
Twitter Hack Shows Benefits of Scanning Social Media, Cryptocurrency Blockchains

By Daniel Bethencourt

The recent hacking of dozens of prominent Twitter accounts as part of a broad attempt to bilk victims out of bitcoins shows the difficulty of disguising cryptocurrency payments and social media’s role in helping U.S. exchanges detect fraud, sources told ACAMS moneylaundering.com.

On July 15, hackers armed with inside knowledge of the social media platform took control of the accounts of former President Barack Obama, celebrity entrepreneur Elon Musk and at least 30 others, then used them to promote a fraudulent marketing scheme in which those figures appeared to claim in tweets that they would match or even double the sum of bitcoins victims sent to certain wallet addresses.

Other hacked Twitter accounts belonged directly to cryptocurrency exchanges such as Binance, Gemini, Coinbase, Bitfinex and AngeloBTC. The social media platform halted the attack within hours, but not before at least 400 victims reportedly sent an estimated $120,000 in bitcoins to the wallets referenced by the fraudulent tweets.

On July 16, one day after the hack, the U.S. Treasury Department’s Financial Crimes Enforcement Network, or FinCEN, published a list of six red flags that cryptocurrency firms and other companies should use to identify proceeds from the scheme.

None of the red flags pertain directly to transactions, but five of the six refer to social media: one warns of customers “soliciting payments with misspellings or messages out of profile for the counterparty,” another warns of the use of unverified Twitter accounts for promotional purposes, and a third draws attention to clients who use several accounts to send the same message.

FinCEN’s guidance does not appear to recommend that cryptocurrency exchanges proactively monitor the social media presence of every customer, Gregory Lisa, a former senior FinCEN official, told moneylaundering.com.

Exchanges that flag a payment as suspicious will sometimes review social media posts and other online resources if the counterparty’s wallet address is not clearly hosted by a regulated firm, or if the underlying transaction has no obvious business purpose.

For certain high-risk clients, however, social-media data mining has become an “essential part of customer due diligence and customer onboarding,” Lisa, now an attorney with Hogan Lovells in Washington, D.C., said.

Exchanges should automatically screen social media to identify any of their customers who promote that same exchange as a vehicle for transferring funds, said Carol Van Cleef, a Washington, D.C.-based attorney with the Bradley Arant Boult Cummings law firm.

“If you find a [wallet] address that people are sending to, and you’re seeing a lot going in quickly, you will want to run it against social media,” Van Cleef said. “In the old days you had some time—at least a few days before people became aware of what the latest scheme was.”
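The screening Van Cleef describes, combined with two of FinCEN's red flags, as an added example that is not code from the article, FinCEN or any exchange: it flags addresses receiving many payments in a short window and then checks whether that address is promoted from unverified accounts or in identical messages from several accounts. All transactions, posts and addresses are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: inbound payments (ISO time, destination, BTC) and
# social media posts. Addresses are placeholders, not wallets from the scheme.
TXS = [(f"2020-07-15T20:{m:02d}:00", "bc1q-scam-placeholder", 0.05)
       for m in range(0, 30, 5)]                      # 6 payments in 25 minutes
TXS += [("2020-07-15T09:00:00", "bc1q-merchant-placeholder", 0.30),
        ("2020-07-15T18:40:00", "bc1q-merchant-placeholder", 0.12)]
POSTS = [
    {"account": "btc_giveaway_1", "verified": False,
     "text": "Send BTC to bc1q-scam-placeholder and get double back!"},
    {"account": "btc_giveaway_2", "verified": False,
     "text": "Send BTC to bc1q-scam-placeholder and get double back!"},
]

def inbound_velocity(txs, window_minutes=60, min_count=5):
    """Addresses receiving at least min_count payments inside any sliding window."""
    by_addr = defaultdict(list)
    for ts, addr, _amount in txs:
        by_addr[addr].append(datetime.fromisoformat(ts))
    window, flagged = timedelta(minutes=window_minutes), {}
    for addr, times in by_addr.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= min_count:
                flagged[addr] = max(flagged.get(addr, 0), n)
    return flagged

def social_media_red_flags(addr, posts):
    """Two of FinCEN's July 16 red flags applied to posts mentioning addr:
    promotion from an unverified account, same message from several accounts."""
    mentions = [p for p in posts if addr in p["text"]]
    flags = set()
    if any(not p["verified"] for p in mentions):
        flags.add("unverified_promotion")
    senders = defaultdict(set)
    for p in mentions:
        senders[p["text"]].add(p["account"])
    if any(len(accounts) > 1 for accounts in senders.values()):
        flags.add("same_message_multiple_accounts")
    return flags

def screen(txs, posts):
    """Velocity hits, enriched with the social media red flags for each address."""
    hits = inbound_velocity(txs)
    return {addr: {"inbound_count": n,
                   "flags": sorted(social_media_red_flags(addr, posts))}
            for addr, n in hits.items()}
```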

The scheme

On Friday, federal prosecutors in San Francisco accused three individuals of orchestrating the fraud: a 17-year-old resident of Tampa, Florida; Orlando resident Nima Fazeli, 22; and Mason Sheppard, a 19-year-old U.K. national who was also charged with money laundering conspiracy.

State prosecutors in Tampa identified the 17-year-old as Graham Ivan Clark and accused him of acting as the scheme’s “mastermind.”

During the scheme, Sheppard, the U.K. national, used a “cluster” of addresses to send one of the conspirators, “Kirk#5270,” a total of $33,000 in bitcoins in exchange for the login credentials of hacked Twitter accounts, which he then sold to strangers on internet message boards for a profit, federal prosecutors said.

Various news reports and independent analysis identify “Kirk” as Clark, the 17-year-old “mastermind,” but federal prosecutors stopped short of drawing that connection in court records.

Investigators found that Sheppard’s wallet addresses sent money to and received money from accounts at Binance, a cryptocurrency exchange founded in China but later thought to operate from Malta.

Binance’s location was thrown into doubt in February after its chief executive denied any connection to Malta. Despite that uncertainty, the exchange provided detailed know-your-customer data to an IRS investigator who subsequently identified Sheppard as the controller of two accounts linked to the scheme.

“Binance also provided a photograph that was provided by Sheppard to Binance which contains an image of Sheppard holding a driver’s license in the name of Mason John Sheppard, which appears to be the same driver’s license provided to Coinbase,” federal prosecutors claimed in the indictment.

The alleged conspirators transferred funds to at least a dozen new wallets within two days of the hack and also appeared to have used a mixing service that combines and redistributes assets from several customers to muddy the blockchain, a public ledger of Bitcoin transactions, said Robert Whitaker, a former federal investigator who analyzed the scheme for moneylaundering.com.

But they stopped short of using more advanced cryptocurrency-laundering strategies such as “peel chains,” the process of automatically breaking bitcoins into smaller, less-noticeable transactions, said Whitaker, now an El Paso-based executive for BIGG Digital Assets, a cryptocurrency analysis firm.

Peel chains have allegedly been used by the Lazarus Group, a collective of North Korean government-sponsored hackers whom U.S. prosecutors accused in March 2018 of stealing and laundering at least $100 million from cryptocurrency exchanges in South Korea and elsewhere.

“The [Twitter] hackers didn’t think this out too well,” Whitaker said.

Contact Daniel Bethencourt at dbethencourt@acams.org

Topics: Info. Security/Cybercrime, Cryptocurrencies, Anti-money laundering
Source: U.S. Department of Justice
Document Date: August 4, 2020