It is unclear exactly how the hackers gained access to make the tweets from these accounts, but Twitter posted an update which corroborated reports that indicated company personnel and internal admin tools were involved.
Considering that the hackers had control over some of the most influential accounts on Twitter, posting a simple Bitcoin scam and exposing their access is a curious choice. As Kris Holt said, It could have been a lot worse - Accounts were frozen quickly, and the main known hacker address only received around $120,000 worth of BTC at the time of writing. Tracking these funds, however small the amount, is important and the FBI is reportedly investigating:
Bitcoin is a public blockchain, so anyone can pull and investigate all of the hack-associated transactions and addresses from their own node. Zach Finzi and I use this publicly available blockchain data to model the funds received and subsequently sent by the scammer(s).
Bitcoin Network Topology Visualization Twitter Hack/Cryptoforhealth Scam. Source: NTerminal data in Splunk
The above graph uses the 3d Network Topology App for Splunk
SPLK +5.1%’s Machine Learning Tool Kit. It shows the indexed transactions between addresses implicated in the scam. Each node represents an individual address and the edges represent a set of transactions and transfers of BTC between the two nodes. Blue nodes are those linked to the Twitter hack, and blue edges represent transactions between them. Green edges represent funds received by the hacker(s), and orange ones show where they sent their funds.
To better visualize the movement of funds we can use a Sankey diagram:
Sankey Diagram of BTC transactions associated with the Twitter Hack. Source: NTerminal data in Splunk
In the above image, transaction directionality can better be seen (BTC moves from addresses on the left to those on the right). To reduce complexity, not all transactions or addresses are pictured.
The primary address which the scammer collected payments with, and was linked on the “cryptoforhealth” website, before it was pulled down, can be tracked by anyone here.
Sankey Diagram with Twitter Scam addresses aggregated. Source: NTerminal data in Splunk
The addresses which now hold these funds can further be monitored in an attempt to see if they eventually are transferred to a known entity such as a regulated cryptocurrency exchange or gambling service, and to prevent the spending or laundering of them.
Natural Language Processing of Bitcoin Scam/Hack Events
Due to the high-profile nature of the accounts hit, the large security concerns that come with such an attack are perhaps more important than the missing $120k.
By combining techniques such as keyword detection, topic modeling, sentiment analysis, and named-entity recognition, I analyze natural language data surrounding Bitcoin. The below graphs shows unique document URLs (which are equivalent to unique articles, but also can contain structured text derived from images or videos) which contain the key term Bitcoin (and its aliases, such as BTC) and have topics related to scam, fraud, or hack.
The first image shows a daily count of the number of documents with the above criteria sorted by average term sentiment (that is sentiment in relation to the term “Bitcoin”). Expectedly, we can see a massive spike on July 15th and 16th.
Bitcoin Scam/Hack timeseries data from June 16th to July 16th 2020. Source: NTerminal data in Splunk
By taking these filtered Bitcoin mentions, and limiting to only events from July 15th and 16th, we can see a highly negative average term sentiment (23.844%, where 0 is highly negative and 100 is highly positive). We also see that our models detect many mentions in these events for the high profile individuals whose accounts were compromised in this Hack:
Bitcoin Scam/Hack data from July 15th to July 16th 2020. Source: NTerminal data in Splunk
Metadata about the information used in below panels (top). Top mentioned person name candidates identified through our neural nets (left). The overall sentiment for the term Bitcoin (right).
Despite the negative attention directed at Bitcoin, the incident does not imply any underlying security concerns for the Bitcoin network itself. In fact, the cryptofinancial ecosystem’s response to the hack has included spreading awareness of the scam, cooperative investigating of the activity, and reporting of the implicated addresses.
Bitcoinabuse.com, a site for self reporting of fraud-associated addresses, quickly received a number of reports for the scam addresses:
Twitter Hack Associated Addresses Bitcoinabuse Reports. Source: Bitcoinabuse data in Splunk