Live BTC transactions in Twitter hack (blockchain.com)
372 points by aliabd on July 15, 2020 | hide | past | favorite | 269 comments



The general thread about the hack is https://news.ycombinator.com/item?id=23851275.

Please discuss the general aspects there and the BTC aspects here.


At Poloniex, we quickly blacklisted this address. This prevents all of our users from sending money to them. Many exchanges can likely do the same thing.


If anybody here ever finds themselves in the same dilemma, use Morphtoken over Tor to swap to XMR, a completely different blockchain.

This makes all the chain analysis companies and the armchair blockchain sleuths simply follow transactions on the bitcoin blockchain forever, thinking they are doing something productive with their lives, while you have hopped over to another chain that they can't track assuming they even noticed that you swapped.

That was a viable last-decade solution and is unfortunately centralized. This decade, in 2020, you can also use the decentralized renBTC to permissionlessly lock up your bitcoin and mint it as an ERC-20 token on the Ethereum blockchain. So now you are really liquid and have access to the entire decentralized finance economy.

But again, if you really want to get government bucks and an unlinked trail, you need to sell the renBTC token for Ether and move that Ether into either Tornado.cash for a little while, or go back to the centralized solution like Morphtoken and swap the Ether for XMR as XMR has an inherently stronger anonymity set than anything else.

Peace.


Just to be clear, this is a step by step process for how to launder money, right?


No, as it doesn't detail necessary reintegration into the economy. You will need to offer a service for crypto which you report taxes on. Your "customers" either pay directly in XMR which there is no trail on, or they swap the XMR back for a more likely used cryptocurrency like bitcoin or Ether, and pay you with that. So now it is.

In any case, as your lawyer might tell you: if the origin is illicit, it is money laundering. If the origin is not illicit, then it's not money laundering.

The irony being that it is the onus of the accuser to determine the origin, and if you do it right that is not possible to know in any scenario. Typically money laundering then is a tacked on charge, after other clear evidence is already known, to help ensure a conviction.

But really, at this point it's probably better if your public resources weren't spent on flagging transactions in the first place, and if the private sector were not burdened with doing this work for the state.


What should someone do if they want to turn legal funds into anonymous crypto? Do you think BTC->XMR is a sketchy thing to do if the BTC is linked to your identity?

I'd like to have some anonymous money just in case the future gets really dark, but I'm not sure if it's wise to flag myself as a BTC purchaser that changes to XMR.


Define sketchy? Many of us buy and sell XMR under our real identities regularly, and don't have any problems.

Of course, if the future is dark enough for a list of everyone who has ever bought XMR to be compiled, then your name would be on it, along with mine.

If you're worried about that, I suppose you could distribute the XMR to a bunch of different addresses over some length of time. (All addresses you control, unbeknownst to the authorities.) Then if they do hunt you down you have a plausible story that you spent it all.


is that how you really think?

stop using surveillance coins to begin with and just use Monero natively instead of as a conduit

In the meantime, pollute the pool by doing more lawful transactions in Monero. Monero is half as old as Bitcoin and has only been used on darknet markets for half of that, due to its older user experience challenges.

Just swap to the more fungible asset. It's a flight to liquidity; the market always chooses that.

The state just figured out how to use transparent blockchains as a tool a decade late, and the market has already moved on.


You have the right ratio of technical knowledge and command of language to potentially make anything you write, believable. Do you have a blog of sorts?


I'm glad to read that, I just hope it is enough information for everyone reading this to be able to independently corroborate, without any further knowledge of my credentials.


Best way is to find someone on a service like LocalBitcoins who can meet you in a public place and sell you BTC for cash. You can wait a bit to get a couple of confirmations.


It's too time-consuming and/or dangerous to do any meaningful amounts, and it is monitored. You would probably have to wear a mask at the drop as well, and things like that. Safer to just coinjoin + mix + XMR.


Buy mining equipment and start mining.

The ROI won’t be great but you’ll have virgin coins to do what you want with.


^ this right here if you're patient and only need to break even.

even in hot climates where power isn't cheap enough, buying digital asset mining computers to break even or even take a 5-8% loss is the best way to convert any amount of money from that local economy into the global digital economy.


For small amounts, to pay for VPNs or whatever, find an exchanger who you trust, and ~anonymously mail cash to them. Then anonymize the cryptocurrency. For Bitcoin, mix multiple times, via Tor (Whonix) and using a different wallet and mixing service for each mix. If you lose some, it's no big deal.

For real money, hire someone who knows what they're doing.


> If the origin is not illicit then its not money laundering

It is if done for purposes of e.g. avoiding taxes or purchasing illicit goods.

