The hackers who conducted the massive Twitter hijacking on July 15 do not appear to be sophisticated Bitcoin (BTC) users, as they left trails leading to and from major exchanges that presumably hold the keys to their identities.
The Bitcoin address that hackers used to solicit illicit donations is bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh. A couple of hours into the hack, the perpetrators started moving Bitcoin into other addresses. The Bitcoin trail they are leaving behind suggests that they are not terribly sophisticated when it comes to blockchain technology. They are reusing the same addresses, they are not covering their tracks from and to exchanges sufficiently enough. They have barely used any mixing services.
According to the on-chain evidence we collected, several major exchanges should have their identities.
We will focus on an address one hop away from the original — 1Ai52Uw6usjhpcDrwSmkUvjuqLpcznUuyF. This address received 14.76 BTC, most of it on July 15; however, the address was first activated on May 3. Approximately half of the BTC came from bc1qxy, the rest from various other sources.
Some of the incoming Bitcoin originated from Coinbase and BitMex exchanges. Two addresses identified as belonging to Coinbase by Crystal Blockchain, 37p3PS1hKqzYhiVswbqN6nxbwyUoTZvf1E and 32V6a7K46pSb1XQNGdrmdE2wjgndVfJPet, are two hops away from 1Ai52, the same address that received direct transactions from the original hacker address.
What appears to be a 10 BTC Coinbase withdrawal occurred in the morning of July 15. A couple of hours later, 0.4 BTC originating from the presumed Coinbase withdrawal ended up in 1Ai52U. Since it is not a direct route, there is a possibility of the coins changing hands in the interval. However, this seems unlikely, considering there are no major entities in between.
What appears to be a BitMex withdrawal from 3BMEXqT4yGBFiVBeJFHF4Ak5PyhqTnidKP is three hops away from 1Ai52. On April 27, 14.18 BTC was moved from that address, by May 3, it ended up in 1Ai52U.
The hackers also used the address 1NWJd7BfJLJrEcfGiGfFqbhyaiusWwaZS1 to move the funds from the original address. The former has also received a small amount of BTC from 14kWuX37tgLdYZDSudHuch35NtuGgJqqnz, which, in turn, received BTC from several addresses that appear to belong to BitGo. — The same transaction 89a4ba84043d043d212216718dae4ac3b74e6d08fd4575edab532c1c188dd961 sent small amounts of BTC to several other exchanges, including Bittrex, Luno and Binance (BNB).
On July 16, 0.0011 BTC ended up in 16ftSEQ4ctQFDtVZiUBusQUjRrGhM3JY identified as one of Binance’s deposit addresses. It is three hops away from the original hacker address with no major entities in between.
The hackers appear to be using a proxy as transactions originate from different parts of the world. The Bitcoin addresses generated by hackers come in different formats, some are of the newest Bech32 format, others in the older P2PKH and P2SH formats. If our analysis is correct, then several major crypto entities should be able to identify the hackers.