Performing an initial investigation to follow the funds related to the Twitter TWTR hack that happened on July 15 to Elon Musk, Jeff Bezos, Barack Obama, Joe Biden, Kanye West, Bill Gates and numerous other celebrities and executives of large technology companies, it is evident the many of those funds already hit reputable exchanges that might freeze the funds.
During the Twitter hack, the fraudsters, posing as celebrities, falsely informed users that they have decided to partner up with a mysterious organization called “CryptoForHealth” in order to ‘give back to their community.’ The scam has been covered extensively by several news outlets including Forbes contributors like Jasse Damiani, that reviewed the initial steps just after the hack.
As different celebrities were sharing and resharing those posts that turned out to be fraudulent, some of their followers decided to open up their own wallets and pay as well. More than $130,000 later, most of the posts had been removed, the website of CryptoForHealth shut down. Twitter stepped in to forbid some users to tweet, but it is high time to recover the funds to the victims or at least specify to which exchanges they have been sent.
Despite a common misperception as Bitcoin represents a pseudo-anonymous network, transactions performed on it are both visible to the general public and traceable. Addresses can be directly connected to particular exchanges.
As scammers are still moving funds between cryptocurrency wallets, investigators from all over the world have stepped in with the goal to identify types of exchanges and freeze the funds on different accounts.
From the initial review, it is evident that much of the funds have been transferred to Binance. In a recent statement to TechCrunch, Binance Security Team informed that they have been aware of the situation and launched an investigation, which is visible to the crypto community as their team marked several cryptocurrency wallets as fraudulent.
Earlier today, an article released by Cointelegraph revealed that addresses used by the hackers had previously been linked to Coinbase and BitPay, common names in the cryptocurrency exchange and merchant sphere.
“According to our initial analysis the funds have reached many exchanges, but the core of the funds originated from the main Binance address. It is now clear that scammers were sending funds back and forth between different cryptocurrency addresses in an attempt to confuse law enforcement agents, wash them. Once completed fraudsters have sent a large parts of the funds to an address belonging to Binance yet again, which has been rather quickly discovered and flagged by the exchange.
Secondary besides Binance, it seems though that multiple exchanges like Bittrex, as well as MercadoBitcoin in Brazil have received funds from this scam already,” said Sven Martinsson, the Founder & CEO of VALEGA Chain Analytics – a Blockchain Investigations and analytics firm working out of Finland.
Even though the investigation remains novel, due to the transparency of the open blockchain of Bitcoin, it is possible to follow different transactions to a different account at cryptocurrency exchange platforms. Being personally engaged in one such ‘crypto exchange platform,’ competent and motivated compliance team members have a portfolio of tools and processes to stop such transactions in case they are being spotted. The fraudsters seem to know that so that there is a race for the fraudsters to try to exchange the funds to fiat currencies as soon as possible and Blockchain investigators to mark as many wallets as quickly as possible to freeze those funds.
Even though the identity of the scammers remains yet unknown, there are tools in place which allow for visualizing transactions between different accounts and exchanges that use the publicly available data and connect wallets to crypto exchanges.
Here are a couple of examples of how the fraudsters anticipated to hide their tracks. Everything starts on the left side in the middle of the graph, which represents the first address to which the scammers asked users to pay. Each additional connected line of dots represents their effort to hide their tracks and mix funds between different wallets and exchanges.
A more comprehensive description has been placed below each picture which represents a print screen out of a Blockchain Analytics Software.
Zooming in closer to different dots allows us to directly view the cryptocurrency wallet address which has been used. It is connected to a particular wallet provider or a platform (with strong but not utmost certainty). In order to review where funds were directed and how much was sent.
Investigations performed by compliance teams take time as they are most likely performed by individuals who are working for different exchange platforms or geographies, so sometimes the funds are able to be transferred to an account before they are being flagged as fraudulent. Red accounts have been already marked as fraudulent.
Following each transaction and the connected spiderweb of transfers between cryptocurrency addresses helps to spot a time period in which fraudsters will try to wash funds with a legitimate exchange. As stated below, fraudsters launched a transfer to MercadoBitcoin in Brazil as well as Bittrex.com already.
This review is just a snapshot of the current stage of transfers performed by the fraudsters as of the afternoon of July 17th. It does not display traces in full to avoid obstructing justice or investigations. Even though it has been a Twitter hack and not a Bitcoin hack, the pseudo-anonymity of bitcoin and visibility of each transaction with tools like the wallet explorer does prove that the Crypto community is not helpless and knows more and more with each transaction the fraudsters perform. It is important to underline that it was not Bitcoin that got hacked, it was Twitter. Bitcoin was just the chosen means of payment.
Sven will release a collected investigation free of charge to anyone who can identify themself as an investigator in the process.
The transaction investigation remains ongoing. For security reasons and not to interfere with investigations, this is just a teaser to provide insights into different tactics of criminal networks. Exchanges in question have the appropriate means to stay compliant and do their reporting accordingly. This is NOT an attempt to defame or point any fingers and the statements are assumptions, not yet evidence. It remains a visualization of investigation that affected many users and the account holders on Twitter.
For transparency purposes – The contributor of this post is a Head of Compliance in one of the leading Cryptocurrency Exchanges in the Nordics called ‘Safello’.
He serves as a board advisor to Valega Chain whose team has launched an investigation to follow the stolen funds on his request. Statements about how Blockchain Analytics Tools work have been performed on the example of Valega Chain Analytics and should not be generalized to other Blockchain Analytics Tools as all of them have their own criteria, tools, and internal processes.