Twitter’s Tax Day Disaster: The Beginning (and End) of Mainstream Crypto Scams

Elon Musk. Bill Gates. Joe Biden. Apple. Uber. Binance.

It seems nigh-inconceivable that any hacker or hacker group, however sophisticated, could boast of such an all-star cast on their criminal resume.

In a mere handful of hours, however, nearly 400 transactions totaling over $112,000 poured into a scammer’s wallet from all over the world, each and every one irreversible by nature.

In the same amount of time hundreds of millions of internet denizens, many of them largely unfamiliar with digital assets and cryptocurrency as a whole, received their first taste of the ecosystem’s most undesirable face.

The first transaction to hit the scam wallet

Within the span of just three hours over a dozen high-profile accounts with a combined 139,000,000 followers fell prey to the scam, serving as vehicles for the fateful Bitcoin wallet address that would ultimately receive the swindled funds. Several of those accounts were exploited multiple times over, as fraudulent posts reappeared only minutes after being removed.

Yet by all traditional measures the scam could only be called inelegant in its execution to be kind, its language and transparently malicious intentions evocative of the infamous Nigerian prince scams that have plagued senior citizens since the 80s.

If you’ve come here wondering whether or not the perpetrator will be brought to justice, wonder no longer. He is caught, cornered, the same blatant methodology that attracted hundreds of millions of potential victims to his scam concurrently guaranteeing the scrutiny of authorities and security firms like AnChain.AI who now monitor the affiliated wallet addresses around-the-clock. As soon as he moves to liquidate his illicitly acquired funds, the crackdown will begin.

So What Actually Happened?

Starting July 15th, 2020 at 12:03 pm PST and proceeding for several hours, a number of high-profile celebrities and corporations had their Twitter profiles hacked and plastered with the a Bitcoin address, each post accompanied by a vague and generic message about giving back to the community amidst COVID-19 and promising 100% returns on any Bitcoin sent to the aforementioned wallet.

This is a typical coordinated crime, utilizing ATC (Account TakeOver) to spread the message as broadly as possible. Individual ATC happens quite often, but it’s rare to see this many high profile celebrities’ Twitter accounts get compromised by the same group, and at almost the same time. Yet the seeming sophistication of this preceding operation is rendered all the more striking when juxtaposed with the bumbling nature of the scam itself, a painfully run-of-the-mill Advance-fee scam, in which victims are promised large returns in exchange for a small up-front payment.

Nevertheless, the scammer received over 400 transactions totalling over $112,000 USD in the ensuing hours, though the scam’s viral nature attracted skeptics almost immediately, curtailing inbound transactions. From leading tech companies to politicians to athletes to CEOs, in three hours the scam had covered the full breadth of Twitter influence, as illustrated in the timeline below.

Where Did The Money Go?

In addition to receiving these ill-gotten funds, the scammer wasted little time in moving the spoils of his efforts around. While no attempt at liquidation has been observed to this point, there is little doubt that the transaction activity that took place in the hours following the scam’s launch are in preparation for exactly that.

The step-by-step transactions are mapped below.

  • Within the first few hours, known customers of Binance, Bitflyer, and Xapo had wired Bitcoins into the scammer’s wallet. In all likelihood, they represent the first victims of the scam.
A detailed visualization of the scam wallet’s transaction history.

As of this moment, the funds have all been sent out of the original wallet, distributed across several different wallets, the most concentrated of which are listed below:

  • Around 38% is sitting here: 3ChjurNXe6eJrgvF3Hz4Hw4rEgSRkkCeN5
  • Around 16% is sitting here: 3Ke8ZDBe4EB7NMvH4n34kSqRaMqTnyqYHz
  • Around 8% is sitting here: 3JMfBVJbaeh9pxMXMERS7wFDNqZZghb8fx
  • Around 8% is sitting here: 3KKfRzeaHQ4vPQTGcnpPXqpHCsP96GK9Sp
  • Around 8% is sitting here: 3NycH7LNSdmZ1R2ZgJaanMFAFRGuVQFy6Y
  • Around 8% is sitting here: 3JkFd23hsNqTACyaPL7EtNTegY6s23voA4

Who Was Behind The Hack?

While it is too early to draw conclusions about who exactly masterminded this hack, we can still observe some intriguing patterns in their behavior over the course of its execution.

After initial investigation, the following observations stand out:

  • This incident is a highly-coordinated crime by a sophisticated hacker or group of hackers.
  • Cryptocurrencies, the ideal financial vehicle for digital crime, are being employed, and some traditionally effective obfuscation tactics, such as using a brand new wallet, distributing funds across multiple wallets, and waiting to liquidate, are being employed.
  • While we await Twitter’s ongoing internal investigation, we cannot be certain of the methodology behind this attack. Various tactics could have been exploited, based on our team’s APT cybersecurity experience: social engineering and phishing; MFA Multi-Factor Authentication hack; SSO Single Sign-On hack; password management tool vulnerability; 0day exploit; etc.
  • Our threat intelligence shows the scammer seems to be somehow associated with cryptoforhealth.com, an affiliation that served as a key component in the scam’s early phases before being dropped as it moved on to mainstream targets.https://web.archive.org/web/20200715192340/http://cryptoforhealth.com/
The inclusion of cryptoforhealth.com in the scam’s early phases
VirusTotal Report on the cryptoforhealth domain , high risk domain name

What Do We Do Next?

It is certainly unfortunate to see such a massive scam perpetrated on Tax Day 2020, especially in the wake of ongoing COVID-19 related turmoil. Cryptocurrency plays a key role in this scam, a fact that no doubt reflects poorly on the entire virtual asset economy especially given the massive penetration of this scam into the mainstream.

However this incident also provides an opportunity for us to demonstrate the advantages of blockchain technology, and our ability to not only continuously monitor the implicated wallets, but to capture them at the point of liquidation and subsequently recuperate the funds. Scams that have long plagued traditional financial vehicles can be traced and punitive measures applied utilizing qualities inherent to the blockchain and digital assets.

AnChain.AI is a Silicon Valley blockchain security startup. We started to receive calls from friends and analysts minutes after the first posting, and were among the first companies to respond to the public with our findings! We received hundreds of inquiries in a few hours, and we were so impressed by the public’s efforts and interest that we’ve decided to open up our award winning investigation tool, CISO, for free! Create your account here:

http://www.anchain.ai/ciso

We are democratizing blockchain investigation, offering the most accessible and powerful investigative software on the market so more people can bring transparency into the emerging cryptocurrency and blockchain industry! We look forward to hearing your findings!

The AnChain.AI team will continue to monitor and deliver updates on this situation as it develops. To stay tuned for the latest updates on this scam, groundbreaking research, and more, subscribe at anchain.ai/subscribe.

Blockchain data analytics firm providing security, risk, and compliance solutions.