Twitter Bitcoin Scam


By Henry Hillman, Lecturer in Law at UWE Bristol.

On 15 July 2020, numerous high profile Twitter users’ accounts were hijacked to display messages promising to return double the Bitcoin sent to a published Bitcoin address. Compromised accounts included Barack Obama, Elon Musk, and Kim Kardashian,[1] as well as accounts linked to high profile cryptocurrency service providers such as Coindesk and Binance.[2] The nature of the compromised accounts meant that the incident very quickly became headline news, and Twitter acknowledged the issue publicly through its CEO[3] and support pages.[4] Needless to say, nobody who sent the Bitcoins to the scam address received any Bitcoins in return. Responsibility for the attack has been claimed by ‘Cryptoforhealth’ which was registered on Instagram at the same time as the scam tweets. The account posted a statement claiming the attack was for charity and that the “money will find its way to the right place.”[5]

As further details have emerged, Twitter has revealed that 130 accounts were targeted, that the attackers reset the passwords of 45 of them, and that the account information for 8 accounts was downloaded.[6] While the identities of the compromised accounts are clear from the accounts the scam address was tweeted from, it is not known whose data has been downloaded. Twitter has stated that no ‘verified’ accounts, meaning accounts carrying the blue tick that Twitter assigns to high profile users to confirm that the account is genuine,[7] have had their data downloaded, and, understandably, Twitter will not reveal any further details on whose data was taken.

The claims about the charitable nature of the attack cannot be corroborated, and the real identity of the perpetrators is still not known. The ‘CryptoForHealth.com’ domain name was created on 15 July,[8] the same day as the scam tweets, using a fake address and phone number.[9] The name ‘Anthony Elias’ was used to register the website, but no genuine identity can be traced.[10]

How?

The exact methods employed by the perpetrators of the scam will likely never be known in full, as an organisation is unlikely to want to publish the details of how its security was breached, for fear of similar attacks. Twitter has been relatively open in acknowledging the security breach so quickly, and in providing a public update on 18 July 2020 stating that “attackers targeted certain Twitter employees through a social engineering scheme.”[11] Social engineering is a broad term, which refers to obtaining sensitive information from an individual or group of people in possession of the information, or with access to it.[12] This could be as simple as phishing, or more complex, duping an individual by using other relevant information to gain trust. Twitter states that the “attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems,”[13] in order to post tweets from high profile accounts. That detail matters: two-factor authentication on an account[14] protects the account’s own login, but it offers no protection when an attacker holds credentials for internal systems that can reset the account’s password, which is how 45 of the targeted accounts were taken over. Given the number of affected accounts, it is likely to have been a well-prepared operation, but it cannot be ruled out that the perpetrators were the beneficiaries of a slice of good fortune in obtaining their ‘all access pass’ to Twitter accounts.

Analysis

While such a scam has not made headline news before, its nature has many similarities to previous scams, both Bitcoin and wider internet scams. There are issues with the term ‘hacking’, with the simplicity of the scam proposition, and with the behaviour of the Bitcoin address in the scam, which is similar to that seen in ransomware attacks such as WannaCry.

While it is a technical point, it should be acknowledged that this was not a ‘hack’ in the sense of an exploited software vulnerability: on Twitter’s own account, no weakness in its code was exploited. The attackers were able to post from the compromised accounts because employees were manipulated into giving up working credentials, and those credentials opened internal systems powerful enough to reset passwords and post from high profile accounts. If Twitter’s statements are to be believed, the failure was human and procedural, lying in how much those credentials could do once in the wrong hands, rather than a flaw in the software itself.

The scam was a very simple one, which relied upon the fame of the account holders, and the influence they may have on their followers, to lend credibility to the address and encourage victims to send Bitcoins. If the aim was to make money, then the tactics used once the attackers had access appear unsophisticated. The premise should not cause many to believe they will get their sent Bitcoins doubled, and only 12.8652 Bitcoins were sent to the address, equating to around £94,000 based on the value of Bitcoin around the time of the attack. The simplicity of the tweets may be why only 44 incoming transactions can be seen for the Bitcoin address published.[15] The second way in which the attack was crude was in the victim Twitter accounts chosen, and in the tweets being posted in short order. By selecting high profile victims, and tweeting from all of their accounts on the same day, the attackers were always going to be detected quickly. The attackers would have been naïve in the extreme not to realise that their attack would be detected very quickly, which has led to the attack being described as a “smash and grab” exercise.[16] The crudeness of the tactics suggests that acquiring Bitcoins could have been a secondary aim of the attack, with publicity being the main goal.

The behaviour of the Bitcoin address published in the tweets follows a predictable path. The Bitcoins received were not kept in the address for very long, quickly being moved to various addresses, which in turn moved the Bitcoins on again. With patience the Bitcoins can be traced, as distributed ledger technology means all transactions are published on the blockchain, but the owners of the addresses remain unknown. These practices are similar to those employed by ransomware attackers once the ransoms are paid to their respective addresses. The biggest weakness of publishing a criminal Bitcoin address is that investigators have a starting point from which to follow transactions. This issue can be addressed by using ‘mixer’ services. These services allow users to disguise which addresses Bitcoins are being sent to by completing the transaction as part of a group of transactions. A Bitcoin transaction can have numerous input addresses and numerous output addresses; a mixer service gathers large numbers of inputs and sends them all in one transaction to the outputs, so that an investigator cannot tell from the transaction alone which senders correspond to which recipients. The disguise is only as good as the mix, however: it holds when the outputs are of equal value and the pool of participants is large, whereas outputs of distinct amounts, or a mix with only a handful of participants, can often be partially unpicked by matching amounts and timing.
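The tracing described above, as an added example that is not part of the original post: a small Python script that follows a scam address’s coins forward through a constructed set of transactions using the ‘haircut’ rule (tainted coins are spread across a transaction’s outputs in proportion to their value), and then shows what a CoinJoin-style mixing transaction does to the trail. The ledger, addresses and amounts are constructed placeholders for illustration and are not taken from the real scam address or the blockchain.

```python
"""Forward taint tracing over a constructed Bitcoin-style ledger.

Added example, not from the original post. Addresses, amounts and
transactions are constructed placeholders, not real blockchain data.
"""
from collections import defaultdict

# Constructed ledger, in chronological order. Each entry lists (address,
# btc) inputs and outputs. Balances are simplified: an address spends
# everything it received in one go, as the scam address did in practice.
TXS = [
    {"id": "donations", "in": [("victim1", 0.5), ("victim2", 0.3)],
     "out": [("scam", 0.8)]},
    {"id": "split",     "in": [("scam", 0.8)],
     "out": [("hop1", 0.5), ("hop2", 0.3)]},
    {"id": "forward",   "in": [("hop1", 0.5)],
     "out": [("hop3", 0.5)]},
    # CoinJoin-style mixer round: four unrelated 0.5 BTC inputs and four
    # equal 0.5 BTC outputs. Which output belongs to hop3's owner cannot
    # be recovered from the transaction alone.
    {"id": "mix",       "in": [("hop3", 0.5), ("otherA", 0.5),
                               ("otherB", 0.5), ("otherC", 0.5)],
     "out": [("outA", 0.5), ("outB", 0.5), ("outC", 0.5), ("outD", 0.5)]},
    # A badly built mix: distinct output amounts leak the mapping.
    {"id": "badmix",    "in": [("hop2", 0.3), ("otherD", 0.7)],
     "out": [("outE", 0.3), ("outF", 0.7)]},
]


def trace(txs, start):
    """Return {address: (btc_received, btc_attributable_to_start)}.

    Haircut rule: the tainted share of a transaction's inputs is spread
    across its outputs pro rata, so a 25%-tainted input set produces
    25%-tainted outputs however many outputs there are.
    """
    received = defaultdict(float)
    tainted = defaultdict(float)
    for tx in txs:
        total_in = sum(amt for _, amt in tx["in"])
        tainted_in = 0.0
        for addr, amt in tx["in"]:
            if addr == start:
                frac = 1.0                      # seed: all of the scam address's coins
            elif received[addr] > 0:
                frac = tainted[addr] / received[addr]
            else:
                frac = 0.0                      # never received traced coins
            tainted_in += amt * frac
        ratio = tainted_in / total_in if total_in else 0.0
        for addr, amt in tx["out"]:
            received[addr] += amt
            tainted[addr] += amt * ratio
    tainted[start] = received[start]            # the seed is fully tainted by definition
    return {a: (received[a], tainted[a]) for a in received}


def taint_fraction(txs, start, addr):
    """Share of an address's received coins that trace back to start."""
    rec, tnt = trace(txs, start).get(addr, (0.0, 0.0))
    return tnt / rec if rec else 0.0


def candidate_outputs(tx, tainted_inputs):
    """Amount-matching heuristic: which outputs carry exactly the value the
    tainted inputs put in? Equal-valued outputs defeat it; distinct amounts
    give the mapping away."""
    put_in = sum(amt for addr, amt in tx["in"] if addr in tainted_inputs)
    return [addr for addr, amt in tx["out"] if abs(amt - put_in) < 1e-9]


if __name__ == "__main__":
    for addr, (rec, tnt) in trace(TXS, "scam").items():
        print(f"{addr:8s} received {rec:.3f} BTC, {tnt:.3f} traced to scam")
    print("mix candidates:   ", candidate_outputs(TXS[3], {"hop3"}))
    print("badmix candidates:", candidate_outputs(TXS[4], {"hop2"}))
```

Run as a script, the trace reaches every hop until the mixer round, where each of the four equal outputs comes out 25% tainted and the amount-matching check lists all four as candidates; for the badly built mix the same check names a single output, which is the practitioner’s caveat that a mix only hides the link when the outputs are indistinguishable.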

Conclusions

This incident will fade out of the public consciousness very quickly, and it is unlikely that the full details of how the attack was conducted will ever be made public. It is also unlikely that any Bitcoins sent to the scam address will be retrieved, and equally unlikely that the attack was a charitable one. For investigators, it provides an opportunity to observe the behaviour of the attackers, and it also serves as a very public lesson in basic financial intelligence: do not send your money to random locations on the internet, and if a deal sounds too good to be true, it invariably is.


[1] BBC News, ‘Major US Twitter accounts hacked in Bitcoin scam’ (16 July 2020) <https://www.bbc.co.uk/news/technology-53425822> accessed 20 July 2020.

[2] Cameron Winklevoss, ‘Twitter Status’ (Twitter, 21:18 BST 15 July 2020) <https://twitter.com/winklevoss/status/1283493640287989760?s=20> accessed 20 July 2020.

[3] Jack Dorsey, ‘Thread’ (Twitter, 02:18 BST 16 July 2020) <https://twitter.com/jack/status/1283571658339397632?s=20> accessed 20 July 2020.

[4] Twitter Support, ‘Thread’ (22:45 15 July 2020) <https://twitter.com/TwitterSupport/status/1283518038445223936?s=20> accessed 20 July 2020.

[5] BBC News, ‘Twitter hack: FBI investigates major Twitter attack’ (17 July 2020) <https://www.bbc.co.uk/news/technology-53439585> accessed 21 July 2020.

[6] Twitter, ‘An update on our security incident’ (18 July 2020) <https://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident.html> accessed 20 July 2020.

[7] Twitter, ‘About verified accounts’ <https://help.twitter.com/en/managing-your-account/about-twitter-verified-accounts> accessed 20 July 2020.

[8] Whois Domain Tools, ‘Whois Record for CryptoForHealth.com’ (created 15 July 2020, last updated 21 July 2020) <https://whois.domaintools.com/cryptoforhealth.com> accessed 21 July 2020.

[9] Samuel Haig, ‘Who Owns the ‘CryptoForHealth’ Domain Behind the Twitter Hacks?’ (CoinTelegraph, 16 July 2020) <https://cointelegraph.com/news/who-owns-the-cryptoforhealth-domain-behind-the-twitter-hacks> accessed 21 July 2020.

[10] BBC News, ‘Twitter hack: FBI investigates major Twitter attack’ (17 July 2020) <https://www.bbc.co.uk/news/technology-53439585> accessed 21 July 2020.

[11] Twitter, ‘An update on our security incident’ (18 July 2020) <https://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident.html> accessed 20 July 2020.

[12] F. Mouton, L. Leenen, and H.S. Venter, ‘Social engineering attack examples, templates and scenarios’ (2016) 59 Computers & Security 186 at p187.

[13] Twitter, ‘An update on our security incident’ (18 July 2020) <https://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident.html> accessed 20 July 2020.

[14] Twitter, ‘How to use two-factor authentication’ <https://help.twitter.com/en/managing-your-account/two-factor-authentication> accessed 20 July 2020.

[15] BitInfoCharts, ‘Bitcoin Address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh’  <https://bitinfocharts.com/bitcoin/address/bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh> accessed 21 July 2020.

[16] Joe Tidy, ‘Major US Twitter accounts hacked in Bitcoin scam’ (BBC News, 16 July 2020) <https://www.bbc.co.uk/news/technology-53425822> accessed 21 July 2020.