Twitter’s Tax Day Disaster: The Beginning (and End) of Mainstream Crypto Scams

The first transaction to hit the scam wallet

Where Did The Money Go?

In addition to receiving these ill-gotten funds, the scammer wasted little time in moving the spoils of his efforts around. While no attempt at liquidation has been observed to this point, there is little doubt that the transaction activity that took place in the hours following the scam’s launch are in preparation for exactly that.

  • Within the first few hours, known customers of Binance, Bitflyer, and Xapo had wired Bitcoins into the scammer’s wallet. In all likelihood, they represent the first victims of the scam.
A detailed visualization of the scam wallet’s transaction history.
  • Around 38% is sitting here: 3ChjurNXe6eJrgvF3Hz4Hw4rEgSRkkCeN5
  • Around 16% is sitting here: 3Ke8ZDBe4EB7NMvH4n34kSqRaMqTnyqYHz
  • Around 8% is sitting here: 3JMfBVJbaeh9pxMXMERS7wFDNqZZghb8fx
  • Around 8% is sitting here: 3KKfRzeaHQ4vPQTGcnpPXqpHCsP96GK9Sp
  • Around 8% is sitting here: 3NycH7LNSdmZ1R2ZgJaanMFAFRGuVQFy6Y
  • Around 8% is sitting here: 3JkFd23hsNqTACyaPL7EtNTegY6s23voA4

Who Was Behind The Hack?

While it is too early to draw conclusions about who exactly masterminded this hack, we can still observe some intriguing patterns in their behavior over the course of its execution.

  • This incident is a highly-coordinated crime by a sophisticated hacker or group of hackers.
  • Cryptocurrencies, the ideal financial vehicle for digital crime, are being employed, and some traditionally effective obfuscation tactics, such as using a brand new wallet, distributing funds across multiple wallets, and waiting to liquidate, are being employed.
  • While we await Twitter’s ongoing internal investigation, we cannot be certain of the methodology behind this attack. Various tactics could have been exploited, based on our team’s APT cybersecurity experience: social engineering and phishing; MFA Multi-Factor Authentication hack; SSO Single Sign-On hack; password management tool vulnerability; 0day exploit; etc.
  • Our threat intelligence shows the scammer seems to be somehow associated with, an affiliation that served as a key component in the scam’s early phases before being dropped as it moved on to mainstream targets.
The inclusion of in the scam’s early phases
VirusTotal Report on the cryptoforhealth domain , high risk domain name



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store



Blockchain data analytics firm providing security, risk, and compliance solutions.