[HN Gopher] Live BTC transactions in Twitter hack
       ___________________________________________________________________
        
       Live BTC transactions in Twitter hack
        
       Author : aliabd
       Score  : 154 points
       Date   : 2020-07-15 20:48 UTC (2 hours ago)
        
 (HTM) web link (www.blockchain.com)
 (TXT) w3m dump (www.blockchain.com)
        
       | cbsks wrote:
       | It would be interesting if the scammers started sending back
       | twice as many bitcoins, as promised, from the same address. It
       | could be a real-time ponzi scheme!
        
         | dredds wrote:
         | In that scenario 10% per month would be a sufficient inducement
         | and likely more believable given the volatility.
        
       | rcpt wrote:
       | +0.00001337 BTC
       | 
       | which one of us did that?
        
       | odomojuli wrote:
       | 1JustReadALL1111111111111114ptkoK 0.00000666 BTC
       | 
       | 1TransactionoutputsAsTexta13AtQyk 0.00000667 BTC
       | 
       | 1YouTakeRiskWhenUseBitcoin11cGozM 0.00000668 BTC
       | 
       | 1forYourTwitterGame111111112XNLpa 0.00000669 BTC
       | 
       | 1BitcoinisTraceabLe1111111ZvyqNWW 0.00000670 BTC
       | 
       | 1WhyNotMonero777777777777a14A99D8 0.00000671 BTC
       | 
       | bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh 0.00001337 BTC
       | 
       | Can anyone explain what happened in this block of transactions to
       | me?
        
         | uncoder0 wrote:
         | Someone is trying to communicate with the hacker using invalid
         | addresses.
        
         | rubatuga wrote:
         | You can send BTC to any address you want
        
         | gjkhkldajghl wrote:
         | Maybe I'm missing something, but I'm assuming someone is
         | critiquing the scammer as foolish for using bitcoin instead of
         | Monero because it is more difficult to cash out, as bitcoin is
         | less anonymous than Monero?
        
         | drexlspivey wrote:
         | These are bitcoin eater addresses (essentially receive only
         | addresses), you can create addresses like these if you
          | brute-force the checksum bytes; however, you don't have the private
         | key for them. I think the more famous one is
         | 1BitcoinEaterAddressDontSendf59kuE
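
The structure drexlspivey describes, as an added example (not code from the thread): decoding a legacy address with Base58Check shows why a vanity "eater" address passes the network's checksum even though its 20-byte hash corresponds to no known private key.

```python
"""Base58Check decoding for legacy Bitcoin addresses.

Added example (not code from the thread). It shows why an "eater" address
such as 1BitcoinEaterAddressDontSendf59kuE is accepted by the network: a
legacy address is one version byte + a 20-byte hash + a 4-byte checksum,
Base58-encoded. The readable prefix is chosen freely and the tail is
brute-forced until the checksum matches, so the 20 bytes are arbitrary and
no private key is known for them. Funds sent there cannot be spent.
"""
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode Base58 text to bytes, keeping each leading '1' as a 0x00 byte."""
    n = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    # Leading '1's encode leading zero bytes that the integer form drops.
    leading_zeros = len(s) - len(s.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * leading_zeros + body


def hash256(data: bytes) -> bytes:
    """Double SHA-256, the checksum function used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def check_legacy_address(addr: str) -> dict:
    """Decode a legacy (P2PKH/P2SH) address and verify its checksum.

    Returns 'valid' and, when decodable, 'version' (0x00 for P2PKH and
    0x05 for P2SH on mainnet) plus the hex of the 20-byte hash.
    """
    try:
        raw = b58decode(addr)
    except ValueError as exc:
        return {"valid": False, "reason": str(exc)}
    if len(raw) != 25:
        return {"valid": False, "reason": f"decoded to {len(raw)} bytes, expected 25"}
    payload, checksum = raw[:21], raw[21:]
    ok = hash256(payload)[:4] == checksum
    return {
        "valid": ok,
        "version": payload[0],
        "hash160": payload[1:].hex(),
        "reason": None if ok else "checksum mismatch",
    }


if __name__ == "__main__":
    # The burn address named in the thread, then the same string with its
    # last character changed: one Base58 digit off and the checksum fails.
    for a in ("1BitcoinEaterAddressDontSendf59kuE",
              "1BitcoinEaterAddressDontSendf59kuF"):
        print(a, check_legacy_address(a))
```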
        
         | vince14 wrote:
         | https://blockchair.com/bitcoin/transaction/54215bf9b24db3dbf...
         | 
         | How did you find that so quick?
        
       | seibelj wrote:
       | At Poloniex, we quickly blacklisted this address. Prevents all of
       | our users from sending money to them. Many exchanges likely can
       | do the same thing.
        
         | arcticbull wrote:
         | That doesn't sound very decentralized and trustless. If I want
         | to get scammed in this brave new world, shouldn't I be allowed
         | to? Maybe I want to fund the Nigerian Prince's get-out-of-jail
         | efforts.
        
           | dmix wrote:
            | That's what Bitcoin exchanges in Russia are for.
        
         | paulpauper wrote:
         | like trying to stop a steam roller with a mattress
         | 
         | obv the hackers will likely use multiple addresses
        
           | smsm42 wrote:
           | The weak link here is: to run a successful scam, you need to
           | publicize the incoming address widely. That allows exchanges
           | to block it. If you keep the address in secret, you can't get
           | the gullible masses to fall for it.
        
             | paulpauper wrote:
             | multiple addresses, mixing, etc. there are tons of ways to
             | evade exchange restrictions.
        
           | jdminhbg wrote:
           | The most recent Elon Musk tweet (2:38 pm PDT; I cannot
           | believe Twitter hasn't locked this down yet) used the same
           | address.
        
             | paulpauper wrote:
              | I saw another one 2 minutes ago. Remarkable Twitter has not
              | fixed it yet.
        
               | blisseyGo wrote:
               | I read somewhere that they hacked it multiple times. The
               | first tweet got taken down and then it got posted again.
        
         | Wingman4l7 wrote:
         | Coinbase apparently did also:
         | https://news.ycombinator.com/item?id=23852054
         | 
         | I'm betting Gemini also blacklisted that BTC address,
         | especially considering that they were in the first wave of fake
         | tweets.
         | 
         | Really wondering now just how much BTC the attacker effectively
         | left on the table by reusing a single wallet address,
         | especially considering that lots of people who deal in crypto
         | use just a handful of exchanges to send it. Would be pretty
         | difficult to quantify, though.
        
         | mrtksn wrote:
         | While this is a good measure, what does it mean to the
         | decentralization promise of Bitcoin?
        
           | [deleted]
        
           | lostmsu wrote:
           | In this case you could just create a separate wallet and send
           | BTC through it. Sounds like Poloniex does its job better than
           | your own wallet here.
        
           | baby wrote:
            | It means that to block these funds every single recipient
            | must block the address.
        
           | mlindner wrote:
           | Just because you can stuff dollars under your bedsheets
           | doesn't mean you can't also use a bank.
        
           | drexlspivey wrote:
            | It means don't keep your money at exchanges if you want to
            | control them
        
             | celticninja wrote:
             | Also protects the stupid. You can still send this address
             | BTC. You just need to withdraw it to your own wallet first.
             | Which buys the user time in which to discover it's a scam
        
           | seibelj wrote:
           | People who use exchanges are traders (retail or professional)
           | and hodlers who don't want to deal with the intricacies of
           | managing 100+ coins on 50+ blockchain networks. The
           | decentralization of cryptocurrencies is not an all-or-nothing
           | proposition - users can choose the level of decentralization
           | they would like based on their preferences.
           | 
           | What I like most about decentralization is that anyone in the
           | world can create a new crypto business on the blockchain
           | rails, integrate with everyone else, and attract users. Of
           | course there are real-world repercussions if your physical
           | entity is in a locale with laws that you violate, but it is
           | orders of magnitude easier to start a crypto exchange than a
           | traditional bank.
        
             | cortesoft wrote:
             | Won't this end up like email, though? Sure, anyone can set
             | up their own business... however, 90% of people will be on
             | a few large providers, and those providers will end up
             | blocking transactions coming from unknown new providers (to
             | prevent scams). Decentralization doesn't stop
             | consolidation.
        
               | Sebb767 wrote:
               | Sure, but even with E-Mail there are a lot of smaller
               | service providers. It's not _ideal_, yes, but the
               | situation is at least a tad better and one failing
               | company will not destroy the whole ecosystem.
        
               | seibelj wrote:
               | It is much easier to set up your own cryptocurrency
               | wallet than it is to set up your own trusted email
               | server. Your metaphor is similar but off by a large
               | amount. The major difference is that blockchain deals
               | primarily with money, so email spam (useless worthless
               | messages) is inherently less worthy of sending because
               | doing so actually pays me, in addition to the fees you
               | pay the network.
        
             | H8crilA wrote:
             | Kinda similar to like under a gold standard you don't
             | actually pay with gold. You can, but most people just use
             | centralised "wrappers" around gold in the form of bank
             | notes.
        
         | WA wrote:
         | So much for "Bitcoin is anonymous, decentralized and nobody
         | controls it".
        
           | mlindner wrote:
           | Bitcoin has never been anonymous, only pseudonymous.
        
           | Tenoke wrote:
           | It is - all the exchanges in the world can't stop you from
           | making the transaction if you want to.
        
       | rvz wrote:
       | You can see the high profile Twitter accounts hacked here by
       | searching the address in Twitter with the verified filter:
       | bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh filter:verified
        
         | Scoundreller wrote:
         | Here's a link to make your life easier:
         | 
         | https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
         | 
         | They'll all say "Twitter Web App" as the tweet source.
         | 
          | If you search through all accounts (i.e. also the unverified
         | ones), you see plenty that say Twitter for iPhone or Twitter
         | for Android. Those are likely trolls.
         | 
         | Those are here:
         | https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...
        
           | rvz wrote:
           | Thanks, but they have now moved to another address and the
           | hackers are at it again:
           | 
           | Replace the old BTC address with this one:
           | bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l
        
       | 21eleven wrote:
       | Hopefully most of this bitcoin is just the attacker sending their
       | own funds to make it look legitimate.
        
         | beervirus wrote:
         | How many people who would fall for this scam would also know
         | how to look at the blockchain data?
        
       | paulpauper wrote:
        | It is amazing given how long Twitter has been around that such a
        | powerful exploit still existed, assuming it was not an insider
        | job. It also shows that bug bounties will not prevent the really
        | bad stuff. The payoff from exploiting such a huge bug is in the
        | millions, which no bug bounty program will ever pay.
        
         | celticninja wrote:
         | This hack isn't going to generate millions for the attackers.
          | But you're right that it would still outweigh any bug bounty.
        
       | Tenoke wrote:
       | I'm guessing they'll end up with ~100-300k total after all is
       | done and they tumble, launder etc. the coins.
       | 
       | I am not sure how much that is for them but there are claims that
       | the 'regular' version of that scam already nets millions a year.
        
         | aeternum wrote:
         | Better payout than the $2.9k for disclosing this to Twitter via
         | bug bounty.
        
           | thephyber wrote:
           | Do you have any evidence this is a Twitter flaw and not a 3rd
           | party app?
        
             | lytedev wrote:
             | OP's point holds. A third party likely has a less-rewarding
             | bug bounty, doesn't it?
        
             | manquer wrote:
             | If the twitter security model allows third party apps
             | access to verified high profile accounts without auditing
             | the security of that app it is still a flaw in Twitter's
             | processes.
             | 
             | Twitter after all has a lot higher risk than the 3rd party
             | app, it is in their interest to make sure partners dealing
             | with high profile accounts or partners handling a large
             | volume of accounts are also secure.
        
       | 1-6 wrote:
       | Can Twitter put up a banner warning folks not to submit crypto???
        
         | blisseyGo wrote:
         | It's been at least 3 years and they still haven't made a fix
         | for the spam comments until Elon Musk's tweets for crypto scam
         | from user account names of "Elon_Musk" or others. This should
         | be such an easy way to block. Don't even allow new user
         | accounts with "Elon" and "Musk" in it unless verified. I have
         | been seeing this for over 3 years and no fix.
        
         | Nextgrid wrote:
         | Crypto scams that are trivial to block have been going on for
         | years. There is no reason to believe Shitter cares about the
         | well-being of their users, and frankly they were right because
         | people kept using this rotten platform despite that.
         | 
         | Maybe _now_ things will change.
        
       | dredmorbius wrote:
       | Numerous dupe submissions, primary discussion:
       | https://news.ycombinator.com/item?id=23851275
        
       | mikeyouse wrote:
       | Seems like it would have been more profitable to take a huge
       | short position in TSLA and hack Elon's Twitter to post something
       | about a SEC investigation for accounting fraud and that you'd
       | need to restate multiple years' worth of earnings.
        
         | paulpauper wrote:
          | Yeah, and then the SEC freezes your account and you go to jail
          | and get $0.
        
         | spyder wrote:
         | Or they could have been doing something similar with cryptos
         | without risking SEC or requiring ID on exchanges: using the
         | twitter accounts to announce partnerships with one of the
          | cryptocurrencies. Probably less gain than with stocks but more
         | than with this simple scam.
        
         | ealexhudson wrote:
         | More profitable but more likely to be caught.
        
           | mikeyouse wrote:
           | Probably true - though there's already a ton of short
           | interest in the company. Seems like you could take a few
           | million in profits and still blend in fairly seamlessly.
        
         | puranjay wrote:
         | The stock market is way more regulated and you'd be caught
        
       | ve55 wrote:
       | They do use a lot more addresses than just this one too
        
       | [deleted]
        
       | throwaway888abc wrote:
       | Fascinating to see the transactions going up (refresh the page)
        | every minute as the scam propagates
        
         | baal80spam wrote:
         | Someone just sent 4.5 BTC...
        
           | [deleted]
        
           | jolmg wrote:
           | At 13:47 PDT, there's a 60.4 BTC one[1]. That alone is half a
           | million USD.
           | 
           | EDIT: Replies are right. Now I see that the majority of it
           | went to the same address as the source.
           | 
            | [1] https://www.blockchain.com/btc/tx/4df1391d936d3256ce84a867e1...
        
             | dnprock wrote:
             | In this transaction, there's only 0.00291948 BTC sent to
             | the scamming address:
             | bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh.
             | 
             | It's time to learn more about Bitcoin. :)
        
             | [deleted]
        
             | [deleted]
        
             | baal80spam wrote:
             | Wait, where do you see that? On the linked page, I can see
             | the following:
             | 
             | Total Received: 11.39184745 BTC
             | 
             | edit: OK, either this is strange or I don't understand how
             | it works.
        
               | jolmg wrote:
               | Yeah, I also don't understand how one can have multiple
               | destination addresses in a single transaction.
        
               | oarsinsync wrote:
                | As a sender, you have a coin of amount X, and you split
               | it up and send it wherever you like
               | 
               | If your coin is 1 and you want to send one person 0.2 and
               | another person 0.3, you can do that as a single
               | transaction to three destinations, one with 0.2, another
               | with 0.3 (to the people you're sending to) and a final
               | one with 0.5 back to one of your own addresses (aka a
               | change wallet)
        
               | oarsinsync wrote:
               | You're fine. The GP doesn't understand. Only 0.00291948
               | BTC was sent to the hacker wallet. The remainder went to
               | other wallets. The vast majority went back to the person
                | making the transaction (i.e. nowhere)
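
The accounting oarsinsync and dnprock describe, as an added example (not code from the thread): a transaction's headline total is the sum of all its outputs, while what one address received is only the outputs paying that address; the two constructed transactions mirror the thread's numbers but are not the real on-chain data.

```python
"""Transaction outputs and change, as described in the comments above.

Added example (not code from the thread). A transaction spends whole prior
outputs and pays any number of new outputs, normally including change back
to the spender. What an address received is the sum of the outputs paying
it, not the transaction's total (the sum of all outputs), which is the
headline figure an explorer shows. Amounts are integer satoshis to avoid
float rounding. Both transactions here are constructed to mirror the
thread's numbers; they are not the real on-chain data.
"""
from dataclasses import dataclass

SATS_PER_BTC = 100_000_000


def btc(text: str) -> int:
    """Parse a decimal BTC string such as "0.00291948" into satoshis exactly."""
    whole, _, frac = text.partition(".")
    if len(frac) > 8:
        raise ValueError("bitcoin amounts have at most 8 decimal places")
    return int(whole or "0") * SATS_PER_BTC + int((frac + "00000000")[:8])


def fmt(sats: int) -> str:
    """Render satoshis as a BTC string with 8 decimals."""
    return f"{sats // SATS_PER_BTC}.{sats % SATS_PER_BTC:08d}"


@dataclass(frozen=True)
class Output:
    address: str
    sats: int


@dataclass(frozen=True)
class Tx:
    inputs: tuple   # satoshi values of the prior outputs being spent (whole coins)
    outputs: tuple  # Output entries, in order

    def total_out(self) -> int:
        """Sum of all outputs: the headline total an explorer shows for the tx."""
        return sum(o.sats for o in self.outputs)

    def fee(self) -> int:
        """Whatever the outputs do not claim goes to the miner as the fee."""
        fee = sum(self.inputs) - self.total_out()
        if fee < 0:
            raise ValueError("outputs exceed inputs: invalid transaction")
        return fee

    def received_by(self, address: str) -> int:
        """Sum every output paying this address (it may appear more than once)."""
        return sum(o.sats for o in self.outputs if o.address == address)

    def change(self, own_addresses: set) -> int:
        """Value returning to the spender's own addresses, i.e. going nowhere."""
        return sum(o.sats for o in self.outputs if o.address in own_addresses)


SCAM_ADDRESS = "bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"  # quoted in the thread
SENDER_CHANGE = "sender-change-address-PLACEHOLDER"        # constructed label


def example_scam_tx() -> Tx:
    """Constructed: a 60.4 BTC coin spent; 0.00291948 BTC to the scam address,
    0.0001 BTC fee, everything else back to the spender as change."""
    return Tx(
        inputs=(btc("60.4"),),
        outputs=(Output(SCAM_ADDRESS, btc("0.00291948")),
                 Output(SENDER_CHANGE, btc("60.39698052"))),
    )


def example_split_tx() -> Tx:
    """Constructed: the 1 BTC -> 0.2 + 0.3 + 0.5 change split from the comment above."""
    return Tx(
        inputs=(btc("1"),),
        outputs=(Output("recipient-A", btc("0.2")),
                 Output("recipient-B", btc("0.3")),
                 Output(SENDER_CHANGE, btc("0.5"))),
    )
```

For the constructed scam transaction, `fmt(tx.total_out())` is what an explorer's total looks like, while `fmt(tx.received_by(SCAM_ADDRESS))` is the 0.00291948 BTC that actually reached the scam address.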
        
       | puranjay wrote:
       | What kind of heat would the person or party that started this
       | hack get? What could be the expected consequences? Going after
       | political figures, including the former President of the US,
        | should, I think, trigger a digital manhunt.
        
         | blisseyGo wrote:
         | This could also impact the stock market I think.
        
         | ex3ndr wrote:
         | It actually looks like all targets are enemies of current POTUS
        
           | bayesbot wrote:
           | not Kanye
        
           | wh-uws wrote:
           | Elon Musk is not.
        
             | [deleted]
        
           | paulpauper wrote:
            | This is motivated by profit, nothing political. POTUS being
            | hacked would escalate to a national security threat and
            | possibly force Twitter to shut down by decree, which the
            | hacker is smart enough to know not to tread.
        
           | monokh wrote:
           | I really didn't imagine a purely financially motivated hack
           | could be turned into politics. I guess I underestimate the
           | levels of innovation.
        
             | ex3ndr wrote:
             | Current administration is purely financially motivated
             | though
        
       | odomojuli wrote:
       | Is it significant at all that this is happening on US Tax Day?
        
       | paulpauper wrote:
        | Looks like SMS porting... been 3 years now and still no one has a
        | good fix for this
        
         | rodiger wrote:
         | ...no, you aren't going to get access to all these high profile
         | accounts at the same time with sms porting. This is almost
         | definitely internal.
        
           | paulpauper wrote:
            | I didn't realize the extent until now. Way more than just 4...
            | more like 40+
        
       | dang wrote:
       | The general thread about the hack is
       | https://news.ycombinator.com/item?id=23851275.
       | 
       | Please discuss the general aspects there and the BTC aspects
       | here.
        
       | sleepybrett wrote:
       | Seems like they could have sold this hack for way more than this
       | will make them.
        
         | logicslave wrote:
          | It's almost suspicious how poorly this turned out for them. I
          | suspect there's more going on than this
        
           | rcpt wrote:
           | It's such a dumb way to make money with this kind of power
           | that I'm more likely to believe that Elon really is sending
           | back 2x BTC
        
             | manquer wrote:
             | It is perhaps a proof of ability, burning a zero day might
             | be worth it, if you have others you can sell, also if the
              | zero day was one time use or likely getting closed soon,
              | the value might be not as high as it may look.
        
         | jdminhbg wrote:
         | Via Tyler Cowen [0]:
         | 
          | > If you've ever watched _Goldfinger_, you have to wonder if
         | the real ploy isn't somewhere else, such as auctioning off DMs,
         | blackmail, etc., and the bitcoin thing just proof of concept.
         | 
         | 0: https://twitter.com/tylercowen/status/1283518906041278468
        
       | 1f60c wrote:
       | I wasn't sure what I was looking at, until I googled the Bitcoin
       | address (bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh):
       | 
       | Several high-profile Twitter users, including Elon Musk, Bill
       | Gates, and the official Uber account appear to have been hacked,
       | and all promoted that address, saying any funds sent to it will
       | be doubled.
        
         | gruez wrote:
         | >Several high-profile Twitter users, including Elon Musk, Bill
         | Gates, and the official Uber account appear to have been
         | hacked, and all promoted that address, saying any funds sent to
         | it will be doubled.
         | 
         | speculation time: How did those accounts get hacked? Did they
         | all get spearphished? Did twitter get compromised?
        
           | o-__-o wrote:
           | Or was it a marketing platform that was owned? I worked for
           | one a few years back and they used the same fb key for all of
           | their 500 musicians they represented. One day facebook
           | enforced key rotation and a bunch of fan sites went dark.
           | Imagine if someone got access to our codebase, this same type
           | of nefarious action would have happened
           | 
           | The curtain has been pulled back for some. Their favorite
           | tweeters aren't actually tweeting themselves
           | 
           | Edit: I also wonder if it's an elaborate money laundering
           | scheme. Mix coins with deniability. Combine with the Epstein
           | drama, maybe there's more to what meets the eye. Either way
           | it's popcorn time
        
           | milofeynman wrote:
           | It's got to be a 3rd party authed w/ the Twitter account, I'd
           | guess.
        
         | Barrin92 wrote:
         | Sounds more like Twitter itself has been compromised on their
         | end at that point.
        
           | [deleted]
        
           | Kye wrote:
           | It's much more likely a common social media marketing
           | platform was compromised.
        
             | lkbm wrote:
             | It's a wide enough range of accounts that it's most likely
             | an internal admin panel.
             | 
             | Special protected accounts (e.g., Trump's) seem unaffected,
             | whereas hundreds (thousands?) of "regular" accounts, high
             | profile and small, are compromised.
        
               | Kye wrote:
               | A lot happened in the 32 minutes since I posted that.
        
             | Scoundreller wrote:
             | But then wouldn't these tweets say something other than
             | "Twitter Web App" ?
        
               | bowmessage wrote:
               | Users of the middleware likely want to hide the fact that
               | they're scheduling their tweets, I would imagine the tool
               | sets this value explicitly to have the tweets appear more
               | genuine. </postulating>
        
             | PeterisP wrote:
             | It seems a total account takeover, not just the ability to
             | send tweets in their name - the email addresses have been
             | reset, see
             | https://twitter.com/sniko_/status/1283485972286656517
        
         | paulpauper wrote:
          | Tons of accounts hacked. Like every single high-profile account
          | hacked. Either inside job or major exploit
        
         | paulpauper wrote:
          | And to think you could have just bought those bitcoin for like
          | $2000 in 2016 without all the work of having to hack
          | 
          | Bill Gates and Bezos not showing up on Twitter search. Twitter
          | ghosting some of the affected accounts
        
       | byteshock wrote:
       | They reposted it on the cash app account but with a different
       | address. The exchanges are going to have a field day monitoring
       | twitter.
       | 
       | New address: bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l
       | 
       | Tweet:
       | https://mobile.twitter.com/CashApp/status/128352200769559757...
        
         | ben174 wrote:
         | So strange that twitter can't automatically filter these. The
         | message format is pretty consistent. Surely they could write
         | something to at least put tweets matching this pattern in a
         | moderation queue.
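
One shape the moderation queue ben174 suggests could take, as an added example (not Twitter's code): route a tweet to review when it carries both a Bitcoin-address-shaped token and doubling/giveaway wording, and block outright when the address is one already tied to the incident (the two quoted in this thread). The sample tweets are constructed for the example.

```python
"""Pattern triage for "send BTC, get double back" tweets.

Added example (not Twitter's code); it sketches the moderation queue the
comment above suggests. Two independent signals are combined: a Bitcoin
address in the text (legacy Base58 or bech32 shape, no checksum check) and
doubling/giveaway wording. Either alone is routine; both together go to a
review queue, and an address already tied to an active incident (the two
quoted in this thread) is blocked outright. The sample tweets are
constructed for this example, not real tweets.
"""
import re

# Payout addresses quoted in the thread.
INCIDENT_ADDRESSES = {
    "bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh",
    "bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l",
}

# Shape-only matchers: Base58 legacy (1... / 3...) and bech32 (bc1...).
LEGACY_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
BECH32_RE = re.compile(r"\bbc1[ac-hj-np-z02-9]{39,59}\b", re.IGNORECASE)

DOUBLING_RE = re.compile(
    r"\b(doubl(e|ed|ing)|2x|send(ing)? (it )?back|giv(e|ing) back|giveaway)\b",
    re.IGNORECASE,
)
AMOUNT_RE = re.compile(r"\b\d+(\.\d+)?\s*(btc|bitcoin)\b", re.IGNORECASE)
URGENCY_RE = re.compile(r"\b(only|next)\s+\d+\s+(minutes|mins|hours)\b", re.IGNORECASE)


def extract_addresses(text: str) -> list:
    """Return the distinct address-shaped tokens in the text, bech32 lowercased."""
    found = LEGACY_RE.findall(text) + [m.lower() for m in BECH32_RE.findall(text)]
    return sorted(set(found))


def triage(text: str, blocklist=INCIDENT_ADDRESSES) -> dict:
    """Return the addresses found, the reasons raised and an action:
    'block' (known incident address), 'review' (address + scam wording) or 'allow'."""
    addresses = extract_addresses(text)
    reasons = []
    if any(a in blocklist for a in addresses):
        reasons.append("known incident address")
    if addresses and DOUBLING_RE.search(text):
        reasons.append("address with doubling/giveaway wording")
        if AMOUNT_RE.search(text):
            reasons.append("explicit BTC amount")
        if URGENCY_RE.search(text):
            reasons.append("time pressure")
    if "known incident address" in reasons:
        action = "block"
    elif reasons:
        action = "review"
    else:
        action = "allow"
    return {"addresses": addresses, "reasons": reasons, "action": action}


# Constructed sample tweets (not real tweets); the second uses a placeholder
# bech32-shaped address that would never pass a checksum check.
SAMPLES = [
    "Feeling generous. Send 0.1 BTC to bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh "
    "and I will send back 0.2 BTC. Only for the next 30 minutes!",
    "Giving back to everyone! All Bitcoin sent to bc1q" + "z" * 38
    + " will be doubled. Hurry!",
    "Donations for the meetup go to 1BitcoinEaterAddressDontSendf59kuE, thanks all.",
    "Can't believe people still fall for the double-your-bitcoin scam.",
]

if __name__ == "__main__":
    for t in SAMPLES:
        r = triage(t)
        print(r["action"].upper(), r["reasons"], r["addresses"])
```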
        
           | ageitgey wrote:
           | They are blocking tweets with that address now. I'm guessing
           | that they still have no idea what the root cause is.
        
             | byteshock wrote:
             | Somebody is getting fired today...
             | 
             | Edit: I was only making a joke, relax. Most likely it's not
             | a single person's mistake. It's just something you say when
             | shit hits the fan.
        
               | floatingatoll wrote:
               | Promoting, praising, or otherwise endorsing the kind of
               | reaction you state is inexcusable in IT Operations. Your
               | unstated assumptions-by-framing are:
               | 
               | 1) A single person is responsible for the flaw.
               | 
               | 2) A single person is either already under performance
               | review or committed gross neglect of duties.
               | 
               | 3) The above single person will be terminated rather than
               | retrained.
               | 
               | If this is how you would speak about your own employees
               | during a security incident, your business deserves to
               | fail.
               | 
               | If this is how you expect to be treated by your employer
               | during a security incident, you should seek employment
               | elsewhere.
        
               | kgraves wrote:
               | jeez, they said it's just a joke...
        
               | floatingatoll wrote:
               | They used the edit function to walk back their comment as
               | a 'joke' _after_ my post was submitted, and managed to
               | make things worse in the process.
               | 
               | Would you joke about firing someone for a mistake during
               | an interview? I would consider that a dealbreaker if I
               | were interviewing someone, as in "this interview is over,
               | go home".
               | 
               | Do you consider HN an appropriate forum for pithy one-
               | liner jokes that do not contribute to the discussion?
               | Reconsider.
        
               | VectorLock wrote:
               | So saying one person should be fired is not okay, but
               | saying a whole business should be fired is okay?
        
               | secondcoming wrote:
               | Calm down
        
               | ahelwer wrote:
               | Unlikely. That isn't how hacks or outages are punished in
               | large software service orgs, unless it was intentional or
               | due to negligence like disabling a failing test to get
               | something shipped to prod.
        
         | mc32 wrote:
         | I'd be curious to find out which one of the accounts proved to
         | be the better "sales lead"
        
           | VectorLock wrote:
           | They should have used unique wallets for each tweet and A/B
           | tested the gullibility of the victim's audience.
           | 
           | Would have made them more difficult to track and shut down as
           | well. More hallmarks that this wasn't probably something they
           | lucked into, rather than some sophisticated attack.
        
       ___________________________________________________________________
       (page generated 2020-07-15 23:00 UTC)