From Tweet to Theft: Tracing the Flow of Stolen Cryptocurrency

TL;DR

This study traces the flow of stolen cryptocurrency from a Twitter scam, revealing how scammers obfuscate transactions and identifying the final destinations of illicit funds using blockchain analysis.

Contribution

It demonstrates a method to track stolen funds through blockchain analysis, linking social media scams to actual illicit transactions and final destinations.

Findings

Stolen funds exceeded $3.5 million deposited into a major exchange.

Scammers used obfuscation tactics to hide the flow of illicit funds.

Final destinations included exchange and swap service addresses.

Abstract

This paper presents a case study of a cryptocurrency scam that utilized coordinated and inauthentic behavior on Twitter. In 2020, 143 accounts sold by an underground merchant were used to orchestrate a fake giveaway. Tweets pointing to a fake blog post lured victims into sending Uniswap tokens (UNI) to designated addresses on the Ethereum blockchain, with the false promise of receiving more tokens in return. Using one of the scammer's addresses and leveraging the transparency and immutability of the Ethereum blockchain, we traced the flow of stolen funds through various addresses, revealing the tactics adopted to obfuscate traceability. The final destination of the funds involved two deposit addresses. The first, managed by a well-known cryptocurrency exchange, was likely associated with the scammer's own account on that platform and saw deposits exceeding $3.5 million. The second address was linked to a popular cryptocurrency swap service. These findings highlight the critical need for more stringent measures to verify the source of funds and prevent illicit activities.