Ron Ziegler is an Engagement Director with Treliant. He is an experienced global risk management executive with expertise in forensic investigations, Bank Secrecy Act/Anti-Money Laundering (BSA/AML), Office of Foreign Assets Control (OFAC) sanctions, employee conduct risk programs, internal audit, and derivatives/securities trading at global investment and commercial banks.
- Source: justice.gov
Treliant knows how to design, operationalize, and maintain cryptocurrency BSA/AML risk management programs. Treliant can help institutions of all types and sizes ensure that they meet the expectations of regulators and law enforcement when designing and operating sustainable compliance programs.
On July 15, 2020, multiple high-profile verified Twitter accounts (i.e. high-profile individuals, such as celebrities have “verified” their accounts by proving to Twitter that they are indeed the real person named on the account) were compromised, including accounts belonging to Bill Gates, Elon Musk, Kanye West, Joe Biden, Barack Obama, Jeff Bezos, Michael Bloomberg, Warren Buffett, Benjamin Netanyahu, and Kim Kardashian.
Accounts belonging to cryptocurrency exchanges (i.e. Binance, Gemini, Coinbase, Bitfinex, and AngeloBTC) were also compromised, as were prominent companies like Apple and Uber. Per a statement made by Twitter on July 16, 2020, approximately 130 Twitter user accounts were affected in the hack: “For a small subset of these accounts, the attackers were able to gain control of the accounts and then send Tweets from those accounts.”
According to numerous media reports and Twitter’s own statements, the malicious actor(s) gained access to the Twitter accounts by compromising a Twitter employee’s account. The actor(s) then used their access to the compromised Twitter accounts to post messages directing victims to send cryptocurrency to accounts with a specific bitcoin address. On some of the Twitter posts, the posts guided victims to a website hosted at the domain cryptoforhealth.com, which also provided the same specific bitcoin address. In all cases, the Twitter postings said that individuals who sent any bitcoin to the aforementioned address would receive double the bitcoin in return.
The fraud campaign was successful, coordinated Twitter messages were posted through the comprised celebrity and cryptocurrency exchange accounts which generated an appearance of legitimacy. Between July 15, 2020, when the hack of the verified Twitter accounts occurred, and July 16, 2020, the bitcoin wallet associated with the specific address that people were told to send Bitcoin to, had sent or received 426 transfers. Approximately 415 of those transfers consisted of transfers received from other bitcoin addresses into the specific account, totaling 12.86 bitcoin, worth $117,457 as of July 16, 2020. Eleven of those transfers were sent from the wallet associated with the specific address to other bitcoin addresses, siphoning off 99.74% of the bitcoin deposited, or 12.83 bitcoin, worth $117,183, leaving a remaining balance of $274.00 in the account. No bitcoin was returned to the victims.
The Department of Justice (DOJ) undertook an extensive investigation that utilized a variety of approaches to identify the malicious actors that carried out the Bitcoin Twitter scam. The forensic techniques included the following:
- Hack Analysis: The DOJ review the messages posted on the compromised Twitter accounts and subsequently confirmed with the rightful owners of the compromised Twitter accounts whether the messages were posted directly by them or malicious actors. In addition, the DOJ worked with Twitter to identify how the hackers accessed the verified accounts and obtain the specific bitcoin addresses which was posted in the messages;
- Website Analysis: A review of the website that directed individuals to send bitcoin in exchange for twice the amount of bitcoin deposited in return confirmed the specific bitcoin address matched that which was posted in the Twitter messages;
- Social Media Analysis: After sourcing details associated with the hackers, the DOJ undertook a review of their corresponding social media accounts and cryptocurrency accounts. This led to identifying usernames (i.e. Chaewon, ever so anxious#001, Kirk#5270 and Rolex#0373) on a messaging platform, Discord, believed to be at the center of the Twitter compromise;
- Chat Log Review: The DOJ reviewed chat logs on Discord between the usernames suspected to be at the center of the Twitter compromise. A chat between Kirk#5270 and ever so anxious#001 included the use of OGU which is believed to be a reference to the OGUsers forum, an online forum popular among people involved in the hijacking of online accounts.
- The detailed review of the OGUsers forum activity database for each of the usernames that were at the center of the Twitter compromise included IP address analysis;
- KYC Information Review: Cryptocurrency exchange records, including Know Your Customer (KYC) account opening information (e.g. government issued document provided at the time of account opening at the exchange) to confirm the ownership of the accounts; and
- Blockchain Clustering and Tracing Analysis: To be discussed in more detail below.
Blockchain Clustering and Tracing
While all the investigative techniques contributed to unearthing the malicious actors in this case, the most prominent involved the use of analyzing clusters of wallets and tracing bitcoin movements across the ledger. Before we describe the specifics of how clustering and tracing was analyzed, a quick introduction to bitcoin.
