Chengdu Lianan: Review and analysis of the Twitter account Bitcoin fraud incident


1. Event Overview

- On July 15, 2020, Twitter suffered a large-scale attack in which a large number of accounts were compromised.

- The scam began when the attacker took over the account AngeloBTC of an employee working at BitMEX.

- At least 30 high-profile accounts were affected in the next 4 hours.

2. Analysis of fraud incidents

On Wednesday, July 15, 2020, this massive attack on Twitter targeted the accounts of many celebrities, large companies, and certain digital currency exchanges. Most of the accounts taken over by the attackers, including those of former US President Obama, celebrity Kim Kardashian, Bill Gates, and "Silicon Valley Iron Man" Elon Musk, were used to post BTC scam messages.

Twitter explained in a statement that the hackers gained access to internal systems by compromising the accounts of some Twitter employees, and then changed the e-mail addresses associated with more than 30 highly followed accounts.

But how did all this happen?

The first hijacked account was AngeloBTC, the account of a trader working for BitMEX. At 8:16 pm EST on July 15, 2020, the account posted a tweet inviting users to join a paid Telegram group he had created in order to obtain certain trading information. The tweet was quickly deleted, which suggests that it was not posted by the account's actual owner. Even though the tweet was deleted, the attacker could still deceive some people in a similar way.

Figure 1 (Source: Twitter)

Although the hacker did not post the Bitcoin address directly, he sent it by private message to people who wanted to join the paid group. By the time the attack was exposed, the address (1Ai52Uw6usjhpcDrwSmkUvjuqLpcznUuyF) had received a total of 7.4 BTC (about $67,654); the balance was emptied on July 17, 2020.

Figure 2 (Source: bitinfocharts)

The second message was posted an hour later from an account belonging to Binance, claiming that the company had partnered with the "CryptoForHealth" community to give back 5,000 BTC to community members.

Figure 3 (Source: Twitter)

The web address posted by the attackers linked to a second BTC address (bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh), which was also used in tweets posted from other compromised accounts over the following hour.

Figure 4 (Source: bitinfocharts)

Opening the URL http://cryptoforheal.com now, MetaMask warns that the website is a phishing site.

Figure 5

After dismissing the phishing warning, you can enter the website and see the detailed scam message.

Figure 6 (http://cryptoforhealth.com)

Later, Ripple's account tweeted that it was returning 2,000 XRP to a random address among those that sent over 1,000 XRP to its XRP address (rhYSX8qSpoU7Dwjh6vMSuACu8MBECn6bQR) for the Covid-19 fund.

Figure 7 (Source: Twitter)

After the Ripple account, the hackers shifted their targets from cryptocurrency-related accounts to mainstream celebrity accounts and large corporate accounts.

These included Elon Musk, the "Iron Man of Silicon Valley" with nearly 37 million followers, Bill Gates, Uber, Apple, and former US President Obama. The specific timeline is as follows:

Figure 8 (Data from Block Research)

Before Twitter took countermeasures, the last account to post fraudulent messages belonged to Kim Kardashian, and it posted the third BTC address (bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l). Its inflows and outflows are as follows:

Figure 9 (Source: bitinfocharts)

Although the hacker used three different addresses, analysis of the on-chain transaction data shows that the attack was carefully planned by the same hacker (or the same hacker group).

3. Some safety suggestions

For individual cryptocurrency holders, Chengdu Lian'an recommends never believing promises of doubled returns. Instead, remember that "when you stare into the abyss, the abyss also stares into you." If you want to profit from investment, choose a stable channel; for "windfalls" that seem to fall from the sky, calmly analyze the information behind them. Strengthen your awareness of asset fraud to avoid losing your property.

For companies, Chengdu Lian'an recommends strengthening risk control and public-opinion monitoring in the management of media accounts, together with security awareness training for staff, to avoid the adverse effects and reputational damage caused by oversights.
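One concrete form of the "public-opinion monitoring" recommended above is a filter over a company's own outgoing posts (or mentions of its brand) that flags the giveaway-scam pattern seen throughout this incident: a payment address plus a promise to send back double, often with time pressure. The following is an added example written for this article, not code from Chengdu Lian'an or from Twitter. The sample posts are constructed; the two well-formed addresses in them are public, well-known example addresses (the genesis-block address and the BIP173 bech32 test vector) rather than the addresses from the incident, and the third is the genesis address with its last character altered so that its checksum fails. Checksum verification matters because a token that merely looks like an address cannot receive funds and should rank below one that can.

```python
import hashlib
import re

# Constructed sample posts (not real tweets). See the lead-in for where the
# addresses come from; none of them are the incident's addresses.
SAMPLE_POSTS = [
    "I am giving back to my community. All Bitcoin sent to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa "
    "will be sent back doubled! Only doing this for the next 30 minutes.",
    "Bitcoin closed the week flat; on-chain volume was unremarkable.",
    "Send 0.1 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb and we double it!",
    "Relief fund: bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4 - every payment is matched 2x, next 60 minutes only.",
]

# Legacy/P2SH (base58) and bech32 (bc1...) address shapes.
ADDR_RE = re.compile(r"\b(bc1[02-9ac-hj-np-z]{25,87}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b")
DOUBLING_RE = re.compile(r"\b(doubled?|double it|2x|twice as much|sent back)\b", re.I)
URGENCY_RE = re.compile(r"\b(next|only) \d+ (minutes|hours)\b", re.I)

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def b58check_ok(addr):
    """Base58Check: the last 4 bytes must equal SHA256d of the 21-byte payload."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    try:
        raw = n.to_bytes(25, "big")  # version + 20-byte hash + 4-byte checksum
    except OverflowError:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]


def _bech32_polymod(values):
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_ok(addr):
    """BIP173 bech32 checksum for witness v0 addresses: polymod must equal 1."""
    addr = addr.lower()
    sep = addr.rfind("1")
    if sep < 1 or sep + 7 > len(addr) or len(addr) > 90:
        return False
    hrp, data = addr[:sep], addr[sep + 1:]
    if any(c not in BECH32 for c in data):
        return False
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    return _bech32_polymod(expanded + [BECH32.find(c) for c in data]) == 1


def extract_addresses(text):
    """All address-like tokens in text, paired with whether their checksum verifies."""
    found = []
    for m in ADDR_RE.finditer(text):
        tok = m.group(0)
        ok = bech32_ok(tok) if tok.lower().startswith("bc1") else b58check_ok(tok)
        found.append((tok, ok))
    return found


def assess_post(text, threshold=3):
    """Score a post for 'send coins, get double back' giveaway-scam traits."""
    addrs = extract_addresses(text)
    score, reasons = 0, []
    if any(ok for _, ok in addrs):
        score += 2
        reasons.append("valid payment address")
    elif addrs:
        reasons.append("malformed address (cannot receive funds)")
    if DOUBLING_RE.search(text):
        score += 2
        reasons.append("doubling promise")
    if URGENCY_RE.search(text):
        score += 1
        reasons.append("time pressure")
    return {"score": score, "flag": score >= threshold, "addresses": addrs, "reasons": reasons}


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        r = assess_post(post)
        print(("FLAG " if r["flag"] else "ok   ") + f"score={r['score']} {r['reasons']}")
```

Wired into a brand-monitoring feed, a flagged post from one of the company's own accounts is a strong signal that the account has been taken over and should trigger an immediate session revocation and password reset; the scoring weights and phrase lists here are assumptions for the example and would be tuned against the company's real post history.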
