Scam Update: 90% of Twitter Hack Bitcoins — Laundering in Progress
Want to join in on the investigation? We’re offering our groundbreaking CISO Investigative Platform FREE to the public. Sign up now at https://anchain.ai/ciso
Last week we covered the largest cryptocurrency hack of 2020, placing the affiliated criminal wallets squarely in our sights. Only days later, nearly 90% and over $100,000 of the implicated funds are already on the move, with 51% (~$57,000) funneled through mixers and coin joins, and another 42% (~$47,000) laundered through a series of pass-through wallets, splits, and other maneuvers, illustrated below.
As things stand, we are privy to each and every transaction made by this criminally-implicated cluster of wallets, ready to alert the rest of the digital asset economy at the first sign of any attempt to cash out. This level of surveillance would be nigh-inconceivable in the legacy economy, enabling us to bring value to our clients and the community at large even after a scam or breach has occurred.
Turning Bitcoin into Cash: Crypto-Laundering Tools
Bitcoin’s value as a black market currency arises from a trifecta of key attributes:
- Pseudonymity — Wallets can be created without attachment to real-world entities
- Stability — Bitcoin exhibits by far the most long-term stability among cryptocurrencies
- Liquidity — Bitcoin is easily and conveniently exchanged for fiat currencies
By the same principles, criminal utilization of Bitcoin can be thwarted by mitigating the effects of pseudonymity, and limiting liquidity.
First, pseudonymity is resolved through a combination of known entities, AI, behavior-based machine learning, and circumstantial evidence, revealing the contextual landmarks with which a criminal wallet might interact and isolating a cluster of affiliated wallets.
Second, liquidity is limited through cooperation and communication with cryptocurrency exchanges, flagging the cluster of criminal wallets in order to prevent any attempts at liquidation.
Naturally, criminals attempt to thwart these controls using a variety of underhanded techniques.
Part 1: Mixers and Coin Joins
Two suspicious mixer transactions were identified by our proprietary machine learning model involving around 51.1% or $57,000 of funds moved by the Twitter hackers. By blending these criminally implicated funds with clean Bitcoins, the criminals hope to throw investigators off the trail.
Using the following systems of hops, the illicit funders entered the mixers:
Wasabi Mixer Transaction Trail:
bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
->
1Ai52Uw6usjhpcDrwSmkUvjuqLpcznUuyF
->
3DA2babKUhP74pKitfzoXaoFNnpH38TqWQ
->
bc1qv00c2aw9hmfc4ur39w3l20tcc9q3gdx2u2qrf7
->
bc1qhk58nn6hnnanksynvrepjkyr7aq8at2ftl0hsl
->
bc1qj8mqa8zaseqk80zcz9twwwnhrcml03gg45tdt6
->
Entered Wasabi: da2de4a38eec8175e494b62efa6e17e1cef2dc23d51462081692e823159f9aca
We also identified the usage of an additional, unidentified coin join operation, the transactions comprising which are also provided below.
Coin Join Transaction Trail:
bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
->
1Ai52Uw6usjhpcDrwSmkUvjuqLpcznUuyF
->
3ChjurNXe6eJrgvF3Hz4Hw4rEgSRkkCeN5
->
3QT7QEcs32an8iMMZ86evKBXUsqkKWDgoi
->
1EszBGs9Nays15vqrnyWn46VcnipKY77G3
->
Entered the Coin Join transaction: ca72bfacc95c5b95a69d888f8cab6ee1b92bd1b0f2b85bed0a60aa0023e08cc1
Part 2: Hops, Splits, and Jumps
In addition to the aforementioned mixer and coin join activity, we observed intriguing activity involving a further 32% of the total scam-implicated funds traveling and distributing through a network of wallets. Of particular note is an interesting pattern that emerges upon visualization, further confirming that the identified accounts are associated with the scam.
The accounts in question are:
- 3JMfBVJbaeh9pxMXMERS7wFDNqZZghb8fx
- 3KKfRzeaHQ4vPQTGcnpPXqpHCsP96GK9Sp
- 3NycH7LNSdmZ1R2ZgJaanMFAFRGuVQFy6Y
- 3JkFd23hsNqTACyaPL7EtNTegY6s23voA4
All of them were holding the same amount of BTC on Friday (around 8% each of the total scam, adding up to around 32%, which corresponds to around $36k).
The images below demonstrate the uncannily similar techniques utilized to break the funds up into a large number of holding wallets. Under ordinary circumstances, this would render them extremely difficult to track by conventional means, but using our AI-enriched visualization software the path couldn’t be more apparent.
Each screenshot exhibits the same basic characteristics, where the scam, starting with a single chunk, moves BTC around that eventually ends up in 3 final accounts:
- Two at the bottom of the image
- One (in the top right corner), which received money on July 17th from the 4 scam wallets and is now holding $15.5k → 1KCTT6Ksm89HhRnN8j5T3ENT5e7ZkHKtQc
As a result of these operations, the following accounts are currently holding BTC:
- 1KCTT6Ksm89HhRnN8j5T3ENT5e7ZkHKtQc ($15.5k)
- 1E43EVPwtzVxD8kY8YNR28HZeWdmypae8n ($3.37k)
- 14KKFyCnhewWKvJoZdK7D27MP2mYfHgqNA ($3.6k)
- 13eKAA8YWkw56cXXncJSmFLb6iSa687HeX ($3.42k)
- 152tsgvUn2cBsaXt5ovmeWjCPT69ubuqvM ($2.91k)
- 18dEZcpXqwgkkj6kukQg5Ui35ZUgahDJ7Z ($4.02k)
- 12ESqGmoWTUBPEUyoRWQF1W73GTotiJY1L ($4.05k)
- 1cNU2be3uLuZVc6JkSnsoJ8gxT7NtDJ1P ($2.92k)
- 1FNYygWtz7gj9EjU2m9MAWsWLcKp3AA6nK ($3.52k)
- 13eKAA8YWkw56cXXncJSmFLb6iSa687HeX ($3.42k)
Total amount: 5.0863 BTC, around $47k (42% of the total), which is more than the actual sum of the initial 4 addresses where we started the investigation from, since other accounts related to the scam sent money along the way.
What Now?
The effort expended to obscure the criminal origins of these funds is clear and obvious. By utilizing these known obfuscation tactics, the perpetrators hope to launder their funds sufficiently to move towards liquidation and, in fact, have already begun to do so. Our team observed liquidations attempts directly linked to criminally implicated funds as early as July 15 (Transaction ID: aad68b2a47c20f9bce6f8f846ae640453f1f8badbe16c96f5c6077e48e292903)
Utilizing our CISO investigative platform we are able to continuously monitor these wallets, but greater steps must be taken to ensure that these scammers are not permitted to cash out.
To join or follow our investigation, sign up for free at https://anchain.ai/ciso
For more information, contact us at info@anchain.ai