All bitcoin transactions are recorded on what is known as the blockchain. The blockchain is essentially a distributed public ledger that keeps track of all bitcoin transactions, incoming and outgoing, and updates approximately six times per hour. The blockchain records every bitcoin address that has ever received bitcoin and maintains records of every transaction and all the known balances for each bitcoin address. As a result, forensic analytical tools are able to be utilized to review the blockchain and analyze the bitcoin deposits and withdrawals to wallets and clusters. In this case, cluster analysis and blockchain tracing analysis allowed the DOJ to find the connections of bitcoin wallets and bitcoin transfers that would have seemingly appeared unrelated to each other.
A prominent cryptocurrency fraud typology, which formed the central theme in this case, to move bitcoins involved the use of multiple bitcoin wallets controlled by the same person. These individuals move bitcoin from one wallet to another in order to obfuscate its origin, the bitcoin transfers out of the origin bitcoin wallet to other addresses were intended to conceal the origin of the funds. To uncover the bitcoin Twitter scam activity, the investigation deployed a key forensic technique known as clustering analysis. In the context of cryptocurrencies, a cluster is a collection of bitcoin addresses that can be attributed to one person or entity and is an estimate of all of the bitcoin addresses, and its bitcoins, contained in a user’s bitcoin wallet or wallets.
The blockchain tracing analysis was utilized to review the bitcoin deposits and withdrawals associated with Chaewon (it was later learned that Chaewon, ever so anxious#001 and Mas were accounts alleged to be controlled by the same person) and Kirk#5270. The results would identify that Chaewon acted as a broker for Kirk#5270, sending criminally derived proceeds from the sale of Twitter accounts to Kirk#5270 for the exchange for compromised Twitter accounts:
- The Kirk#5270 wallet received several large deposits of bitcoin on July 15, 2020, totaling approximately 3.69 bitcoin (approximately $33,000 at the time of payment) from Chaewon wallet cluster. The timing and amounts of these deposits correspond with the timing of payment requests made by Kirk#5270 to ever so anxious#001 for stolen Twitter usernames.
- Chaewon had a wallet cluster and there were several Binance bitcoin exchange deposits and withdrawals. On July 15, 2020, the pattern of payment deposited and withdrawn from the Chaewon cluster showed that ever so anxious#001 used this bitcoin wallet cluster to broker bitcoin transfers between the buyers of various stolen Twitter usernames and Kirk#5270. During the relevant time frame on July 15, 2020, ever so anxious#001 received approximately 4.48 bitcoin (approximately $40,065 at the time of payment) in this wallet cluster and paid 3.69 bitcoin (approximately $33,000 at the time of payment) to Kirk#5270.
- U.S. based cryptocurrency exchange, Coinbase, provided transaction records for the Coinbase controlled wallets that paid into the Chaewon cluster. The records showed that Coinbase customers made several bitcoin payments that valued $250, which is the amount advertised by Chaewon for changing the emails associated with any Twitter account, to the wallet cluster.
The investigation also utilized a leaked database (i.e. OGUsers forum) made publicly available, from a hack, containing all of the user information (all public forum postings, private messages between users, IP addresses – date and timestamp, email addresses, and additional user information). The OGUsers forum has been known to be abused by criminal networks and in this context was the forum where Chaewon advertised he could change email address tied to any Twitter account for $250. However, Chaewon referred interested buyers to contact ever so anxious#001 on the Discord messaging platform. The chat log review revealed an initial transaction where ever so anxious#0001 purchased stolen Twitter username @anxious from Kirk#5270 by paying bitcoin to the Kirk#5270 address. After this initial transaction, ever so anxious#0001 brokered the purchase of additional stolen Twitter usernames for his contacts and via his advertisement on the OGUsers forum. In addition, the chat log review also revealed a number of chats where Rolex#0373 acted as a broker for Kirk#5270, and advertised the sale of compromised Twitter accounts for Kirk#5270 and procured buyers for Kirk#5270.
Additional blockchain tracing analysis was undertaking using the new information from the database leak. While there were more transactions identified between Chaewon, ever so anxious#001 and Kirk#5270, there was an IP address from the U.K. that connected to the account Chaewon and another user account, Mas. The account for Mas was tied to several email addresses. One of the email addresses was linked to an account at Coinbase. Coinbase’s Know Your Customer (KYC) procedures required the collection of a government issued identification document to open an account, as a result Coinbase had the U.K. driver’s license, address and date of birth of the person who controlled the account for Mas. The blockchain tracing analysis also found several bitcoin exchange deposits and withdrawals for Mas associated with Binance, a virtual currency exchange. The same KYC standards were employed at Binance and as a result the account information revealed the same driver’s license that was provided to Coinbase.
Firms operating in the cryptocurrency market have a unique opportunity to assist law enforcement in their effort to root out bad actors and reduce the risk of being unwittingly used to facilitate criminal activity. In particular, KYC procedures, transaction monitoring, and investigative procedures such as blockchain clustering and tracing are key processes that firms should ensure are well developed, implemented, and maintained. In addition, establishing strong relationships with law enforcement to share information relating to cryptocurrency activity enhances the probability of protecting the relevant cryptocurrency network from bad actors aiming to engage in fraud, money laundering, sanctions violations, and other forms of criminal conduct.