On July 15th, 2020, several verified, high-profile cryptocurrency Twitter accounts were being leveraged to send users to a phishing site. Subsequently, multiple high-profile verified users – including Bill Gates, Elon Musk, and Barack Obama – were compromised and began posting tweets calling for money to be sent to a bitcoin wallet address (bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh) and double would be sent back in turn. All in all, over $100,000 was sent to the address mentioned in one of the most successful of these types of scams. Later, cybersecurity firm RiskIQ released a list of almost 400 domains that through on-page similarities they tied to the phishing domain originally mentioned. Between those domains and the original tweets, the DomainTools Security Research Team used both the Iris Investigate platform and OSINT sources to gain insights into the infrastructure, trends, and financials behind these scams.
Follow the History
The earliest domains in this data set were registered in 2018. Many of the domains cluster around specific email addresses, TLS certificates, and other registration details. With the spread of hosting providers, registrars, and infrastructure fingerprints behind all of these domains we can say with high confidence that the domains in this data set belong to multiple sets of scams and likely multiple actors.
Expanding on historical email addresses associated with these domain’s registration data, we can expand the list to just under 600 domains and clusters begin to appear.
One early cluster tied to an email address (olegolegoleg1@bk[.]ru) crops up older CS:GO (a popular FPS game) container key resale scams which Valve, the company behind CS:GO, disabled in 2019 as the majority of the traffic they were seeing was to launder money through the game.
Another cluster ties the actor behind it to several known blocklisted phishing domains that have gone offline in 2019.
While yet another cluster links back 82 domains to almost two years of these exact kinds of bitcoin scams leveraging Elon Musk and Tesla lures.
With the prevalence and ease of these scams it comes as no surprise that there are dozens of clusterings of likely independent actors and a history of these low-hanging fruit scams targeting cryptocurrency.
Follow the Naming Patterns
After running the list of domain names released by RiskIQ through a probabilistic-based word splitter, we can figure out what words were used most by the people that registered these domains. Below is the list of words from the dataset, sorted by their frequency of use.
When looking across this list there are terms that are obviously related to each other
- Apple related: airdrop (4), woz (3), apple (4)
- Bill Gates: bill (9), gates (28)
- Elon Musk: elon (25), musk (16), tesla (9), space (12), x (17)
I decided to pick one of the more popular, but less obvious words to investigate deeper; mcafee which occurred 27 times. The theory is that people who register multiple domains based on a single term will use some of the same registration/infrastructure patterns.
Mcafee domain patterns
Most of the mcafee domains are registered anonymously through “regprivate.ru” or “reg.ru”
Many domains that are not registered via a russian registrar, have russian sounding names: Vyach Kapustin, Igor Smirnov, John Vladimir (found 5 domains from John)
One registrant, Masis069 Arutunyan, links to the domain binance-cryptovaganza.org, which isn’t part of the mcafee set of domains. But the naming pattern is similar to other domains in the RiskIQ dataset; “binance” occurring 52 times and “ganza” occurring 4 times. So including all “ganza” domains into the list of “mcafee” domains.
Using the registrant Masis069 Arutunyan, and the terms “mcafee” and “ganza” to expand the list of domains, another name surfaced; “John Vladimir”, which is associated with 3 domains in the RiskIQ dataset.
Another strong pattern among the mcafee domains is the registrar Hostinger. Looking back at the full list of RiskIQ domains, the majority of them that were registered by Hostinger were registered around 260 and 360 days ago.
13 of the 27 mcafee domains have their own mail server configured.
This investigation into the mcafee domains pulled together around 40 domains from the RiskIQ dataset that were highly related to each other.
I then dove into the “elon musk” related domains and was able to find a group of domains that were highly related to each other as well. But what was interesting is that the mcafee domain set had no connections to the registration or infrastructure patterns of the elon musk domains.
Follow the Money
Diving into the known associated Bitcoin wallet addresses associated with the Twitter compromise, let’s establish a baseline for our investigation.
|Wallet Address||Number of Transactions||Total Balance|
Investigating on the Bitcoin wallet with the most transactions (390) and with the total received balance being over $117K USD, let’s dig into any interesting transactions that have occurred. Walletexplorer.com helps us highlight these wallet transactions, specifically with observing how much Bitcoin was transferred, when it was transferred and to which wallets.
We can see a total of 4 transactions of Bitcoin transfer for multiple values to multiple wallets.
The timestamps for these transfers all occur within the same window of time, generally, July 15th 2020 21:02 to July 15th 2020 21:29. That’s about 17 minutes.
One possible theory behind the transactions is that they are paying off those involved with the incident from an attacker’s perspective. This attack was likely not conducted by a single individual. There could have been an initial threat group that compromised Twitter and then sold the access off to another bidder who leveraged that access to conduct the cryptocurrency scam. There are theories that an insider threat was involved in providing internal access to systems/tools to the attackers, and this could be a possible documentation of the payments received for that to happen. Cybercriminals are rarely just a single threat actor, and there are several running theories behind this attack.
|Associated TX Bitcoin Wallets to Bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh|
The money is moving pretty fast, and we can see that in some high value transfers from the originating wallet to other associated wallets all associated with the threat group behind the Twitter attack.
We have uncovered several additional IOCs and insights into this prolific attack against Twitter and its users. Stay tuned for further information as we uncover it.