None of the roughly 13 bitcoin (BTC) acquired through Wednesday’s Twitter hack have been laundered, according to chain analysis conducted by Samourai Wallet.
“Confirmed, no signs of mixing. Majority of funds spent 1 or two hops and [are] now parked,” Samourai said in a Twitter DM to CoinDesk. “Really curious what their cash-out plan is.”
As of 14:00 UTC, the funds in at least one address are already under the control of Coinbase, Samourai added.
Read more: Full coverage of Twitter Hack 2020
“Based on the history of the first destination address of the cryptoforhealth scam addresses, the scammers have a history of gambling on Bitmex and Coinbase usage,” Samourai researcher Ergo said in a Tweet.
“This is peak crypto,” Ergo added.
No coin-mixing involvement (yet)
Overall, Samourai says the hacker only used three Bitcoin addresses and has not sent any funds through a mixing service, as data provider CryptoQuant had previously tweeted. (CryptoQuant has since told CoinDesk that they no longer believe the funds have been mixed.)
“Always a possibility the address is an unlabeled mixer, but I don’t see any hints, and one time use addresses are very common in general and not a definitive pattern for mixers,” Ergo told CoinDesk.
Those addresses, however, linked to other addresses which Samourai tracked to the popular crypto derivatives platform BitMEX.
“Everything from the first address is being spent to this address 1Ai52Uw6usjhpcDrwSmkUvjuqLpcznUuyF which looks to have been first funded via BitMex,” Samourai said.
Tracking the Twitter hack funds through Bitcoin exchanges
On-chain data allows services to track where funds are moving. In this case, the address had previously been used by a BitMEX trader for moving funds on and off the platform. However, BitMEX has less stringent ID policies, also known as Know Your Customer (KYC), for trading on its domain. So, BitMEX may not be so helpful in finding the perpetrator.
BitMEX did not return requests for comment by press time.
“At best investigators can subpoena any relevant account info including IP addresses, from there, they can glean some additional info from on-chain data including source of funds,” Ergo said in a private message.
Coinbase, on the other hand, has very strict KYC policies. Ergo said the best chance of identifying the hacker comes from Coinbase.
“One spend 2 hops to Binance. Other than that there is the first spend destination reused address that has sent to Coinbase in the past. If they control this address it’s already over and chain analysis knows it,” Samourai said.
The leader in blockchain news, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.