[2020-07-16] Major US Twitter accounts hacked in Bitcoin scam

[NotATether]

Twitter was hacked today, and a bunch of verified accounts are now posting tweets to a bitcoin scam. They all use the same address, bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh. So many accounts have been hacked to promote this scam, that someone registered the domain https://bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh.com/ to warn people not to send any bitcoin to that address.

These scammers already made at least $118K in bitcoin out of this heist.

Quoted article is below:

Billionaires Elon Musk, Jeff Bezos and Bill Gates are among several high-profile individuals targeted by hackers on Twitter in an apparent Bitcoin scam.

The official accounts of Barack Obama, Joe Biden and Kanye West also requested donations in the cryptocurrency.

"Everyone is asking me to give back, and now is the time," a tweet from Mr Gates's account said. "You send $1,000, I send you back $2,000."

The tweets were deleted just minutes after they first were posted.

All verified Twitter accounts marked with a blue tick have now been stopped from posting any tweets, and there are reports that password reset requests are also being denied.

Twitter said it was looking into the incident and would issue a statement soon.

Source: Major US Twitter accounts hacked in Bitcoin scam


Edit: as I discovered this has already been posted here let me add a few thoughts and speculations about this incident:

- They are posting the same single BTC address, which already has 363 transactions, so this indicates a very tiny percentage of people who read those tweets acted on these scam giveaways. This can also be attributed to the fact that most of the people reading those tweets don't even know what bitcoin means.
- Several of the transactions are small amounts up to $50 which is a good sign because this means people are testing this service, which obviously doesn't work. Though I also saw very large inputs being sent.
- One of the transactions sent to that address has strange vanity addresses sent as pay-to-many, with very small outputs.

Code:

1JustReadALL1111111111111114ptkoK
1TransactionoutputsAsTexta13AtQyk
1YouTakeRiskWhenUseBitcoin11cGozM
1BitcoinisTraceabLe1111111ZvyqNWW
1WhyNotMonero777777777777a14A99D8
1forYourTwitterGame111111112XNLpa

It looks like the person who created these transactions was trying to call out the scammers for using bitcoin to carry this out since it's traceable.


Here's more info I found about this incident: https://news.ycombinator.com/item?id=23851275. The doubler scam tweets are now deleted but I managed to find a copy of one tweeted by Elon Musk on Hacker News.

Feeling greatful, doubling all payments sent to my BTC address!

You send $1,000, I send back $2,000! Only doing this for the next 30 minutes.

The scammers knew their messages would be deleted by twitter quickly so they wrote 30 minutes to induce a psychological feeling in readers that this giveaway won't happen again. The average user isn't looking at every high-profile account at once so their goal must have been to put a single verified person's giveaway tweet in as many people's feeds as possible. The least people should have done to protect themselves from this is to realize that Musk and the other profiles who were hacked can't monitor and bounce back everyone's transactions in such a short period of time.

They're also getting a transaction once every 5-10 minutes. But some exchanges have already blacklisted the address in question, so you can no longer send money to that address. Poloniex and Coinbase are known to have done this, but silently, other exchanges must have blacklisted it without an announcement as well. Apparently there is a second address being posted in fake giveaways as well: https://www.blockchain.com/btc/address/bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l

I'm watching this unfold in real-time on twitter and it's so sad to see people succumbing to the temptation of a giveaway, sending 1 (whole!!!) BTC and then replying on their thread why it's not working. Check this thread for example: https://twitter.com/CashApp/status/1283522007695597570. Why would they do such a stupid thing?

This will be my last edit for now until more information is reported about this.

[hatshepsut93]

- One of the transactions sent to that address has strange vanity addresses sent as pay-to-many, with very small outputs.

Those aren't vanity addresses, they're way too long to be such, instead they are "bitcoin eater" addresses - it's just a text with a valid checksum, there's no known public and private key for it. The message is pretty clear - whomever sent it encourages scammers to use Monero because Bitcoin is traceable. I personally doubt that the scammers will be traced, with enough mixing it would be impossible, unless the scammers will make some mistake.

[amishmanish]

This is gotta be one of the most high profile recent cases of hackers using bitcoin in one way or another. I think Bitcoin will have a storm coming its way in the near future for two reasons. One for the obvious one that the hacked profiles are of the likes of Gates and Musk. Second that, what the hell were the hackers thinking. Jack Dorsey is on of the more prominent mainstream supporters of bitcoin. You go ahead and screw his site..??!!

