Uncovering The Money Laundering Attempts Of Bitcoin Fraudsters Behind The Recent Twitter Scam – Forbes

A snapshot investigation following the funds connected with yesterday's Twitter hack of Jeff Bezos, Elon Musk, and several celebrities, to review where the fraudsters have transferred the funds.

From an initial investigation following the funds related to the Twitter hack that happened on July 15 to Elon Musk, Jeff Bezos, Barack Obama, Joe Biden, Kanye West, Bill Gates and numerous other celebrities and executives of large technology companies, it is evident that many of those funds have already hit reputable exchanges that might freeze the funds.

During the Twitter hack, the fraudsters, posing as celebrities, falsely informed users that they had decided to partner up with a mysterious organization called "CryptoForHealth" in order to 'give back to their community.' The scam has been covered extensively by several news outlets, including Forbes contributors like Jesse Damiani, who reviewed the initial steps just after the hack.

As different celebrities were sharing and resharing those posts that turned out to be fraudulent, some of their followers decided to open up their own wallets and pay as well. More than $130,000 later, most of the posts had been removed and the CryptoForHealth website had been shut down. Twitter stepped in to forbid some users to tweet, but it is high time to return the funds to the victims or at least specify to which exchanges they have been sent.

Despite a common misperception, Bitcoin is a pseudo-anonymous network: transactions performed on it are both visible to the general public and traceable. Addresses can be directly connected to particular exchanges.

As scammers are still moving funds between cryptocurrency wallets, investigators from all over the world have stepped in with the goal of identifying the types of exchanges involved and freezing the funds on different accounts.

From the initial review, it is evident that much of the funds have been transferred to Binance. In a recent statement to TechCrunch, the Binance Security Team said that they were aware of the situation and had launched an investigation, which is visible to the crypto community as their team has marked several cryptocurrency wallets as fraudulent.

Earlier today, an article released by Cointelegraph revealed that addresses used by the hackers had previously been linked to Coinbase and BitPay, common names in the cryptocurrency exchange and merchant sphere.

According to our initial analysis, the funds have reached many exchanges, but the core of the funds originated from the main Binance address. It is now clear that scammers were sending funds back and forth between different cryptocurrency addresses in an attempt to confuse law enforcement agents and wash the funds. Once that was completed, the fraudsters sent a large part of the funds to an address belonging to Binance yet again, which was rather quickly discovered and flagged by the exchange.

Secondly, besides Binance, it seems that multiple exchanges like Bittrex, as well as MercadoBitcoin in Brazil, have received funds from this scam already, said Sven Martinsson, the Founder & CEO of VALEGA Chain Analytics - a Blockchain Investigations and analytics firm working out of Finland.

Even though the investigation is still new, the transparency of Bitcoin's open blockchain makes it possible to follow different transactions to different accounts at cryptocurrency exchange platforms. Speaking as someone personally engaged in one such crypto exchange platform: competent and motivated compliance team members have a portfolio of tools and processes to stop such transactions when they are spotted. The fraudsters seem to know that, so there is a race between the fraudsters, trying to exchange the funds to fiat currencies as soon as possible, and blockchain investigators, marking as many wallets as quickly as possible to freeze those funds.

Even though the identity of the scammers remains unknown, there are tools in place that use the publicly available data to visualize transactions between different accounts and exchanges and to connect wallets to crypto exchanges.

Here are a couple of examples of how the fraudsters attempted to hide their tracks. Everything starts on the left side in the middle of the graph, which represents the first address to which the scammers asked users to pay. Each additional connected line of dots represents their effort to hide their tracks and mix funds between different wallets and exchanges.

Each picture is a screenshot from blockchain analytics software, with a more comprehensive description placed below it.

Even though this initial graph might not be the easiest to read, it represents the initial cryptocurrency address listed on the hacked accounts (red dot at the lower part of the picture on the left side). Once the scammers received the funds, they started to distribute them to multiple different wallets (the second line, looking from left to right). While receiving those funds, the scammers have been trying to transfer them to more and new addresses to wash them and possibly exchange them back to fiat currency. Red dots represent the addresses that have already been flagged as fraud; green represents addresses that have not YET been flagged in the system as of 6:30 PM CET. When expanding a few of those as an example, it is possible to see that a few were sent to an address that had not yet been associated with fraud or suspicious activities.

Zooming in closer to different dots allows us to directly view the cryptocurrency wallet address which has been used, in order to review where funds were directed and how much was sent. Each address is connected to a particular wallet provider or platform (with strong but not utmost certainty).

Expanding further, one of the addresses gives an immediate hit on another Binance address. (This address has already been flagged by the exchange as of 6:30 PM CET.)

It is visible that scammers used some of the addresses multiple times (they split the funds to different addresses and send them to a new address) and not all of the wallets have yet been flagged as fraud.

Investigations performed by compliance teams take time, as they are most likely performed by individuals who work for different exchange platforms or in different geographies, so sometimes funds can be transferred to an account before they are flagged as fraudulent. Red accounts have already been marked as fraudulent.

By the time this chart was recorded, the team behind Binance had most certainly taken the appropriate countermeasures and flagged a cryptocurrency wallet as a darknet wallet. Before this cryptocurrency wallet was flagged, unfortunately, a significant amount of funds had passed across it to other addresses.

The fraudsters didn't stop at one platform. Within hours, one of the cryptocurrency wallets in which funds had not been moved finally initiated a transfer. (It is the red dot at the bottom, which starts with Cpf.)

Following each transaction and the connected spiderweb of transfers between cryptocurrency addresses helps to spot a time period in which fraudsters will try to wash funds with a legitimate exchange. As stated below, fraudsters launched a transfer to MercadoBitcoin in Brazil as well as Bittrex.com already.
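The hop-by-hop following described above can be sketched in a few lines. This is an added example, not the output or code of any analytics product mentioned in the article; every address, label, flag and amount in it is constructed sample data, and the function name `trace` is hypothetical.

```python
from collections import deque

# Constructed sample data: (sender, receiver, amount in BTC). Not real addresses.
TRANSFERS = [
    ("seed", "w1", 6.0), ("seed", "w2", 4.0), ("seed", "w3", 2.0),
    ("w1", "w4", 3.5), ("w1", "ex_a_deposit", 2.5),
    ("w2", "w4", 4.0),
    ("w4", "ex_b_deposit", 5.0), ("w4", "w5", 2.5),
    ("w3", "w3b", 2.0),
    ("w5", "w1", 0.5),  # funds sent back to an earlier wallet (a cycle)
]
# Constructed attribution: address -> entity, as an analytics tool would supply it.
LABELS = {"ex_a_deposit": "ExchangeA", "ex_b_deposit": "ExchangeB"}
# Constructed set of addresses already marked as fraud.
FLAGGED = {"seed", "w1", "ex_a_deposit"}

def trace(seed, transfers, labels, flagged, max_hops=6):
    """Breadth-first follow of outgoing transfers, starting at the seed address.

    Tracing stops at labelled addresses, because funds inside an exchange
    cannot be followed on-chain. Returns (inflow per entity, hop distance per
    address, reached addresses that are not flagged yet).
    """
    outgoing = {}
    for src, dst, amount in transfers:
        outgoing.setdefault(src, []).append((dst, amount))
    hops = {seed: 0}
    queue = deque([seed])
    hits = {}
    while queue:
        addr = queue.popleft()
        if addr in labels or hops[addr] >= max_hops:
            continue
        for dst, amount in outgoing.get(addr, []):
            if dst in labels:
                # Upper bound: a hop wallet may also carry unrelated funds.
                hits[labels[dst]] = hits.get(labels[dst], 0.0) + amount
            if dst not in hops:  # visited check keeps cycles from looping
                hops[dst] = hops[addr] + 1
                queue.append(dst)
    unflagged = sorted(a for a in hops if a not in flagged)
    return hits, hops, unflagged

if __name__ == "__main__":
    hits, hops, unflagged = trace("seed", TRANSFERS, LABELS, FLAGGED)
    print("exchange inflow:", hits)
    print("not yet flagged:", unflagged)
```

The unflagged list is the part that matters in the race described earlier: it is the set of addresses a compliance team would still need to mark before the funds move again.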

The more paths are explored, the more exchanges are listed to which funds have been transferred. This time funds were sent to a suspicious cluster (in yellow) of entities (mainly tumblers and gambling companies, an easy way to launder money). Using the weakness of mostly national law enforcement agencies, fraudsters have approached many exchanges around the globe, like MercadoBitcoin (an exchange in Brazil). Furthermore, a Binance address to the left is now considered a darknet entity.

This review is just a snapshot of the current stage of transfers performed by the fraudsters as of the afternoon of July 17th. It does not display traces in full to avoid obstructing justice or investigations. Even though this was a Twitter hack and not a Bitcoin hack, the pseudo-anonymity of Bitcoin and the visibility of each transaction with tools like the wallet explorer prove that the crypto community is not helpless and learns more with each transaction the fraudsters perform. It is important to underline that it was not Bitcoin that got hacked, it was Twitter. Bitcoin was just the chosen means of payment.

Sven will release a collected investigation free of charge to anyone who can identify themselves as an investigator in the process.


The transaction investigation remains ongoing. For security reasons and so as not to interfere with investigations, this is just a teaser to provide insights into different tactics of criminal networks. The exchanges in question have the appropriate means to stay compliant and do their reporting accordingly. This is NOT an attempt to defame or point any fingers, and the statements are assumptions, not yet evidence. It remains a visualization of an investigation that affected many users and the account holders on Twitter.

For transparency purposes - The contributor of this post is a Head of Compliance in one of the leading Cryptocurrency Exchanges in the Nordics called Safello.

He serves as a board advisor to Valega Chain, whose team has launched an investigation to follow the stolen funds at his request. Statements about how blockchain analytics tools work are based on the example of Valega Chain Analytics and should not be generalized to other blockchain analytics tools, as all of them have their own criteria, tools, and internal processes.
