Tweeting your transactions - Twitter hack proceeds traceable
On Wednesday 15 July 2020, a number of high profile Twitter accounts were hacked including Joe Biden, Barack Obama, Elon Musk, Bill Gates, Jeff Bezos and Apple. Unidentified hackers used these high profile accounts to post a common bitcoin scam post.
Other compromised Twitter accounts reported included Twitter Support, Kim Kardashian West, Kanye West, Michael Bloomberg, Uber and a number of cryptocurrency exchanges and organisations.
This unprecedented hack led to Twitter temporarily suspending verified accounts from posting for approximately two hours. An example of the scam tweet is below:
Twitter announced that the security breach was:
...a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools... We're looking into what other malicious activity they may have conducted or information they may have accessed...
What has not been well publicised is that, since all bitcoin transactions are permanently recorded on the Bitcoin blockchain, any bitcoin received by the Twitter hackers into their bitcoin wallet address are recorded, regardless of their jurisdiction. It will be closely watched and be the focus of intense tracing efforts when they try to move the bitcoin to another wallet address.
At the time of writing, there were approximate 12 bitcoin received valued at approximately AUD$156,000 over 377 transactions (but many of these are sending the Bitcoin to further wallets. This seems like a pretty poor haul given the mammoth reach of the Twitter accounts hacked and the scrutiny which will now come down on these addresses.
One famous past hack which led to a concerted tracing of stolen funds was the Mt Gox hack where Wizsec compared Bitcoin transfers on the public Bitcoin blockchain and used that data to reconstruct wallet balances and find hidden relationships between multiple bitcoin wallets and public sources.
Wizsec was able to identify people associated with those wallets and assisted in the ultimate arrest of Alexander Vinnik in July 2017 in Greece at the request of US authorities.
The extent of the Twitter security breach is yet to be seen as it is ongoing. The extent that it could impact any Australian's personal information information is unclear.
When personal information is accessed or disclosed without authorisation or is lost, the data breach may need to be reported to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breach set out in the Privacy Act 1988.
More details are sure to unfold, and the long term reputational damage to Twitter from this hack is sure to vastly exceed the paltry sums gained by the hackers. What is not known is how much sensitive personal information connected to these high profile accounts is now in the hands of bad actors, and just how far the security breach went.