The Twitter hackers who carried out a coordinated attack on many verified accounts used one of the addresses involved in earlier transactions to Coinbase and BitPay. The hack affected more than a dozen celebrity and institutional accounts on July 15. Analysis suggests the hackers consolidated the stolen funds in an address that had earlier sent money to those destinations.
Based on research by the blockchain analytics company Whitestream, three transactions originating from the “1Ai5” address led to wallets heavily linked with BitPay and Coinbase, both of which provide merchant solutions. The legacy address was the first the hackers posted; they switched to a Bech32 address when targeting the non-crypto accounts.
Nevertheless, the original address is currently the consolidation point for all the proceeds of that mega crypto scam. Notably, the address received 14.75 Bitcoin (BTC), worth about $135,000.
Another three transactions are thought to lead to BitPay and Coinbase. The first, in May 2020, transferred almost 1.2 BTC, worth around $11,000 at the time. The other two were sent two days before the hack and involve much smaller amounts.
Interestingly, the latter transactions are highly sophisticated: the change address is always of a different type from every input. This makes the flow much harder to trace, although the hackers may simply have been in the process of switching to a Bech32 address.
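To see why a change output of a different type from the inputs frustrates tracing, here is an added example (not Whitestream's tooling or any code from the article): a minimal Python version of the common "change output shares the inputs' script type" heuristic, run over constructed transactions with placeholder addresses that only have the right prefixes and lengths, not real chain data.

```python
"""Change-output heuristic based on address (script) type.
Constructed sample transactions, not real chain data."""
from dataclasses import dataclass
from typing import List


def address_type(addr: str) -> str:
    """Classify a Bitcoin address by its encoding/prefix (no checksum check)."""
    if addr.startswith("1"):
        return "p2pkh"        # legacy, base58
    if addr.startswith("3"):
        return "p2sh"         # legacy script hash, base58
    if addr.startswith("bc1p"):
        return "p2tr"         # taproot, bech32m
    if addr.startswith("bc1q"):
        return "p2wpkh" if len(addr) == 42 else "p2wsh"  # native segwit, bech32
    raise ValueError(f"unrecognised address: {addr}")


@dataclass
class Tx:
    inputs: List[str]    # addresses being spent
    outputs: List[str]   # addresses being paid


def change_candidates(tx: Tx) -> List[str]:
    """Outputs whose script type matches an input's type.
    Wallets normally return change to the same kind of address they spend
    from, so an output sharing that type while others differ is likely change.
    Returns [] when the heuristic cannot discriminate."""
    in_types = {address_type(a) for a in tx.inputs}
    matches = [o for o in tx.outputs if address_type(o) in in_types]
    return [] if len(matches) == len(tx.outputs) else matches


# Constructed placeholder addresses: correct prefixes and lengths only.
LEGACY_A = "1" + "A" * 33
LEGACY_B = "1" + "B" * 33
SEGWIT_A = "bc1q" + "a" * 38
SEGWIT_B = "bc1q" + "b" * 38

# Typical wallet behaviour: spend from legacy, return change to legacy.
TYPICAL = Tx(inputs=[LEGACY_A], outputs=[LEGACY_B, SEGWIT_A])

# Pattern the article describes: change sent to a type none of the inputs use.
# The heuristic finds no candidate; if the payee happened to use a legacy
# address it would even point at the payment instead of the change.
EVASIVE = Tx(inputs=[LEGACY_A], outputs=[SEGWIT_A, SEGWIT_B])

if __name__ == "__main__":
    print("typical:", change_candidates(TYPICAL))   # [LEGACY_B]
    print("evasive:", change_candidates(EVASIVE))   # []
```

Real analytics tools combine this with other signals (round-number outputs, output ordering, address reuse), which is why the article calls the pattern harder, not impossible, to follow.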
Whitestream said the first transaction sent a small amount to a BitPay-associated address, while the other two went to Coinbase. The hackers’ address therefore appears traceable by those companies, which could expose their identity. It is nonetheless likely that the transactions relate to merchant usage, which could make investigation more challenging.
It also remains a mystery why the criminals used an old address for the attack, since it offers unnecessary clues to investigators. Additionally, since the hackers already held over $11,000 before the attack, such a large account compromise could have been used to publish market-moving announcements.
The hackers likely could have made much more money by entering heavily leveraged positions before posting the scam tweets.
Twitter Employees Targeted
According to a lengthy Cryptovibes report on July 16, accounts belonging to tech companies, crypto influencers, crypto exchanges, celebrities, politicians, entrepreneurs, and other leaders were progressively attacked by the scammers. These accounts published a well-known crypto scam promising to double any Bitcoin sent to a given address.
Twitter explained that the incident resulted from a social engineering attack on high-ranking employees with admin access. Using that admin panel tool, the hackers took control of the accounts by changing their passwords and recovery emails, locking out the real owners.
This resembles the BlockFi data breach in May, where the criminals used a SIM swap attack to access internal customer records.