major entities in between.

What appears to be a BitMex withdrawal from 3BMEXqT4yGBFiVBeJFHF4Ak5PyhqTnidKP is three hops away from 1Ai52. On April 27, 14.18 BTC was moved from that address; by May 3, it had ended up in 1Ai52U.

BitGo, Luno, Binance

The hackers also used the address 1NWJd7BfJLJrEcfGiGfFqbhyaiusWwaZS1 to move the funds from the original address. That address has also received a small amount of BTC from 14kWuX37tgLdYZDSudHuch35NtuGgJqqnz, which, in turn, received BTC from several addresses that appear to belong to BitGo. The same transaction, 89a4ba84043d043d212216718dae4ac3b74e6d08fd4575edab532c1c188dd961, sent small amounts of BTC to several other exchanges, including Bittrex, Luno and Binance (BNB).

BitGo, Bittrex, Binance & Luno trail. Source: Crystal Blockchain.

Binance

On July 16, 0.0011 BTC ended up in 16ftSEQ4ctQFDtVZiUBusQUjRrGhM3JY, identified as one of Binance's deposit addresses. It is three hops away from the original hacker address, with no major entities in between.

Binance trail. Source: Crystal Blockchain.

Final observations

The hackers appear to be using a proxy, as their transactions originate from different parts of the world. The Bitcoin addresses generated by the hackers come in different formats: some use the newest Bech32 format, others the older P2PKH and P2SH formats. If our analysis is correct, then several major crypto entities should be able to identify the hackers.
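The hop counting used throughout this analysis (an exchange-attributed address "two hops" or "three hops" from 1Ai52, a Binance deposit "three hops" from the original address) and the address-format observation above can be reproduced on a small transaction graph. The following is an added illustration, not code from the article or from Crystal Blockchain; the graph is constructed, the exchange attributions are stand-in labels, and the helper names are my own.

```python
from collections import deque

# Constructed example graph, not the ledger data behind the article: each key is a
# sending address, each value the set of addresses it paid. Labels prefixed with an
# exchange name stand for addresses an analytics vendor has attributed to that exchange.
EDGES = {
    "hacker": {"A", "B"},                       # A plays the role of 1Ai52 (one hop away)
    "coinbase_1": {"X"}, "X": {"A"},            # exchange withdrawal two hops upstream of A
    "bitmex_1": {"Y"}, "Y": {"Z"}, "Z": {"A"},  # exchange withdrawal three hops upstream of A
    "B": {"C"}, "C": {"binance_dep"},           # deposit three hops downstream of hacker
}
EXCHANGES = ("coinbase", "bitmex", "binance")

def undirected(edges):
    """Adjacency map ignoring direction: tracing follows funds both upstream
    (where they came from) and downstream (where they went)."""
    adj = {}
    for src, dsts in edges.items():
        for dst in dsts:
            adj.setdefault(src, set()).add(dst)
            adj.setdefault(dst, set()).add(src)
    return adj

def hops_from(edges, source):
    """BFS hop count (number of transactions) from source to every reachable address."""
    adj = undirected(edges)
    dist, queue = {source: 0}, deque([source])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist

def exchange_touchpoints(edges, source, max_hops):
    """Exchange-attributed addresses within max_hops of source, with their distance:
    the counterparties whose KYC records an investigator would request."""
    return {addr: d for addr, d in hops_from(edges, source).items()
            if d <= max_hops and addr.split("_")[0] in EXCHANGES}

def address_format(addr):
    """Script type implied by a mainnet address prefix (the formats the article lists)."""
    if addr.startswith("bc1q"):
        return "Bech32 (P2WPKH/P2WSH)"
    if addr.startswith("1"):
        return "P2PKH"
    if addr.startswith("3"):
        return "P2SH"
    return "unknown"

if __name__ == "__main__":
    print(exchange_touchpoints(EDGES, "hacker", 4))
    print(address_format("bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"))
```

Exchange attribution in practice comes from a clustering database rather than a label in the address string; the graph walk itself is the same.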