LOL, This is quite funny though. You also cannot help but wonder that what kind of levers this incident will lead to being pulled in favor/ opposition of bitcoin now. I so wish that the message posted by the hackers had only been "We believe in bitcoin and you should too". What a bull-run that would have been? You pull of something so spectacular and then waste it away to get money which you won't be able to use anyway.

[bitcoinisbest]

This is just creating a very bad name for the crypto community as this will fumes many people and few government as well and those who are yet to decide to make it legal or not just gets this type of chances and then will say for the safety of the people they will not make it legal etc. This has been a massive hacking because it involved a lot of high profile people and also who knows it may further add few other names in coming times.

[figmentofmyass]

i got a text this morning from a nocoiner asking me my thoughts about "the big bitcoin hack" that happened yesterday. i lol'd.

i'm not thrilled about the optics, tbh. hacking obama and biden and other high profile accounts and associating that with a bitcoin scam? awesome news!

i'm just thankful they left trump's account alone. he would probably take it as a personal affront otherwise, and launch into some anti-crypto directive.

So many accounts have been hacked to promote this scam, that someone registered the domain https://bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh.com/ to warn people not to send any bitcoin to that address.

this saved ~zero people from getting scammed.

[Husires]

New report Twitter Hacker Is a BitMEX Trader, On-Chain Data Suggests

Headlines:

None of the roughly 13 bitcoin (BTC) acquired through Wednesday’s Twitter hack have been laundered, according to chain analysis conducted by Samourai Wallet.

“Confirmed, no signs of mixing. Majority of funds spent 1 or two hops and [are] now parked,” Samourai said in a Twitter DM to CoinDesk. “Really curious what their cash-out plan is.”

Samourai says that the hackers only used three Bitcoin addresses and did not send any money through the mixing service.

“Always a possibility the address is an unlabeled mixer, but I don’t see any hints, and one-time use addresses are very common in general and not a definitive pattern for mixers,” Ergo told CoinDesk.

Everything from the first address is being spent to this address 1Ai52Uw6usjhpcDrwSmkUvjuqLpcznUuyF, which looks to have been first funded via BitMex

[NotATether]

So we got some new information about this incident. Pulling info from the wikipedia article about this:

- The hacker(s) of all those accounts sold hacked twitter accounts on the OGusers forum. OGusers prohibits selling hacked accounts and they were since banned from there.
- A source claims that one hacker, with the discord alias "Kirk", pulled off the whole heist and he was originally selling hacked twitter accounts at OGusers as I said above, then switched to making several scam tweets.
- He had a customer who went by the twitter alias PlugWalkJoe, a SIM swapper who hacked Jack Dorsey's account last year. It seems he had nothing to do with this recent hack.
- Conflicting anonymous sources telling the media they paid an employee at twitter for access to admin tools, and others saying the employees were simply social-engineered.
- Not very relevant but in case you were wondering, Trump's account wasn't hacked because it had extra, unknown to the public security protections, which were put in place after that account was hacked back in 2017.

Meanwhile the world is chasing after this hacker, at least the one who collected the stolen bitcoin:

- FBI is making an investigation of this
- UK's National Cyber Security Centre is also making an investigation
- Justin Sun, the guy behind Tron, put a 1 million dollar bounty on their heads

With all these people chasing after him and how high profile this case is, it's not unreasonable to think that Kirk will be caught in a matter of days. Though there was a scam domain cryptoforhealth.com associated with this, it doesn't look like one person could have made it by himself. It's always possible there's a group of people behind this.

Let's combine this with information we already have:

The hacker *might* control the cryptoforhealth.com domain that was tweeted as part of the scam. That domain, which is now offline, doesn't have any clues or helpful information when I browsed the archived version.

None of the roughly 13 bitcoin (BTC) acquired through Wednesday’s Twitter hack have been laundered, according to chain analysis conducted by Samourai

Some of that money has now been sent to a Wasabi wallet. I think the transactions splitting up the money are the hackers dividing the money among themselves and one of them took his share to a Wasabi wallet. Maybe law enforcement won't be able to catch all the hackers, because these blockchain transactions aren't linked to any personal information but there's a high chance of getting the one who accessed the twitter tools.

[InvoKing]

Same content is already been discussed in another topic in this sub as mentioned by OP.
Used to report those kinds of infringement but since it contains additional informations i will not do it this time. I will just ask to lock this topic.

[NotATether]

InvoKing, I'll unlock it if newer significant developments happen to this story.