How will the Twitter hackers cash out the Bitcoin they scammed from users following Wednesday’s epic breach? By putting the coins through Bitcoin mixers to obfuscate their trail, and they’ve already started, according to crypto tracing firm Elliptic.
The blockchain analytics company published a report earlier today that states it has uncovered evidence that the Twitter hackers have sent a portion of the Bitcoin they stole to an address it believes to be linked to a Wasabi wallet. Wasabi is a Bitcoin mixing service that uses the CoinJoin privacy technique to conceal transaction trails on the pseudonymous Bitcoin blockchain.
According to Elliptic, such techniques make it “difficult for law enforcement investigators or financial institutions to trace funds on the blockchain,” though they are not illegal.
The tracing firm said it believes the Twitter hackers have so far put 2.89 Bitcoin, approximately 22% of the $120,000 worth of BTC stolen, through the Bitcoin mixer.
“The use of this type of wallet by those laundering the proceeds of the Twitter hack is not surprising,” Elliptic said in its report. “One of the most common techniques used by law enforcement to identify the perpetrators of this kind of attack is to follow the money trail to the point of cash-out.”
The report’s authors went on to note that most crypto exchanges use KYC checks to identify their clients. It’s this type of identifiable information that can be used by law enforcement to link the crime to the hackers’ real-life identities. But using a Wasabi wallet or another such service makes that harder, said the firm.
Leading US-based crypto exchange Coinbase, which took steps to block transactions associated with the Twitter hack, is among Elliptic’s clients.
Meanwhile, according to a story in the New York Times Friday afternoon, the hack appears to have been the work of a group of at least four young people, and not a "nation-state or a sophisticated group of hackers." In its interview with the hackers, the Times learned that one hacker lives on the US West Coast and is in his 20s, while another said he was 19 and lives in south England.
The hackers told the Times, as they had earlier told VICE, that the hack was orchestrated by an individual (Discord screen name "Kirk") who claimed to work at Twitter.