Coinbase, Binance and BitGo may know the identity of the hackers

The hackers who carried out the massive hijacking of Twitter accounts on July 15 don’t seem to be very experienced users of Bitcoin (BTC): they left traces that lead to and from the main exchanges, which are said to hold the keys to finding their identity.

Summary of the bc1qxy address. Source: Crystal Blockchain.

The Bitcoin address to which the hackers requested illegal donations is: bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh. A few hours after the event, the perpetrators started moving the Bitcoin to other addresses. The trail they left indicates that they are not exactly sophisticated about blockchain technology. They reuse the same addresses and do not obscure their tracks to and from the exchanges. They have hardly used any other methods that would make tracing difficult.

According to the on-chain evidence we collected, several large exchanges should be able to find out the identity of the perpetrators.

Coinbase and BitMex

We will focus on an address other than the original: 1Ai52Uw6usjhpcDrwSmkUvjuqLpcznUuyF. This address received 14.76 BTC, most of it on July 15th; however, the address was first activated on May 3. About half of the BTC came from the original address (bc1qxy). The rest came from various sources.

The trail to Coinbase and BitMex. Source: Crystal Blockchain.

Part of the incoming Bitcoin came from the Coinbase and BitMex exchanges. Crystal Blockchain has identified two addresses as belonging to Coinbase: 37p3PS1hKqzYhiVswbqN6nxbwyUoTZvf1E and 32V6a7K46pSb1XQNGdrmdE2wjgndVfJPet. They are two hops away from the second address (1Ai52), the same address that received direct transactions from the hackers' original address.

On the morning of July 15th, a 10 BTC withdrawal from Coinbase took place. A few hours later, 0.4 BTC from this presumed Coinbase withdrawal ended up at 1Ai52U. Since it is not a direct path, there is a possibility that the coins changed hands in this interval. However, this seems highly unlikely, given that no major entities are involved.

What appears to be a BitMex withdrawal from the address 3BMEXqT4yGBFiVBeJFHF4Ak5PyhqTnidKP is three hops from the address 1Ai52. On April 27 at 2:18 p.m., BTC was withdrawn from this address, and by May 3 it had landed at 1Ai52U.

BitGo, Luno and Binance

The hackers also used the address 1NWJd7BfJLJrEcfGiGfFqbhyaiusWwaZS1 to move funds from the original address. The former also received a small amount of BTC from the address 14kWuX37tgLdYZDSudHuch35NtuGgJqqnz, which in turn received BTC from various addresses that appear to belong to BitGo. The same transaction, 89a4ba84043d043d212216718dae4ac3b74e6d08fd4575edab532c1c188dd961, sent small amounts of BTC to various exchanges, including Bittrex, Luno and Binance (BNB).

The trail to BitGo, Bittrex, Binance and Luno. Source: Crystal Blockchain.


On July 16, 0.0011 BTC ended up at 16ftSEQ4ctQFDtVZiUBusQUjRrGhM3JY, which was identified as one of Binance’s deposit addresses. It is three hops from the hackers' original address, with no major entities in between.

The trail to Binance. Source: Crystal Blockchain.

Final observations

The hackers seem to be using a proxy, because transactions come from different parts of the world. The Bitcoin addresses generated by the hackers come in various formats: some in the newer Bech32 format, others in the older P2PKH and P2SH formats. If our analysis is correct, several of the leading cryptocurrency entities should be able to identify the hackers.
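To make the format observation concrete, here is an added example (not part of the original article and not Crystal Blockchain's tooling) that classifies several of the addresses quoted above by decoding them and verifying their checksums, which an analyst would do before pivoting on an address copied from a report. The function names and the `PAGE_ADDRESSES` list are this example's own.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
PAGE_ADDRESSES = [  # quoted in the article above
    "bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh",
    "1Ai52Uw6usjhpcDrwSmkUvjuqLpcznUuyF",
    "37p3PS1hKqzYhiVswbqN6nxbwyUoTZvf1E",
]

def base58check(addr):
    """Decode Base58Check; return (version_byte, checksum_ok)."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4 checksum bytes
        return None, False
    check = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4]
    return raw[0], check == raw[-4:]

def bech32_ok(hrp, data):
    """BIP173 checksum: polymod over the expanded prefix and data must be 1."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp] + data:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= gen[i] if (top >> i) & 1 else 0
    return chk == 1

def classify(addr):
    """Return (format, checksum_ok) for a mainnet Bitcoin address string."""
    try:
        if addr.lower().startswith("bc1"):
            data = [B32.index(c) for c in addr.lower()[3:]]
            if len(data) < 7 or data[0] != 0:  # v1+ uses Bech32m, not checked here
                return "unknown", False
            return "Bech32 (SegWit v0)", bech32_ok("bc", data)
        version, ok = base58check(addr)
    except ValueError:
        return "unknown", False
    return {0x00: "P2PKH", 0x05: "P2SH"}.get(version, "unknown"), ok

if __name__ == "__main__":
    for a in PAGE_ADDRESSES:
        print(a, *classify(a))
```

An address that returns `False` for the checksum, or `unknown` for the format, was truncated or mistyped somewhere between the blockchain and the report and should be re-checked against the source before it is searched or shared.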

