A cyberattack against Twitter has sparked widespread debate about tech industry regulations and borderless money.
So far the scam has garnered $120,000 worth of bitcoin by tweeting about a fake giveaway campaign. Verified Twitter accounts briefly lost the ability to post Wednesday, which inspired one New York magazine columnist to tweet that making cryptocurrency “illegal” would “prevent this sort of thing.”
Missouri Republican U.S. Sen. Josh Hawley promptly published a public letter to CEO Jack Dorsey, saying Twitter should work with the Justice Department and the Federal Bureau of Investigation to address security issues. By Thursday morning, many authentic Twitter accounts were no longer able to tweet bitcoin addresses at all, although QR codes still worked.
“As much as I can tell by the evidence I see right now, the attackers did not understand the value of the information that they had,” ClearSky CEO Boaz Dolev told CoinDesk. “We need to find a way to build a more resilient audience that won’t believe anything they see in a certain format is true. It’s a new era where we need new tools to understand what is true.”
That said, with an audience reach of over 375 million followers, the hacked accounts only ensnared 421 bitcoin transactions, with only 17 of those transactions valued above $1,000. Roughly half of the transactions hailed from North American exchange accounts.
Whoever is behind the Twitter Hack of 2020, which collected bitcoin by hijacking the accounts of everyone from Barack Obama to Elon Musk, Dolev said it doesn’t appear to be a state actor or a terror group.
“Based on the history of the first destination address of the CryptoForHealth scam addresses, the scammers have a history of gambling on BitMEX and Coinbase usage,” said the privacy-centric team behind Samourai Wallet.
And yet, despite clearly being a crypto veteran, the attackers didn’t use some of the best bitcoin privacy tech available.
Samourai Wallet said so far none of the 12.8 BTC appear to have been mixed with the firm’s WhirlPool tool nor any other non-custodial CoinJoin software. Instead, the evidence suggests the hackers have used centralized exchange accounts, like BitMEX, in the past.
The crypto startup CryptoQuant tweeted “4.8 BTC went into the mixer.” But evidence from the analytics firm Quantstamp shows the illicit funds have not been used with any non-custodial mixing or CoinJoins. To Quantstamp CEO Richard Ma, this suggests an unsophisticated attacker because it will be hard to liquidate these funds.
“The hacker used a single address, which likely reduced the hacker’s earnings by making it easier to trace,” Ma said. “Many exchanges including Coinbase, Kraken and Gemini have already blacklisted the address as well as the derivative addresses as the hacker seeks to exit with the funds.”
CryptoQuant CEO Ki Young Ju promptly responded to a direct message from CoinDesk clarifying this blockchain data may suggest use of a “centralized mixing wallet.”
“The transaction patterns look like mixing because this wallet has multiple unknown tx inputs from one-time used wallets,” he said. But after further investigation, he replied again that it was a mistake.
“I sincerely apologize for giving the wrong info,” Young Ju said in a message.
Only a sophisticated user would notice this data about “the mixer” was described incorrectly and that the hack was not affiliated with any popular mixing wallets or software projects. Bálint Harmat, co-CEO of the Wasabi Wallet maker zkSNACKs, said, “We took a quick look at the addresses. They are not related to Wasabi CoinJoins as of now.”
Even using the same bitcoin addresses, experts may incorrectly interpret the data. Both Ma and the Samourai Wallet team described the bitcoin transactions as simple, sometimes even a single hop. In the end, all parties agreed there is no evidence of mixing.
As Twitter users struggle to regain full access to the platform and protect their data, there’s no way for the social media company to prioritize millions of issues at once. Legacy brands and celebrities may have the resources to manage public broadcasts but few citizen journalists do.
ClearSky’s Dolev said the most interesting implications of the attack won’t be related to bitcoin itself. It will be how this impacts the communications infrastructure on which so many markets, including crypto markets, rely.
“We can learn a lot about what banks are doing to protect themselves from fraud, and there’s a lot of similarity between fraud and this type of action,” Dolev said. “We’ll have to see what Twitter is going to do to secure accounts and also what Facebook and other social networks will do as well.”
Will Foxley contributed reporting.