The hackers who carried out the massive hijacking of Twitter on July 15 don't seem to be very experienced users of Bitcoin (BTC): they left traces leading to and from the main exchanges, which are said to hold the keys to finding their identity.
Summary of the bc1qxy address. Source: Crystal Blockchain.
The Bitcoin address to which the hackers requested illegal donations is bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh. A few hours after the event, the perpetrators started moving the Bitcoin to other addresses. The trail they leave indicates that they are not exactly sophisticated about blockchain technology: they reuse the same addresses and do not obscure their tracks to and from the exchanges. They have hardly used any other methods that make tracing difficult.
According to the on-chain evidence we collected, several large exchanges should be able to find out the identity of the perpetrators.
Coinbase and BitMex
We will focus on an address that differs from the original: 1Ai52Uw6usjhpcDrwSmkUvjuqLpcznUuyF. This address received 14.76 BTC, most of it on July 15; however, the address was first activated on May 3. About half of the BTC came from the original address (bc1qxy). The rest came from various sources.
The trail to Coinbase and BitMex. Source: Crystal Blockchain.
Part of the incoming Bitcoin came from the Coinbase and BitMex exchanges. Crystal Blockchain has identified two addresses as belonging to Coinbase: 37p3PS1hKqzYhiVswbqN6nxbwyUoTZvf1E and 32V6a7K46pSb1XQNGdrmdE2wjgndVfJPet. They are two hops away from the second address (1Ai52), the same address that received direct transactions from the hackers' original address.
On the morning of July 15, a 10 BTC withdrawal from Coinbase took place. A few hours later, 0.4 BTC from the alleged Coinbase withdrawal ended up at 1Ai52U. Since it is not a direct path, there is a possibility that the coins changed hands in this interval. However, this seems highly unlikely, given that no major entities are involved.
What appears to be a BitMex withdrawal from the address 3BMEXqT4yGBFiVBeJFHF4Ak5PyhqTnidKP is three hops from the address 1Ai52. On April 27 at 2:18 p.m., BTC was withdrawn from this address, and by May 3 it had landed at 1Ai52U.
BitGo, Luno and Binance
The hackers also used the address 1NWJd7BfJLJrEcfGiGfFqbhyaiusWwaZS1 to move funds from the original address. The former also received a small amount of BTC from the address 14kWuX37tgLdYZDSudHuch35NtuGgJqqnz, which in turn received BTC from various addresses that appear to belong to BitGo. The same transaction, 89a4ba84043d043d212216718dae4ac3b74e6d08fd4575edab532c1c188dd961, sent small amounts of BTC to various exchanges, including Bittrex, Luno and Binance (BNB).
The trail to BitGo, Bittrex, Binance and Luno. Source: Crystal Blockchain.
On July 16, 0.0011 BTC ended up at 16ftSEQ4ctQFDtVZiUBusQUjRrGhM3JY, which was identified as one of Binance's deposit addresses. It is three hops from the hackers' original address, with no major entities in between.
The trail to Binance. Source: Crystal Blockchain.
The hackers seem to be using a proxy, because transactions come from different parts of the world. The Bitcoin addresses generated by the hackers come in various formats: some in the newer Bech32 format, others in the older P2PKH and P2SH formats. If our analysis is correct, several of the leading cryptocurrency entities should be able to identify the hackers.
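The three address formats named above can be told apart from the encoding alone, and the same check flags an address that was damaged when it was copied out of a report. The following Python code is an added example, not part of the original article or of Crystal Blockchain's tooling; the function names are hypothetical, and it covers only mainnet P2PKH, P2SH and witness-version-0 Bech32 addresses.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)

def _base58check(addr):
    """Return 'P2PKH' or 'P2SH' if length, checksum and version byte are valid."""
    if any(ch not in B58 for ch in addr):
        return None
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    zeros = len(addr) - len(addr.lstrip("1"))      # each leading '1' encodes a 0x00 byte
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    if len(raw) != 25 or digest[:4] != raw[-4:]:   # 1 version + 20 hash + 4 checksum bytes
        return None
    return {0x00: "P2PKH", 0x05: "P2SH"}.get(raw[0])

def _bech32(addr):
    """Return 'P2WPKH' or 'P2WSH' for a valid mainnet witness-v0 Bech32 address."""
    hrp, _, data = addr.lower().rpartition("1")
    if addr not in (addr.lower(), addr.upper()) or hrp != "bc" or any(c not in B32 for c in data):
        return None                                # mixed case, wrong prefix or bad character
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    values += [B32.index(c) for c in data]
    chk = 1
    for v in values:                               # BCH checksum over prefix and data
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate(GEN):
            if (top >> i) & 1:
                chk ^= g
    if chk != 1 or data[:1] != "q":                # 1 = Bech32 constant, 'q' = witness v0
        return None
    return {32: "P2WPKH", 52: "P2WSH"}.get(len(data) - 7)  # 5-bit groups in the program

def classify(addr):
    """Name the address format, or 'invalid' if it fails its own encoding rules."""
    kind = _bech32(addr) if addr.lower().startswith("bc1") else _base58check(addr)
    return kind or "invalid"

# Addresses as printed in the article above; results depend on how faithfully they were copied.
PAGE_ADDRESSES = ["bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh", "1Ai52Uw6usjhpcDrwSmkUvjuqLpcznUuyF",
                  "3BMEXqT4yGBFiVBeJFHF4Ak5PyhqTnidKP", "16ftSEQ4ctQFDtVZiUBusQUjRrGhM3JY"]
if __name__ == "__main__":
    for a in PAGE_ADDRESSES:
        print(f"{classify(a):8} {a}")
```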