[HN Gopher] Live BTC transactions in Twitter hack
___________________________________________________________________
Author : aliabd
Score : 154 points
Date : 2020-07-15 20:48 UTC (2 hours ago)
web link (www.blockchain.com)
| cbsks wrote:
| It would be interesting if the scammers started sending back twice as many bitcoins, as promised, from the same address. It could be a real-time Ponzi scheme!
| dredds wrote:
| In that scenario 10% per month would be a sufficient inducement and likely more believable given the volatility.
| rcpt wrote:
| +0.00001337 BTC
|
| which one of us did that?
| odomojuli wrote:
| 1JustReadALL1111111111111114ptkoK 0.00000666 BTC
| 1TransactionoutputsAsTexta13AtQyk 0.00000667 BTC
| 1YouTakeRiskWhenUseBitcoin11cGozM 0.00000668 BTC
| 1forYourTwitterGame111111112XNLpa 0.00000669 BTC
| 1BitcoinisTraceabLe1111111ZvyqNWW 0.00000670 BTC
| 1WhyNotMonero777777777777a14A99D8 0.00000671 BTC
| bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh 0.00001337 BTC
|
| Can anyone explain what happened in this block of transactions to me?
| uncoder0 wrote:
| Someone is trying to communicate with the hacker using invalid addresses.
| rubatuga wrote:
| You can send BTC to any address you want
| gjkhkldajghl wrote:
| Maybe I'm missing something, but I'm assuming someone is critiquing the scammer as foolish for using bitcoin instead of Monero because it is more difficult to cash out, as bitcoin is less anonymous than Monero?
| drexlspivey wrote:
| These are bitcoin eater addresses (essentially receive-only addresses); you can create addresses like these if you bruteforce the checksum bytes, however you don't have the private key for them. I think the more famous one is 1BitcoinEaterAddressDontSendf59kuE
| vince14 wrote:
| https://blockchair.com/bitcoin/transaction/54215bf9b24db3dbf...
|
| How did you find that so quick?
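Why the chosen-text addresses above pass as valid, as an added Python example that is not code from the thread: Base58Check validation only proves that the 4-byte checksum matches the 21-byte payload (version byte plus 20-byte hash), so an address whose hash was picked for its readable spelling is as well-formed as one derived from a key, yet no private key exists for it. The round-trip payload is constructed; the demo address is the one drexlspivey quotes.

```python
import hashlib

# Bitcoin's Base58 alphabet: no 0, O, I or l, so addresses survive transcription.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Base58 string -> bytes; each leading '1' stands for a leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)      # ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + digits


def checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first four bytes of SHA256(SHA256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(payload: bytes) -> str:
    """payload = 1 version byte + 20-byte hash; the checksum is appended."""
    return b58encode(payload + checksum(payload))


def is_valid_legacy_address(addr: str) -> bool:
    """True for a well-formed P2PKH (version 0x00) or P2SH (0x05) address.
    This checks the checksum only: it cannot tell whether the 20-byte hash
    inside was derived from a real key or chosen as readable text."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    return checksum(raw[:21]) == raw[21:]


if __name__ == "__main__":
    # The eater address quoted in the thread, then the same text with its
    # last character changed: a one-character edit breaks the checksum.
    for a in ("1BitcoinEaterAddressDontSendf59kuE",
              "1BitcoinEaterAddressDontSendf59kuF"):
        print(a, is_valid_legacy_address(a))
```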
| seibelj wrote:
| At Poloniex, we quickly blacklisted this address. Prevents all of our users from sending money to them. Many exchanges likely can do the same thing.
| arcticbull wrote:
| That doesn't sound very decentralized and trustless. If I want to get scammed in this brave new world, shouldn't I be allowed to? Maybe I want to fund the Nigerian Prince's get-out-of-jail efforts.
| dmix wrote:
| That's what Bitcoin exchanges in Russia are for.
| paulpauper wrote:
| like trying to stop a steam roller with a mattress
|
| obv the hackers will likely use multiple addresses
| smsm42 wrote:
| The weak link here is: to run a successful scam, you need to publicize the incoming address widely. That allows exchanges to block it. If you keep the address in secret, you can't get the gullible masses to fall for it.
| paulpauper wrote:
| multiple addresses, mixing, etc. there are tons of ways to evade exchange restrictions.
| jdminhbg wrote:
| The most recent Elon Musk tweet (2:38 pm PDT; I cannot believe Twitter hasn't locked this down yet) used the same address.
| paulpauper wrote:
| i saw another one 2 minutes ago. remarkable twitter has not fixed it yet.
| blisseyGo wrote:
| I read somewhere that they hacked it multiple times. The first tweet got taken down and then it got posted again.
| Wingman4l7 wrote:
| Coinbase apparently did also: https://news.ycombinator.com/item?id=23852054
|
| I'm betting Gemini also blacklisted that BTC address, especially considering that they were in the first wave of fake tweets.
|
| Really wondering now just how much BTC the attacker effectively left on the table by reusing a single wallet address, especially considering that lots of people who deal in crypto use just a handful of exchanges to send it. Would be pretty difficult to quantify, though.
| mrtksn wrote:
| While this is a good measure, what does it mean to the decentralization promise of Bitcoin?
| lostmsu wrote:
| In this case you could just create a separate wallet and send BTC through it. Sounds like Poloniex does its job better than your own wallet here.
| baby wrote:
| It means that to block these funds every single recipient must block the address.
| mlindner wrote:
| Just because you can stuff dollars under your bedsheets doesn't mean you can't also use a bank.
| drexlspivey wrote:
| It means don't keep your money at exchanges if you want to control them
| celticninja wrote:
| Also protects the stupid. You can still send this address BTC. You just need to withdraw it to your own wallet first. Which buys the user time in which to discover it's a scam
| seibelj wrote:
| People who use exchanges are traders (retail or professional) and hodlers who don't want to deal with the intricacies of managing 100+ coins on 50+ blockchain networks. The decentralization of cryptocurrencies is not an all-or-nothing proposition - users can choose the level of decentralization they would like based on their preferences.
|
| What I like most about decentralization is that anyone in the world can create a new crypto business on the blockchain rails, integrate with everyone else, and attract users. Of course there are real-world repercussions if your physical entity is in a locale with laws that you violate, but it is orders of magnitude easier to start a crypto exchange than a traditional bank.
| cortesoft wrote:
| Won't this end up like email, though? Sure, anyone can set up their own business... however, 90% of people will be on a few large providers, and those providers will end up blocking transactions coming from unknown new providers (to prevent scams). Decentralization doesn't stop consolidation.
| Sebb767 wrote:
| Sure, but even with E-Mail there are a lot of smaller service providers.
| It's not _ideal_, yes, but the situation is at least a tad better and one failing company will not destroy the whole ecosystem.
| seibelj wrote:
| It is much easier to set up your own cryptocurrency wallet than it is to set up your own trusted email server. Your metaphor is similar but off by a large amount. The major difference is that blockchain deals primarily with money, so email spam (useless worthless messages) is inherently less worthy of sending because doing so actually pays me, in addition to the fees you pay the network.
| H8crilA wrote:
| Kinda similar to like under a gold standard you don't actually pay with gold. You can, but most people just use centralised "wrappers" around gold in the form of bank notes.
| WA wrote:
| So much for "Bitcoin is anonymous, decentralized and nobody controls it".
| mlindner wrote:
| Bitcoin has never been anonymous, only pseudonymous.
| Tenoke wrote:
| It is - all the exchanges in the world can't stop you from making the transaction if you want to.
| rvz wrote:
| You can see the high profile Twitter accounts hacked here by searching the address in Twitter with the verified filter: bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh filter:verified
| Scoundreller wrote:
| Here's a link to make your life easier:
|
| https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
|
| They'll all say "Twitter Web App" as the tweet source.
|
| If you search through all accounts (ie: also the unverified ones), you see plenty that say Twitter for iPhone or Twitter for Android. Those are likely trolls.
|
| Those are here: https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
| rvz wrote:
| Thanks, but they have now moved to another address and the hackers are at it again:
|
| Replace the old BTC address with this one: bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l
| 21eleven wrote:
| Hopefully most of this bitcoin is just the attacker sending their own funds to make it look legitimate.
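21eleven's point, and the 60.4 BTC transaction discussed further down the thread where only 0.00291948 BTC went to the scam address and the rest returned to the sender as change, as an added Python example (not code from the thread): it splits each transaction's outputs into payment, change, other payees and fee, and reports inflow to the watched addresses both gross (what an explorer's "Total Received" shows) and net of transfers the watched addresses funded themselves. Amounts and the 1Constructed... addresses are placeholders; the two bc1q addresses are the ones posted in the thread.

```python
from dataclasses import dataclass

# Addresses the hijacked tweets asked victims to pay (both quoted in the thread).
SCAM_ADDRESSES = {
    "bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh",
    "bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l",
}


@dataclass
class Tx:
    """Simplified transaction, amounts in satoshi; inputs pre-resolved to addresses."""
    txid: str
    inputs: dict    # spending address -> satoshi consumed
    outputs: dict   # receiving address -> satoshi paid


def classify(tx, watched):
    """Split outputs into payment to watched addresses, change, other payees, fee."""
    senders = set(tx.inputs)
    to_watched = sum(v for a, v in tx.outputs.items() if a in watched)
    change = sum(v for a, v in tx.outputs.items() if a in senders and a not in watched)
    other = sum(v for a, v in tx.outputs.items() if a not in watched and a not in senders)
    fee = sum(tx.inputs.values()) - sum(tx.outputs.values())
    return {"txid": tx.txid, "to_watched": to_watched, "change": change, "other": other,
            "fee": fee,
            # the watched addresses spending to themselves inflates "Total Received"
            "self_funded": bool(senders & watched)}


def inflow(txs, watched=SCAM_ADDRESSES):
    """(gross, net) satoshi paid to watched addresses: gross is the explorer's
    'Total Received'; net drops transactions the watched addresses funded."""
    gross = net = 0
    for tx in txs:
        c = classify(tx, watched)
        gross += c["to_watched"]
        if not c["self_funded"]:
            net += c["to_watched"]
    return gross, net


def btc(sat):
    return f"{sat / 1e8:.8f} BTC"


# Constructed sample (placeholders, not real transactions): tx-A mirrors the 60.4 BTC
# transaction in the thread (0.00291948 BTC to the scam address, the rest change);
# tx-B is a victim paying 0.1 BTC; tx-C is the scammer moving their own coins.
SAMPLE_TXS = [
    Tx("tx-A", {"1ConstructedSenderA": 6_040_000_000},
       {"bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh": 291_948,
        "1ConstructedSenderA": 6_039_690_000}),
    Tx("tx-B", {"1ConstructedVictimB": 10_500_000},
       {"bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l": 10_000_000,
        "1ConstructedVictimB": 490_000}),
    Tx("tx-C", {"bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh": 450_000_000},
       {"bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l": 449_990_000}),
]

if __name__ == "__main__":
    for tx in SAMPLE_TXS:
        c = classify(tx, SCAM_ADDRESSES)
        print(c["txid"], "to scam:", btc(c["to_watched"]), "change:", btc(c["change"]),
              "fee:", btc(c["fee"]), "self-funded:", c["self_funded"])
    print("gross/net:", btc(inflow(SAMPLE_TXS)[0]), btc(inflow(SAMPLE_TXS)[1]))
```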
| beervirus wrote:
| How many people who would fall for this scam would also know how to look at the blockchain data?
| paulpauper wrote:
| it is amazing given how long twitter has been around that such a powerful exploit still existed, assuming it was not an insider job. It also shows that bug bounties will not prevent the really bad stuff. The payoff from exploiting such a huge bug is in the millions, which no bug bounty program will ever pay.
| celticninja wrote:
| This hack isn't going to generate millions for the attackers. But you're right that it will still outweigh any bug bounty
| Tenoke wrote:
| I'm guessing they'll end up with ~100-300k total after all is done and they tumble, launder etc. the coins.
|
| I am not sure how much that is for them but there are claims that the 'regular' version of that scam already nets millions a year.
| aeternum wrote:
| Better payout than the $2.9k for disclosing this to Twitter via bug bounty.
| thephyber wrote:
| Do you have any evidence this is a Twitter flaw and not a 3rd party app?
| lytedev wrote:
| OP's point holds. A third party likely has a less-rewarding bug bounty, doesn't it?
| manquer wrote:
| If the twitter security model allows third party apps access to verified high profile accounts without auditing the security of that app it is still a flaw in Twitter's processes.
|
| Twitter after all has a lot higher risk than the 3rd party app, it is in their interest to make sure partners dealing with high profile accounts or partners handling a large volume of accounts are also secure.
| 1-6 wrote:
| Can Twitter put up a banner warning folks not to submit crypto???
| blisseyGo wrote:
| It's been at least 3 years and they still haven't made a fix for the spam comments under Elon Musk's tweets for crypto scams from user account names of "Elon_Musk" or others. This should be such an easy way to block.
| Don't even allow new user accounts with "Elon" and "Musk" in it unless verified. I have been seeing this for over 3 years and no fix.
| Nextgrid wrote:
| Crypto scams that are trivial to block have been going on for years. There is no reason to believe Shitter cares about the well-being of their users, and frankly they were right because people kept using this rotten platform despite that.
|
| Maybe _now_ things will change.
| dredmorbius wrote:
| Numerous dupe submissions, primary discussion: https://news.ycombinator.com/item?id=23851275
| mikeyouse wrote:
| Seems like it would have been more profitable to take a huge short position in TSLA and hack Elon's Twitter to post something about a SEC investigation for accounting fraud and that you'd need to restate multiple years' worth of earnings.
| paulpauper wrote:
| yeah and then the SEC freezes your account and you go to jail and get $0
| spyder wrote:
| Or they could have been doing something similar with cryptos without risking SEC or requiring ID on exchanges: using the twitter accounts to announce partnerships with one of the cryptocurrencies. Probably less gain than with stocks but more than with this simple scam.
| ealexhudson wrote:
| More profitable but more likely to be caught.
| mikeyouse wrote:
| Probably true - though there's already a ton of short interest in the company. Seems like you could take a few million in profits and still blend in fairly seamlessly.
| puranjay wrote:
| The stock market is way more regulated and you'd be caught
| ve55 wrote:
| They do use a lot more addresses than just this one too
| throwaway888abc wrote:
| Fascinating to see the transactions going up (refresh the page) every minute as the scam propagates
| baal80spam wrote:
| Someone just sent 4.5 BTC...
| jolmg wrote:
| At 13:47 PDT, there's a 60.4 BTC one[1]. That alone is half a million USD.
|
| EDIT: Replies are right.
| Now I see that the majority of it went to the same address as the source.
|
| [1] https://www.blockchain.com/btc/tx/4df1391d936d3256ce84a867e1...
| dnprock wrote:
| In this transaction, there's only 0.00291948 BTC sent to the scamming address: bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh.
|
| It's time to learn more about Bitcoin. :)
| baal80spam wrote:
| Wait, where do you see that? On the linked page, I can see the following:
|
| Total Received: 11.39184745 BTC
|
| edit: OK, either this is strange or I don't understand how it works.
| jolmg wrote:
| Yeah, I also don't understand how one can have multiple destination addresses in a single transaction.
| oarsinsync wrote:
| As a sender, you have a coin of amount X, and you split it up and send it wherever you like
|
| If your coin is 1 and you want to send one person 0.2 and another person 0.3, you can do that as a single transaction to three destinations, one with 0.2, another with 0.3 (to the people you're sending to) and a final one with 0.5 back to one of your own addresses (aka a change wallet)
| oarsinsync wrote:
| You're fine. The GP doesn't understand. Only 0.00291948 BTC was sent to the hacker wallet. The remainder went to other wallets. The vast majority went back to the person making the transaction (IE nowhere)
| puranjay wrote:
| What kind of heat would the person or party that started this hack get? What could be the expected consequences? Going after political figures, including the former President of the US, should, I think, trigger a digital man hunt.
| blisseyGo wrote:
| This could also impact the stock market I think.
| ex3ndr wrote:
| It actually looks like all targets are enemies of current POTUS
| bayesbot wrote:
| not Kanye
| wh-uws wrote:
| Elon Musk is not.
| paulpauper wrote:
| this is motivated by profit. nothing political.
| potus being hacked would escalate to national security threat and possibly force twitter to shutdown by decree. which the hacker is smart enough to know not to tread
| monokh wrote:
| I really didn't imagine a purely financially motivated hack could be turned into politics. I guess I underestimate the levels of innovation.
| ex3ndr wrote:
| Current administration is purely financially motivated though
| odomojuli wrote:
| Is it significant at all that this is happening on US Tax Day?
| paulpauper wrote:
| looks like sms porting..been 3 years now and still no one has a good fix for this
| rodiger wrote:
| ...no, you aren't going to get access to all these high profile accounts at the same time with sms porting. This is almost definitely internal.
| paulpauper wrote:
| i didn't realize the extent until now. Way more than just 4 ..more like 40+
| dang wrote:
| The general thread about the hack is https://news.ycombinator.com/item?id=23851275.
|
| Please discuss the general aspects there and the BTC aspects here.
| sleepybrett wrote:
| Seems like they could have sold this hack for way more than this will make them.
| logicslave wrote:
| It's almost suspicious how poorly this turned out for them. I suspect there's more going on than this
| rcpt wrote:
| It's such a dumb way to make money with this kind of power that I'm more likely to believe that Elon really is sending back 2x BTC
| manquer wrote:
| It is perhaps a proof of ability, burning a zero day might be worth it, if you have others you can sell, also if the zero day was one time use or likely getting closed soon, the value might be not as high as it may look.
| jdminhbg wrote:
| Via Tyler Cowen [0]:
|
| > If you've ever watched _Goldfinger_, you have to wonder if the real ploy isn't somewhere else, such as auctioning off DMs, blackmail, etc., and the bitcoin thing just proof of concept.
|
| 0: https://twitter.com/tylercowen/status/1283518906041278468
| 1f60c wrote:
| I wasn't sure what I was looking at, until I googled the Bitcoin address (bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh):
|
| Several high-profile Twitter users, including Elon Musk, Bill Gates, and the official Uber account appear to have been hacked, and all promoted that address, saying any funds sent to it will be doubled.
| gruez wrote:
| >Several high-profile Twitter users, including Elon Musk, Bill Gates, and the official Uber account appear to have been hacked, and all promoted that address, saying any funds sent to it will be doubled.
|
| speculation time: How did those accounts get hacked? Did they all get spearphished? Did twitter get compromised?
| o-__-o wrote:
| Or was it a marketing platform that was owned? I worked for one a few years back and they used the same fb key for all of their 500 musicians they represented. One day facebook enforced key rotation and a bunch of fan sites went dark. Imagine if someone got access to our codebase, this same type of nefarious action would have happened
|
| The curtain has been pulled back for some. Their favorite tweeters aren't actually tweeting themselves
|
| Edit: I also wonder if it's an elaborate money laundering scheme. Mix coins with deniability. Combine with the Epstein drama, maybe there's more to what meets the eye. Either way it's popcorn time
| milofeynman wrote:
| It's got to be a 3rd party authed w/ the Twitter account, I'd guess.
| Barrin92 wrote:
| Sounds more like Twitter itself has been compromised on their end at that point.
| Kye wrote:
| It's much more likely a common social media marketing platform was compromised.
| lkbm wrote:
| It's a wide enough range of accounts that it's most likely an internal admin panel.
|
| Special protected accounts (e.g., Trump's) seem unaffected, whereas hundreds (thousands?)
| of "regular" accounts, high profile and small, are compromised.
| Kye wrote:
| A lot happened in the 32 minutes since I posted that.
| Scoundreller wrote:
| But then wouldn't these tweets say something other than "Twitter Web App"?
| bowmessage wrote:
| Users of the middleware likely want to hide the fact that they're scheduling their tweets, I would imagine the tool sets this value explicitly to have the tweets appear more genuine. </postulating>
| PeterisP wrote:
| It seems a total account takeover, not just the ability to send tweets in their name - the email addresses have been reset, see https://twitter.com/sniko_/status/1283485972286656517
| paulpauper wrote:
| tons of accounts hacked. like every single high profile account hacked. either inside job or major exploit
| paulpauper wrote:
| and to think you could have just bought those bitcoin for like $2000 in 2016 without all the work of having to hack
|
| Bill gates and Bezos not showing up on twitter search. Twitter ghosting some of the affected accounts
| byteshock wrote:
| They reposted it on the cash app account but with a different address. The exchanges are going to have a field day monitoring twitter.
|
| New address: bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l
|
| Tweet: https://mobile.twitter.com/CashApp/status/128352200769559757...
| ben174 wrote:
| So strange that twitter can't automatically filter these. The message format is pretty consistent. Surely they could write something to at least put tweets matching this pattern in a moderation queue.
| ageitgey wrote:
| They are blocking tweets with that address now. I'm guessing that they still have no idea what the root cause is.
| byteshock wrote:
| Somebody is getting fired today...
|
| Edit: I was only making a joke, relax. Most likely it's not a single person's mistake. It's just something you say when shit hits the fan.
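The moderation-queue idea ben174 raises, and the address reuse across accounts that let exchanges and Twitter block the first address, as an added Python example (not Twitter's code): it screens tweets for a Bitcoin address plus giveaway phrasing, hard-blocks known campaign addresses, queues the rest of the pattern for review, and flags any address posted by several distinct accounts. The sample tweets are constructed; the watchlist holds the two addresses quoted in the thread.

```python
import re
from collections import defaultdict

# Addresses posted in the hijacked tweets (both quoted in the thread).
WATCHLIST = {
    "bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh",
    "bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l",
}

# Legacy Base58 (1.../3...) and bech32 (bc1...) address shapes.
ADDRESS_RE = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
# Phrasing of the "send X, get 2X back" giveaway pattern.
DOUBLING_RE = re.compile(
    r"\b(?:double[ds]?|doubling|send(?:ing)? (?:it )?back|giv(?:e|ing) back|2x)\b", re.I)


def find_addresses(text):
    return ADDRESS_RE.findall(text)


def screen_tweet(tweet, watchlist=WATCHLIST):
    """'block' for a known campaign address, 'queue' (human review) for the
    giveaway phrasing plus any address, otherwise 'allow'."""
    addrs = find_addresses(tweet["text"])
    if any(a in watchlist for a in addrs):
        return "block"
    if addrs and DOUBLING_RE.search(tweet["text"]):
        return "queue"
    return "allow"


def campaign_addresses(tweets, min_authors=3):
    """Addresses posted by at least min_authors distinct accounts: the reuse
    across accounts that made the first address easy to blacklist."""
    authors = defaultdict(set)
    for t in tweets:
        for a in find_addresses(t["text"]):
            authors[a].add(t["author"])
    return {a for a, s in authors.items() if len(s) >= min_authors}


# Constructed sample tweets and account names; not real tweet text.
SAMPLE_TWEETS = [
    {"author": "exec_a", "text": "I am giving back to my community. All Bitcoin sent "
     "to the address below will be sent back doubled! bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"},
    {"author": "exec_b", "text": "Feeling generous. Send BTC to "
     "bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh and I double it."},
    {"author": "company_c", "text": "Only for 30 minutes: bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"},
    {"author": "copycat", "text": "Send 0.1 BTC and I send back 0.2 BTC: "
     "bc1qexampleaddress4newscam0000000000000000"},   # constructed, not on the watchlist
    {"author": "someone", "text": "Lunch was great, no bitcoin involved."},
]

if __name__ == "__main__":
    for t in SAMPLE_TWEETS:
        print(t["author"], "->", screen_tweet(t))
    print("campaign addresses:", campaign_addresses(SAMPLE_TWEETS))
```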
| floatingatoll wrote:
| Promoting, praising, or otherwise endorsing the kind of reaction you state is inexcusable in IT Operations. Your unstated assumptions-by-framing are:
|
| 1) A single person is responsible for the flaw.
|
| 2) A single person is either already under performance review or committed gross neglect of duties.
|
| 3) The above single person will be terminated rather than retrained.
|
| If this is how you would speak about your own employees during a security incident, your business deserves to fail.
|
| If this is how you expect to be treated by your employer during a security incident, you should seek employment elsewhere.
| kgraves wrote:
| jeez, they said it's just a joke...
| floatingatoll wrote:
| They used the edit function to walk back their comment as a 'joke' _after_ my post was submitted, and managed to make things worse in the process.
|
| Would you joke about firing someone for a mistake during an interview? I would consider that a dealbreaker if I were interviewing someone, as in "this interview is over, go home".
|
| Do you consider HN an appropriate forum for pithy one-liner jokes that do not contribute to the discussion? Reconsider.
| VectorLock wrote:
| So saying one person should be fired is not okay, but saying a whole business should be fired is okay?
| secondcoming wrote:
| Calm down
| ahelwer wrote:
| Unlikely. That isn't how hacks or outages are punished in large software service orgs, unless it was intentional or due to negligence like disabling a failing test to get something shipped to prod.
| mc32 wrote:
| I'd be curious to find out which one of the accounts proved to be the better "sales lead"
| VectorLock wrote:
| They should have used unique wallets for each tweet and A/B tested the gullibility of the victim's audience.
|
| Would have made them more difficult to track and shut down as well.
| More hallmarks that this wasn't probably something they lucked into, rather than some sophisticated attack.
___________________________________________________________________
(page generated 2020-07-15 23:00 UTC)