Twitter Hacker Is a BitMEX Trader, On-Chain Data Suggests

Whoever is responsible for Wednesday's Twitter hack was deep into the cryptocurrency space, with the BitMEX receipts to prove it.

Jul 16, 2020 at 5:38 p.m. UTC
Updated Mar 2, 2023 at 10:32 p.m. UTC


None of the roughly 13 bitcoin (BTC) acquired through Wednesday's Twitter hack have been laundered, according to chain analysis conducted by Samourai Wallet. 

But whoever was responsible is deep into the cryptocurrency space, with the BitMEX receipts to prove it, according to preliminary analysis from Samourai Wallet's research arm, OXT Research. (A pastebin of the analysis can be found here.)

“Confirmed, no signs of mixing. Majority of funds spent 1 or two hops and [are] now parked,” Samourai said in a Twitter DM to CoinDesk. “Really curious what their cash-out plan is.”

As of 14:00 UTC, the funds in at least one address are already under the control of Coinbase, Samourai added.

“Based on the history of the first destination address of the cryptoforhealth scam addresses, the scammers have a history of gambling on Bitmex and Coinbase usage,” Samourai researcher Ergo said in a tweet.

“This is peak crypto,” Ergo added.

No coin-mixing involvement (yet)

Overall, Samourai says the hacker used only three Bitcoin addresses and has not sent any funds through a mixing service, contrary to what data provider CryptoQuant had earlier tweeted. (CryptoQuant has since told CoinDesk it no longer believes the funds have been mixed.)

"Always a possibility the address is an unlabeled mixer, but I don't see any hints, and one-time use addresses are very common in general and not a definitive pattern for mixers," Ergo told CoinDesk.

Those addresses, however, were linked to other addresses that Samourai tracked to the popular crypto derivatives platform BitMEX.

“Everything from the first address is being spent to this address 1Ai52Uw6usjhpcDrwSmkUvjuqLpcznUuyF, which looks to have been first funded via BitMex,” Samourai said.

Tracking the Twitter hack funds through Bitcoin exchanges

On-chain data lets analytics services follow funds as they move from address to address. In this case, the address had previously been used by a BitMEX trader to move funds on and off the platform. However, BitMEX at the time had less stringent identity-verification requirements, known as Know Your Customer (KYC), for trading, so the exchange may be of limited help in identifying the perpetrator.
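The tracing described above rests on two routine techniques, shown here as an added illustration that is not CoinDesk's, Samourai's or OXT Research's code: walking spent outputs hop by hop from the scam addresses until the funds either land at a labelled entity (an exchange deposit address) or sit unspent ("parked"), and the common-input-ownership heuristic that treats addresses spent together in one transaction as one wallet. Every transaction, address name (scam1, hop1, park1, exchA_deposit and so on), entity label and BTC amount below is constructed for the example; a real pipeline would read txid, vin and vout from a node or indexer.

```python
"""Forward hop-tracing and common-input clustering over a constructed
Bitcoin transaction graph.

Added illustration of the tracing described in the article; it is not
CoinDesk's, Samourai's or OXT Research's tooling. Every transaction, address
and entity label below is constructed for the example.
"""
from collections import deque

# Constructed transactions. A real pipeline would read txid/vin/vout from a
# node or indexer; here addresses are placeholder strings and values are BTC.
TXS = [
    {"txid": "t1", "inputs": ["scam1", "scam2"],
     "outputs": {"hop1": 10.0, "scam1": 0.5}},          # consolidation plus change
    {"txid": "t2", "inputs": ["scam3"], "outputs": {"hop1": 2.5}},
    {"txid": "t3", "inputs": ["hop1"],
     "outputs": {"exchA_deposit": 1.0, "park1": 11.5}},  # small cash-out, rest parked
    {"txid": "t4", "inputs": ["scam1"],
     "outputs": {"exchB_deposit": 0.2, "scam1": 0.3}},
]

# Hypothetical entity labels of the kind an analytics firm keeps for known
# exchange deposit addresses. Entirely made up for this example.
LABELS = {"exchA_deposit": "Exchange A", "exchB_deposit": "Exchange B"}

SEEDS = ["scam1", "scam2", "scam3"]  # the addresses the scam tweets advertised


def build_spend_graph(txs):
    """Map each spending address to the outputs it funded: addr -> [(txid, out_addr, btc)]."""
    graph = {}
    for tx in txs:
        for src in tx["inputs"]:
            for dst, btc in tx["outputs"].items():
                graph.setdefault(src, []).append((tx["txid"], dst, btc))
    return graph


def trace_forward(txs, seeds, labels, max_hops=5):
    """Breadth-first walk from the seed addresses along spend edges.

    Returns (hits, parked, hops):
      hits   : labelled address -> (hop count, entity) where funds reached a known entity
      parked : unlabelled address with no outgoing spend -> hop count (funds sitting unspent)
      hops   : every reached address -> shortest hop distance from a seed
    The walk stops at a labelled address because custody passes to that entity.
    """
    graph = build_spend_graph(txs)
    spent = {src for tx in txs for src in tx["inputs"]}
    hops = {s: 0 for s in seeds}
    queue = deque(seeds)
    hits, parked = {}, {}
    while queue:
        addr = queue.popleft()
        hop = hops[addr]
        if addr in labels:
            hits[addr] = (hop, labels[addr])
            continue
        if addr not in spent and hop > 0:
            parked[addr] = hop
            continue
        if hop >= max_hops:
            continue
        for _txid, dst, _btc in graph.get(addr, []):
            if dst not in hops:           # first visit is the shortest path
                hops[dst] = hop + 1
                queue.append(dst)
    return hits, parked, hops


def cluster_common_input(txs):
    """Common-input-ownership heuristic: addresses spent together in one
    transaction are assumed to belong to one wallet. Returns {addr: frozenset(cluster)}
    for every address that ever appears as an input. It is only a heuristic:
    CoinJoin-style transactions are built precisely to break it."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path compression
            a = parent[a]
        return a

    for tx in txs:
        roots = [find(a) for a in tx["inputs"]]
        for r in roots[1:]:
            parent[r] = roots[0]
    members = {}
    for a in list(parent):
        members.setdefault(find(a), set()).add(a)
    return {a: frozenset(members[find(a)]) for a in parent}


if __name__ == "__main__":
    hits, parked, hops = trace_forward(TXS, SEEDS, LABELS)
    for addr, (hop, entity) in hits.items():
        print(f"{addr}: reached {entity} after {hop} hop(s)")
    for addr, hop in parked.items():
        print(f"{addr}: parked, {hop} hop(s) from seed")
    print("same wallet as scam1:", sorted(cluster_common_input(TXS)["scam1"]))
```

On the constructed data the walk reaches both hypothetical exchange deposit addresses within two hops and finds one parked output, the pattern the analysts describe above. The hop counter ignores how value is apportioned across multi-input transactions (that needs an attribution rule such as FIFO or taint spreading), and the clustering step is what an attacker defeats by using a mixer or CoinJoin, which is why the absence of mixing matters so much to investigators.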

BitMEX did not return requests for comment by press time.

Blockchain transactions leave a web of information as they move from address to address.

“At best investigators can subpoena any relevant account info including IP addresses[;] from there, they can glean some additional info from on-chain data including source of funds,” Ergo said in a private message.

Coinbase, on the other hand, has very strict KYC policies, and Ergo said the best chance of identifying the hacker comes from Coinbase.

"OXT Research has also noted a small spend of scammed coins to Binance. Other than the history of 1Ai52Uw6usjhpcDrwSmkUvjuqLpcznUuyF, the links to exchanges and known entities remain minimal," Ergo said.

