Coinbase, BitGo, and Binance might know the attackers behind the Twitter scam that perpetrated a bitcoin “giveaway” this week, according to one on-chain analytics firm.
Tracking Bitcoin Trails
Crystal Blockchain, a BitFury division that provides anti-money-laundering and on-chain compliance tools through its products, tracked bitcoin trails associated with the hackers’ addresses.
The firm believes trails leading to BitGo, Coinbase, and Binance might uncover the hackers behind the $120,000 scam that hit over 25 prominent Twitter accounts, such as those of Changpeng Zhao, Elon Musk, Kanye West, and U.S. presidential candidate Joe Biden.
The hackers do not appear to be sophisticated Bitcoin users, said Crystal Blockchain.
[Image: the firm’s proprietary software tracking the BTC]
The hackers used a Bitcoin address, “bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh”, and started moving funds into other addresses once the scam was set in motion. Notably, for a scam of that extent, they used just one address and did not attempt to use mixers or private currencies like Monero to conceal their tracks.
Most of the 14.76 BTC on this address was received on July 15, although the address was first activated on May 3 this year. Half the bitcoin comes from an address starting with “bc1qxy”, the remainder from other sources.
Some BTC Originates from Coinbase and BitMEX
Some of the received Bitcoin comes from the Coinbase and BitMEX exchanges, Crystal Blockchain flagged. Those addresses received direct transactions from the original hacker address that was broadcast on Twitter.
The firm noted that a 10 BTC Coinbase withdrawal occurred on the morning of July 15. This was followed by a 0.4 BTC transfer originating from that Coinbase address. Crystal Blockchain notes there might be a “possibility of the coins changing hands in the interval. However, this seems unlikely, considering there are no major entities in between.”
Fast forward to July 16, and a tiny 0.0011 BTC ended up in “16ftSEQ4ctQFDtVZiUBusQUjRrGhM3JY”, which has been confirmed to be a Binance deposit address. Crystal Blockchain said this was “three hops away from the original hacker address with no major entities in between.”
Meanwhile, the hackers are said to have used a proxy, as some of their transactions originated from different parts of the world. The Bitcoin addresses generated by the hackers differ as well; some are in the Bech32 format, others in the older P2PKH and P2SH formats.
Crystal Blockchain concluded:
“If our analysis is correct, then several major crypto entities should be able to identify the hackers.”