
Live BTC transactions in Twitter hack - aliabd
https://www.blockchain.com/btc/address/bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh?page=2
======
dang
The general thread about the hack is
[https://news.ycombinator.com/item?id=23851275](https://news.ycombinator.com/item?id=23851275).

Please discuss the general aspects there and the BTC aspects here.

------
seibelj
At Poloniex, we quickly blacklisted this address. Prevents all of our users
from sending money to them. Many exchanges likely can do the same thing.

~~~
mrtksn
While this is a good measure, what does it mean to the decentralization
promise of Bitcoin?

~~~
seibelj
People who use exchanges are traders (retail or professional) and hodlers who
don't want to deal with the intricacies of managing 100+ coins on 50+
blockchain networks. The decentralization of cryptocurrencies is not an all-
or-nothing proposition - users can choose the level of decentralization they
would like based on their preferences.

What I like most about decentralization is that anyone in the world can create
a new crypto business on the blockchain rails, integrate with everyone else,
and attract users. Of course there are real-world repercussions if your
physical entity is in a locale with laws that you violate, but it is orders of
magnitude easier to start a crypto exchange than a traditional bank.

~~~
cortesoft
Won't this end up like email, though? Sure, anyone can set up their own
business... however, 90% of people will be on a few large providers, and those
providers will end up blocking transactions coming from unknown new providers
(to prevent scams). Decentralization doesn't stop consolidation.

~~~
seibelj
It is much easier to set up your own cryptocurrency wallet than it is to set
up your own trusted email server. Your metaphor is similar but off by a large
amount. The major difference is that blockchain deals primarily with money, so
email spam (useless worthless messages) is inherently less worthy of sending
because doing so actually pays me, in addition to the fees you pay the
network.

~~~
jefftk
It used to be pretty easy to run your own email server, back when a lot of
people did it. If someone is worried about a future where most cryptocurrency
runs through a small number of providers, as email does today, I don't think
they should find your comparison heartening.

~~~
seibelj
I see what you are saying, I know SMTP fairly well, used to run my own server,
and looked fairly deeply at DKIM / SPF / DMARC. However I also know blockchain
protocols intimately, and I can say with certainty that the Bitcoin protocol
and SMTP are completely different (as well as Ethereum, Monero, Stellar,
Ripple, EOS, Tron, and on and on). It is just a completely different thing.

If you are worried about other wallets not accepting "my" wallet, as is the
typical problem with hosting your own email, you don't need to worry. Money is
money, if I receive it I receive it. It's just completely different from
receiving a text-based message like the wide-open and free SMTP is.

------
byteshock
They reposted it on the cash app account but with a different address. The
exchanges are going to have a field day monitoring twitter.

New address: bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l

Tweet:
[https://mobile.twitter.com/CashApp/status/128352200769559757...](https://mobile.twitter.com/CashApp/status/1283522007695597570)

~~~
ben174
So strange that twitter can't automatically filter these. The message format
is pretty consistent. Surely they could write something to at least put tweets
matching this pattern in a moderation queue.

~~~
maaarghk
Apparently all tweets containing seemingly random strings of characters are
blocked:
[https://twitter.com/NepalBlockchain/status/12835375822492180...](https://twitter.com/NepalBlockchain/status/1283537582249218048)

~~~
nexuist
How would you write a regex that does this? How do you determine whether a
string of characters is random?

~~~
Blackthorn
The classic way to do it is see how well it compresses, though that requires a
certain minimum length.
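
Added example, not code from this thread: instead of deciding whether a token is "random", a moderation filter can match the shape of a Bitcoin address and then verify its checksum, which separates a genuinely payable address from any other random-looking string. The compressibility heuristic from the comment above is included to show how noisy it is at tweet length. The sample tweets are constructed; the first contains the address discussed in this thread, the other tokens are made up.

```python
import hashlib
import re
import zlib

# Bech32 (BIP173) checksum for mainnet bc1q... addresses; the witness program is not inspected.
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

def bech32_polymod(values):
    gen = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= gen[i] if (top >> i) & 1 else 0
    return chk

def bech32_valid(addr):
    hrp, _, data = addr.lower().rpartition("1")
    if hrp != "bc" or len(data) < 6 or any(c not in BECH32_CHARSET for c in data):
        return False
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    return bech32_polymod(hrp_exp + [BECH32_CHARSET.index(c) for c in data]) == 1

# Base58Check for legacy 1.../3... addresses: 1 version + 20 hash + 4 checksum bytes.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def base58check_valid(addr):
    try:
        n = 0
        for c in addr:
            n = n * 58 + B58.index(c)   # ValueError on a non-base58 character
        raw = n.to_bytes(25, "big")     # OverflowError if it does not fit 25 bytes
    except (ValueError, OverflowError):
        return False
    return hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] == raw[21:]

ADDR_RE = re.compile(r"\b(bc1[a-z0-9]{25,87}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b")

def find_payable_addresses(text):
    """Address-shaped tokens whose checksum verifies; the regex is only the cheap first pass."""
    return [t for t in ADDR_RE.findall(text)
            if (bech32_valid(t) if t.startswith("bc1") else base58check_valid(t))]

def compression_ratio(s):
    """The compressibility heuristic from the thread; noisy below a few hundred bytes."""
    raw = s.encode()
    return len(zlib.compress(raw)) / len(raw)

# Constructed sample tweets; the first address is the one discussed in this thread.
SAMPLE_TWEETS = [
    "Giving back! Send BTC to bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh and get double back",
    "Shaped like an address but not payable: 1NotARea1AddressJustAShapeMatch777",
    "One typo and the checksum fails: bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlx",
]
```

A 42-character address and a 42-character English sentence compress about equally badly, so the ratio only starts to separate random from natural text on inputs far longer than a tweet.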

------
mikeyouse
Seems like it would have been more profitable to take a huge short position in
TSLA and hack Elon's Twitter to post something about an SEC investigation for
accounting fraud and that you'd need to restate multiple years' worth of
earnings.

~~~
spyder
Or they could have been doing something similar with cryptos without risking
SEC or requiring ID on exchanges: using the twitter accounts to announce
partnerships with one of the cryptocurrencies. Probably less gain than with
stocks but more than with this simple scam.

~~~
banterfoil
This would have been excellent. It's really shocking that the offenders had
the knowledge/power to get into the twitter account but didn't do something
like this.

------
1f60c
I wasn’t sure what I was looking at, until I googled the Bitcoin address
(bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh):

Several high-profile Twitter users, including Elon Musk, Bill Gates, and the
official Uber account appear to have been hacked, and all promoted that
address, saying any funds sent to it will be doubled.

~~~
Barrin92
Sounds more like Twitter itself has been compromised on their end at that
point.

~~~
Kye
It's much more likely a common social media marketing platform was
compromised.

~~~
Scoundreller
But then wouldn't these tweets say something other than "Twitter Web App" ?

~~~
bowmessage
Users of the middleware likely want to hide the fact that they're scheduling
their tweets, I would imagine the tool sets this value explicitly to have the
tweets appear more genuine. </postulating>

------
cbsks
It would be interesting if the scammers started sending back twice as many
bitcoins, as promised, from the same address. It could be a real-time ponzi
scheme!

~~~
Cthulhu_
That's how it's done in Eve Online, the money duplication scam is common
there.

How it works is that the scammer announces in an area (usually the trade hub
system Jita) that they're quitting and giving away all their money. They link
to a webpage that (they claim) shows all of their bank transactions, using
Eve's API.

You send them 100K just to try it out, they send you back 200K, both
transactions show up in the webpage. "Ha it works!", you say, sending them 1M,
they send you 2M back.

Until at any point, they stop sending you money back. Their outgoing
transaction shows up in the webpage, but ingame you never received anything.
When you message them they go "must be a bug, I sent the money because look at
my transaction log. Contact support, not my problem, the money left my
account"

You'd think it just doesn't work, why would anyone fall for that, but plenty
fall for it. Plenty of people try and outsmart them as well, making use of it
to earn some money. But as another commenter pointed out, it can be like a
game of roulette.

~~~
cvrjk
Nothing like being a n00b on Runescape and getting scammed out of your entire
bank by players "glow1:wave: Doubling Money" at the GE.

------
odomojuli
1JustReadALL1111111111111114ptkoK 0.00000666 BTC

1TransactionoutputsAsTexta13AtQyk 0.00000667 BTC

1YouTakeRiskWhenUseBitcoin11cGozM 0.00000668 BTC

1forYourTwitterGame111111112XNLpa 0.00000669 BTC

1BitcoinisTraceabLe1111111ZvyqNWW 0.00000670 BTC

1WhyNotMonero777777777777a14A99D8 0.00000671 BTC

bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh 0.00001337 BTC

Can anyone explain what happened in this block of transactions to me?

~~~
gjkhkldajghl
Maybe I'm missing something, but I'm assuming someone is critiquing the
scammer as foolish for using bitcoin instead of Monero because it is more
difficult to cash out, as bitcoin is less anonymous than Monero?

~~~
legopiece
Agreed. They are basically telling the scammer(s) to use a more anonymous &
untraceable crypto next time, as everyone will be following the coins in that
BTC wallet now, which makes it much more difficult to "launder".

I guess the choice of BTC by the scammer(s) was based on its much bigger
popularity relative to Monero (many people have a few satoshis somewhere, but
not many have some monero lying around).

------
puranjay
What kind of heat would the person or party that started this hack get? What
could be the expected consequences? Going after political figures, including
the former President of the US, should, I think, trigger a digital manhunt.

~~~
blisseyGo
This could also impact the stock market I think.

------
sleepybrett
Seems like they could have sold this hack for way more than this will make
them.

~~~
jdminhbg
Via Tyler Cowen [0]:

> If you've ever watched _Goldfinger_ , you have to wonder if the real ploy
> isn't somewhere else, such as auctioning off DMs, blackmail, etc., and the
> bitcoin thing just proof of concept.

0:
[https://twitter.com/tylercowen/status/1283518906041278468](https://twitter.com/tylercowen/status/1283518906041278468)

~~~
giarc
Motherboard is reporting some screenshots that apparently show some Twitter
admin panel that allowed these hackers to take control. Assuming this panel
has that kind of power, they potentially could see all DMs as well. However,
why expose yourself if you can get in and out of these accounts and collect
the info. I'm not sure I buy the diversion explanation.

~~~
jjulius
>However, why expose yourself if you can get in and out of these accounts and
collect the info. I'm not sure I buy the diversion explanation.

Perhaps they felt as though they already had everything they needed and didn't
mind ending their access? That would be weird, though, because I imagine long-
term, continued access to DMs would likely be more valuable than just cutting
out now.

------
odomojuli
Is it significant at all that this is happening on US Tax Day?

~~~
dividedbyzero
What is US Tax Day?

~~~
henryfjordan
The day taxes are due in the US (or you need to file for an extension). If you
don't file by today, you'll owe late fees.

Usually it's in April but this year it was delayed for Covid.

------
rvz
You can see the high profile Twitter accounts hacked here by searching the
address in Twitter with the verified filter:
bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh filter:verified

~~~
Scoundreller
Here's a link to make your life easier:

[https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...](https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh%20filter%3Averified&src=typed_query&f=live)

They'll all say "Twitter Web App" as the tweet source.

If you search through all accounts (i.e. also the unverified ones), you see
plenty that say Twitter for iPhone or Twitter for Android. Those are likely
trolls.

Those are here:
[https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...](https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh&src=typed_query&f=live)

~~~
rvz
Thanks, but they have now moved to another address and the hackers are at it
again:

Replace the old BTC address with this one:
bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l

------
strogonoff
This may be an unpopular opinion to voice here, but if we take a time-tested
construct X and remove physical proximity constraints restricting its scale,
we must hold the resulting technology to much, much higher standards than the
old X—because scale, along with potentially unbounded yet-unknown upsides,
brings potentially unbounded yet-unknown negative implications, and we should
be concerned about the latter more than the former.

~~~
thinkloop
What exactly are you referring to?

~~~
mumblemumble
I think the gist is, "Electronic payment platforms, including cryptocurrency,
need more built-in consumer protection than cash money does, because they're
much bigger pots of honey."

~~~
strogonoff
Thank you, yes, that’s one of the corollaries.

In general, we (humans) are not great at assessing the potential of
negative/positive effects beyond certain scale (black swans and all), and
analogies along the lines of “like X, but digital” are just too attractive.
Those analogies are dangerous, since the scale makes Y an entirely new thing
with effects that cannot be predicted based on its outside similarity to X.

This applies to many concepts including infosec (e.g., likening remotely
exploitable vulnerabilities to faulty door locks), cryptocurrency, mass media,
though when I was writing the above I mainly was specifically thinking about
cryptocurrency. It is misleadingly similar to “cash, but digital and not
backed by government”, but its scale makes it something we actually have
never had to deal with before, with unknown implications that go both ways.

Considering the potential effects can be unbounded, limiting it in order to
bound the downsides might be a rational (but both unpopular, boring and
ambiguous) thing to do, even if it also limits the upsides.

------
totorovirus
They hacked the twitter for 12 bitcoins?

~~~
shlant
yea there are a lot of people on twitter poking fun at the fact that there
were probably MUCH more lucrative things you could have done with that kind of
access. Seems like a quick smash and grab by some teenagers or something

~~~
pdr2020
Agreed.

------
throwaway888abc
Fascinating to see the transactions going up (refresh the page) every minute
as the scam propagates.

~~~
baal80spam
Someone just sent 4.5 BTC...

~~~
jolmg
At 13:47 PDT, there's a 60.4 BTC one[1]. That alone is half a million USD.

EDIT: Replies are right. Now I see that the majority of it went to the same
address as the source.

[1]
[https://www.blockchain.com/btc/tx/4df1391d936d3256ce84a867e1...](https://www.blockchain.com/btc/tx/4df1391d936d3256ce84a867e15b9ef529161bf6b8ef48a1a1a7ec062d9f3a12)

~~~
baal80spam
Wait, where do you see that? On the linked page, I can see the following:

Total Received: 11.39184745 BTC

edit: OK, either this is strange or I don't understand how it works.

~~~
oarsinsync
You’re fine. The GP doesn’t understand. Only 0.00291948 BTC was sent to the
hacker wallet. The remainder went to other wallets. The vast majority went
back to the person making the transaction (i.e. nowhere).

~~~
bobbyi_settv
What is the point of someone sending btc back to himself?

~~~
lawn
That's just how Bitcoin works.

Say you have 1 BTC on an address and you want to send 0.1 to someone, you
still need to send all of the money. So wallets "split" the 1 BTC into 0.1 and
0.9 outputs, sending the 0.9 to yourself to another address you control. It's
called a change address.

Modern wallets do this automatically, but it can be confusing to look at it on
a blockchain explorer.
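
Added example, not code from this thread, showing how to read a transaction the way lawn describes: sum only the outputs to the address you care about, not the transaction total, and treat an output that returns to an input address as change. The transaction below is constructed (addresses containing EXAMPLE are placeholders); its figures echo the 60.4 BTC transaction discussed above but it is not the real one.

```python
from decimal import Decimal

# Constructed transaction in block-explorer shape. The figures echo the thread's
# 60.4 BTC transaction (0.00291948 BTC to the scam address) but this is not the
# real tx; addresses containing EXAMPLE are placeholders.
SCAM_ADDR = "bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"
SENDER = "bc1qSENDER_EXAMPLE"
TX = {
    "inputs": [{"address": SENDER, "value": Decimal("60.40000000")}],
    "outputs": [
        {"address": SCAM_ADDR, "value": Decimal("0.00291948")},
        {"address": "bc1qOTHER_EXAMPLE", "value": Decimal("0.10000000")},
        {"address": SENDER, "value": Decimal("60.29698052")},  # change back to the sender
    ],
}


def summarize(tx):
    """Split a transaction into payments, change and fee.

    Change is recognised only when it returns to an address that also funded the
    transaction (address reuse, as in the thread's example). A wallet that sends
    change to a fresh address will show that output as a payment here.
    """
    in_addrs = {i["address"] for i in tx["inputs"]}
    total_in = sum(i["value"] for i in tx["inputs"])
    total_out = sum(o["value"] for o in tx["outputs"])
    paid, change = {}, Decimal(0)
    for o in tx["outputs"]:
        if o["address"] in in_addrs:
            change += o["value"]
        else:
            paid[o["address"]] = paid.get(o["address"], Decimal(0)) + o["value"]
    # inputs never equal outputs exactly: the gap is the miner fee
    return {"paid": paid, "change": change, "fee": total_in - total_out, "total_in": total_in}


def received_by(tx, addr):
    """What an address actually gained from the transaction: its outputs minus its inputs."""
    got = sum(o["value"] for o in tx["outputs"] if o["address"] == addr)
    gave = sum(i["value"] for i in tx["inputs"] if i["address"] == addr)
    return got - gave
```

On an explorer page the headline amount is total_in; the scam address's share is the single output paid to it.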

------
Tenoke
I'm guessing they'll end up with ~100-300k total after all is done and they
tumble, launder etc. the coins.

I am not sure how much that is for them but there are claims that the
'regular' version of that scam already nets millions a year.

~~~
aeternum
Better payout than the $2.9k for disclosing this to Twitter via bug bounty.

~~~
thephyber
Do you have any evidence this is a Twitter flaw and not a 3rd party app?

~~~
manquer
If the twitter security model allows third party apps access to verified high
profile accounts without auditing the security of that app it is still a flaw
in Twitter's processes.

Twitter after all has a lot higher risk than the 3rd party app, it is in their
interest to make sure partners dealing with high profile accounts or partners
handling a large volume of accounts are also secure.

------
dredmorbius
Numerous dupe submissions, primary discussion:
[https://news.ycombinator.com/item?id=23851275](https://news.ycombinator.com/item?id=23851275)

------
VWWHFSfQ
The hackers made more profit in 5 minutes than Twitter has in 10 years

~~~
gkoberger
That's not true. The hackers made about $100k (assuming everything in the
wallet is a real transaction from someone who was scammed), and Twitter's
revenue in 2019 was $3.46 billion. Twitter's been posting a profit since 2018.

~~~
phreeza
> Twitter's been posting a profit since 2018.

12 years after it was founded.

------
vs4vijay
If you take a look at some of the transactions, you will see some interesting
addresses like:

1JustReadALL1111111111111114ptkoK

1TransactionoutputsAsTexta13AtQyk

1YouTakeRiskWhenUseBitcoin11cGozM

1BitcoinisTraceabLe1111111ZvyqNWW

1WhyNotMonero777777777777a14A99D8

1forYourTwitterGame111111112XNLpa

Link:
[https://www.blockchain.com/btc/tx/67b814526ae6ee78a16059bfcf...](https://www.blockchain.com/btc/tx/67b814526ae6ee78a16059bfcfc06ed7768c92c58f3409367cb180627631ddbe)

------
21eleven
Hopefully most of this bitcoin is just the attacker sending their own funds to
make it look legitimate.

~~~
beervirus
How many people who would fall for this scam would also know how to look at
the blockchain data?

------
RcouF1uZ4gsC
This has to be the biggest advertising flop in history!

The hackers basically ran an advertisement on the most followed Twitter users
in the world, and had 374 conversions (based on the number of transactions as
of the time of this post).

------
1-6
Can Twitter put up a banner warning folks not to submit crypto???

~~~
blisseyGo
It's been at least 3 years and they still haven't made a fix for the spam
comments under Elon Musk's tweets promoting crypto scams from user accounts
named "Elon_Musk" or similar. This should be such an easy thing to block. Don't
even allow new user accounts with "Elon" and "Musk" in them unless verified. I
have been seeing this for over 3 years and no fix.

------
rcpt
+0.00001337 BTC

which one of us did that?

------
paulpauper
It is amazing, given how long twitter has been around, that such a powerful
exploit still existed, assuming it was not an insider job. It also shows that
bug bounties will not prevent the really bad stuff. The payoff from exploiting
such a huge bug is in the millions, which no bug bounty program will ever pay.

~~~
celticninja
This hack isn't going to generate millions for the attackers. But you're right
that it would still outweigh any bug bounty.

------
zacharycohn
This is the first thing I looked up when I heard about the attack.
Surprisingly few transactions given the scale.

------
StefanoC
ELI5: how will they get the money out of there without getting busted?

------
cryptozeus
Is the address also sending out money? It appears that way.

------
ve55
They do use a lot more addresses than just this one too

------
rbanffy
Phineas Barnum was right.

------
paulpauper
Looks like SMS porting... been 3 years now and still no one has a good fix for
this.

~~~
rodiger
...no, you aren't going to get access to all these high profile accounts at
the same time with sms porting. This is almost definitely internal.

~~~
paulpauper
I didn't realize the extent until now. Way more than just 4... more like 40+.

