This story is from July 16, 2020

How Twitter hackers made $118k in just over 6 hours

NEW DELHI: It lasted six and a half hours before everyone fully caught on. Twitter accounts of Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, Kanye West, Kim Kardashian, Elon Musk, Apple and a number of cryptocurrency exchanges asked users on Thursday to send bitcoins to an account to "double" them. The accounts, it turned out, were hacked and the scheme, a giveaway scam, had made the hackers $118,314.86.
Bitcoin giveaway scams have been around since 2018.
The template is an established one — a public figure or an ad promises high returns on bitcoin that anyone sends in. “To participate you just need to send from 0.1 BTC to 20 BTC to the contribution address and we will immediately send you back 0.2 BTC to 40 BTC … (x2 back),” promised the website cryptoforhealth.com, which has now been taken down. For higher amounts, a “bonus” was promised, up to 25%.
Shortly before the first scam payments came in, at 12.23am, a hacker group warned its members not to “purchase any Twitters” because someone had hacked “the internal employee panel.” Sale of Twitter accounts is quite common on the deep web as well as the clear web.
Exactly a week ago, a post on Dread, the deep web version of Reddit, said, “Need a twitter account that has blue check mark.” It went on, “I have a plan I want to execute.” On a clear web forum, a user who joined on Wednesday had asked, “How big would the risks be of buying an inactive verified twitter?” And on an iteration of the banned website 4chan, a user posted that they could “hack twitter accounts” because of a “twitter employee.”
The scam, meanwhile, started working. The first bitcoin transaction that came in, at 12.33am IST, amounted to $1.81. When someone sent bitcoins, the site would show that the transaction was still being processed. The throbber would never stop, saying “waiting for payment,” beside a money-back guarantee: “Every address that is sent too late, gets their BTC (bitcoin) immediately sent back.”
By the time it was over — the hacker(s) had cleared out by 6.43am — bitcoin transactions that had come in ranged from 50 cents to $41,953. In fact, 17 users had sent $1000 or more. Most others were below $100. But as more transactions kept coming in, at 2.31am, the scam wallet transferred bitcoins worth $9,634.72 to two other wallets. The plan was meticulous — it would eventually siphon off all but 0.012 of its bitcoins (worth $112.59) to 12 wallets in 10 separate high-volume transactions. Each wallet then transferred bitcoins to two other wallets, which did the same, and so on.

Of these secondary wallets, there was one that stood out. It was set up on May 4, had 54 transactions and unlike the other wallets which moved the bitcoins fast, this one still has bitcoins worth $67,185.15.
Tracing the transaction history back from this wallet, by going to the first time bitcoins were sent to it, shows that the stakes get bigger the further back one goes — each wallet was seeded by a wallet of much higher value than the last. The one where it all started had $276,590.39 when it began functioning.
Every bitcoin transaction is public — wallets are identified by a string of numbers and letters, their address (the address of the scam wallet where all the bitcoins went on Thursday has since become fodder for memes). The flow of funds can be followed from address to address, as above, but an address carries no identity, and no transaction can be reversed. So while hundreds watched bitcoins flow into and out of the scam wallet, there was nothing to be done.
But while observing this, a strange pattern emerged — some of the wallets sending bitcoins to the scam wallet were ones that had received bitcoins from one of the 12 secondary wallets earlier. For instance, the first wallet to send bitcoins to the scammer had received bitcoins worth $921.37 a day before the scam — from a wallet (to be referred to as wallet A) that the scammer had then sent the bitcoins to on Thursday. “This is meant to make the scammer’s claims appear legitimate … To make it look like they were fulfilling their claims, the scammers seeded wallets that they owned themselves,” Sumit Gupta, founder and CEO of CoinDCX, an Indian cryptocurrency exchange, told TOI.
But it also means that the money they made — it’s fair to assume this involved a group of individuals and not just one actor — may be lower than the value of the transactions.
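The two patterns described above, the fan-out from the scam wallet and the self-seeded "victims", can both be picked out of a transaction graph. The following is an added illustration, not code from the article or from any exchange quoted in it. The ledger is constructed for the example: the addresses are placeholders, the amounts (in satoshis) are invented, and "SCAM" stands for the giveaway wallet. It follows funds forward only along transactions dated after the coins arrived, so the seed wallet's earlier payment to victim1 is not mistaken for onward movement of proceeds, and it discounts payers whose money originally came from a wallet the scam later paid out to, which is how the net take can be lower than the gross inflow.

```python
from collections import defaultdict, deque

# Constructed ledger for illustration: (txid, sender, receiver, satoshis, unix_time).
# Addresses are placeholders, not real ones; "SCAM" stands for the giveaway wallet.
LEDGER = [
    ("t0", "origin",  "walletA",  30_000_000, 1594600000),
    ("t1", "walletA", "victim1",  10_000_000, 1594700000),  # seed a day before the scam
    ("t2", "victim1", "SCAM",     10_000_000, 1594800000),  # first "payment": scammer's own coins
    ("t3", "victim2", "SCAM",     50_000_000, 1594800100),
    ("t4", "victim3", "SCAM",    120_000_000, 1594800200),
    ("t5", "SCAM",    "sec1",    100_000_000, 1594801000),  # fan-out to secondary wallets starts
    ("t6", "SCAM",    "walletA",  79_000_000, 1594801100),  # proceeds flow back to the seed wallet
    ("t7", "sec1",    "sec1a",    50_000_000, 1594802000),
    ("t8", "sec1",    "sec1b",    50_000_000, 1594802100),
]


def index_ledger(ledger):
    """Build per-address inbound and outbound lists, ordered by time."""
    inbound, outbound = defaultdict(list), defaultdict(list)
    for txid, sender, receiver, sats, ts in sorted(ledger, key=lambda t: t[4]):
        outbound[sender].append((txid, receiver, sats, ts))
        inbound[receiver].append((txid, sender, sats, ts))
    return inbound, outbound


def trace_outflows(ledger, root, not_before=0):
    """Follow funds forward from `root`, returning {address: hop_count}.

    Only spends dated at or after the time the funds reached the sending
    address are followed, so an earlier spend by a downstream wallet
    (e.g. t1, the seed payment) is not treated as movement of scam proceeds.
    """
    _, outbound = index_ledger(ledger)
    hops, arrival = {}, {root: not_before}
    queue = deque([root])
    while queue:
        addr = queue.popleft()
        for _txid, receiver, _sats, ts in outbound.get(addr, []):
            if ts < arrival[addr] or receiver == root or receiver in hops:
                continue
            hops[receiver] = hops.get(addr, 0) + 1
            arrival[receiver] = ts
            queue.append(receiver)
    return hops


def self_seeded_payers(ledger, scam_addr):
    """Return {payer: funder} for payers funded, before they paid, by a wallet
    that is itself downstream of the scam wallet (the pattern described above)."""
    inbound, _ = index_ledger(ledger)
    downstream = set(trace_outflows(ledger, scam_addr))
    flagged = {}
    for _txid, payer, _sats, paid_at in inbound.get(scam_addr, []):
        for _tx, funder, _s, funded_at in inbound.get(payer, []):
            if funded_at < paid_at and funder in downstream:
                flagged[payer] = funder
                break
    return flagged


def proceeds(ledger, scam_addr):
    """(gross inflow, net inflow after discounting self-seeded payers), in satoshis."""
    inbound, _ = index_ledger(ledger)
    seeded = self_seeded_payers(ledger, scam_addr)
    payments = inbound.get(scam_addr, [])
    gross = sum(sats for _, _, sats, _ in payments)
    net = sum(sats for _, payer, sats, _ in payments if payer not in seeded)
    return gross, net


def balances(ledger, addresses):
    """Balance still held by each address: inbound minus outbound over the ledger."""
    inbound, outbound = index_ledger(ledger)
    return {
        a: sum(t[2] for t in inbound.get(a, [])) - sum(t[2] for t in outbound.get(a, []))
        for a in addresses
    }


if __name__ == "__main__":
    hops = trace_outflows(LEDGER, "SCAM")
    print("downstream wallets (hop count):", hops)
    print("self-seeded payers:", self_seeded_payers(LEDGER, "SCAM"))
    gross, net = proceeds(LEDGER, "SCAM")
    print(f"gross {gross / 1e8:.2f} BTC, net {net / 1e8:.2f} BTC")
    print("still held downstream:", balances(LEDGER, hops))
```

On this constructed ledger the trace reaches sec1 and walletA at one hop and sec1a and sec1b at two, victim1 is flagged as self-seeded through walletA, and the net take is 0.1 BTC below the gross inflow. Against a real chain the same logic runs over transaction inputs and outputs pulled from a node or block explorer, and the time filter matters more, since the seed wallets will have long histories of their own.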
The scam was also unusual in many ways. A German cryptocurrency investor told TOI that such scams usually rely on fake accounts. “It has happened several times with Vitalik Buterin (founder of another cryptocurrency, ethereum). Elon Musk’s name is also often used by scammers who get vanity addresses for their bitcoin wallets (an address that uses Musk’s name instead of a random string of numbers and letters),” the investor said.
Besides, a scam on this scale could have raked in a lot more money. “The scammers targeted celebrities, some of whom have been very vocal about decentralisation and (are) supporters of cryptocurrencies. It appears that the hack was executed in a complex and orchestrated manner,” Gupta said. On cybersecurity forums, the questions revolved around the political nature of the attack since all targets were liberal or Democrats — the US elections are due in November.
And that brings up the motive. “I really doubt that someone would go to this length to steal 12 bitcoins from users,” said Nischal Shetty, founder of Indian cryptocurrency exchange WazirX, acquired in November by Binance, whose Twitter account was among those hacked on Thursday. “There could have been more malicious activities besides posting fake giveaways. We’ll eventually find out.”
By now, it is clear that credentials of a Twitter employee were misused to gain access. In a statement, Twitter said it was a “coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools. We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed.”