That said, obfuscation per se is not illegal in most jurisdictions.


so like an illicit origin? :)

yes, people need to be aware of the universe of illicit origins. When I was working for the US government, most of the people indicted under these laws (structuring, avoiding reporting thresholds, and then obfuscation, so money laundering) were not terrorists or drug dealers. They were people like landlords freaking out because a tenant was suing them and they wanted to move their money without triggering a real or imagined $10,000 threshold. Whoops, structuring is illegal, straight to jail, and we'll take the money too! Tenant lawsuit still pending, lol.

All while HSBC completely undermined the 'purity' of the licit financial system to the tune of billions over many years on behalf of the LITERAL CARTEL. Guys, 9/11 wasn't that expensive to pull off, and today's compliance measures wouldn't have flagged those wire transfers, so who is this for?

Stigmatizing the whole concept of having money and moving money has been an expensive and unnecessary and fruitless exercise. While increasing the costs of offering a financial service.


Also obfuscating money can be important for an individual's safety. For example for victims of domestic abuse or human rights activists in repressive countries.


Also the safety of individuals against government overreach, like people living in Xinjiang or Hong Kong.

Non-political checks on the power of the state, like cash and its electronic corollary, private digital currencies, are needed in case of the failure of the political system to prevent the state from becoming oppressive.

An institution like physical cash can be powerful/deeply-embedded enough to survive totalitarian governments.


> so like an illicit origin?

No. The obfuscation of licitly-acquired funds used for illicit purposes is still money laundering.


I doubt that is the case world-wide, right?


In the US, "tax avoidance" is a term which describes procedures that are always legal. When you stated "avoiding taxes" I believe you really meant "tax evasion".


> That said, obfuscation per se is not illegal in most jurisdictions.

And it can't be, as long as fiat money exists. There's no tracing involved in passing notes around. The only times fiat transactions become suspicious is if you try and cross a border with a lot of cash or valuables on hand, which is where crypto comes in because it knows no borders. This makes law enforcement nervous.

I'm sure that besides crypto there's many ways to move large amounts of money or valuables across borders though. The rich do it, they just set up shell companies and pay licenses for intellectual property, paying a token amount of corporate taxes.


> The irony being that it is the onus of the accuser to determine the origin

Not really, you need to be able to justify to the tax authority how you got in possession of any amount of assets you have and prove you pay taxes on it.

So if a large amount of money eventually shows up in your bank account (or you buy a house or any other "visible" asset) and it is not compatible with your previous tax returns, it is likely the tax authority will notice it, and at that point you are fried.


That’s the point of reintegration.

Reread that paragraph and don't skip it this time.

You run a very successful fly-by-night VPS service paid for only in crypto. There is a decent-sized market for that, by the way. Too bad most of your customers are fake; anyway, be diligent and actually mimic your customer behavior over Tor.

Run a subscription service.

Figure it out. Some to all of your customers will be fake because it will just be you making more accounts and paying yourself.

Report taxes on your wildly successful SaaS cloud business.

Assuming you even want govbucks, you deposit the clean crypto into your business and personal bank accounts.

No different than cash-based services, except it's online/digital native and not constrained by local market liquidity and brick-and-mortar overhead.


How do you explain your business suddenly failing after you're done transferring your old funds into it?

And isn't it easier to simply cash out XMR you've allegedly mined back in 2014? Long-term held. cost basis zero, capital gains rate 20% max in the US. That's even better than the 21% corporate income tax.


You are right; also I would imagine the tax authority does not even care too much about where the money came from, they just want to make sure you paid enough taxes. Criminal investigation agencies of course do care.


The IRS has a criminal enforcement department, and they absolutely investigate criminals and press charges that have nothing to do with tax evasion. Often they work with other branches, but they are fully fledged FBI agents and can prosecute any crime they want.

Usually they do that when they stumble upon them during tax/laundering investigations, but they'll prosecute anything.


It's a guide on how to pay privately with cryptocurrencies. You should still report and pay tax on private cryptocurrencies.

Privacy and tax evasion are not identical.


Correct: if the origin is illicit, it is money laundering. If the origin is not illicit, then it's not money laundering.

The licit private transactions are indistinguishable from the illicit ones.


Illicit money that you pay taxes on is generally not problematic, at least to the IRS. You probably still need to worry about other three letter agencies, though, depending on how it is illicit.

Edited to add: I’ve heard of drug dealers doing it. Whether it’s true or not I can’t say.


how exactly would one do that (pay taxes on illicit $)? are there public examples of it?


According to the IRS[1] "income from illegal activities, such as money from dealing illegal drugs, must be included in your income on Schedule 1 (Form 1040 or 1040-SR), line 8, or on Schedule C (Form 1040 or 1040-SR) if from your self-employment activity." So I guess you'd just count it as "other income" on your 1040.

[1] https://www.irs.gov/publications/p17


That's a trap, my guy; you are incriminating yourself when reporting that.

That’s the point of criminalizing all options


Are you?

Or just avoiding an easy conviction under tax evasion laws?


paying taxes on illicit activities = relying on admitting the illicit activities either directly on the tax form or in an audit = FAIL

not paying taxes on illicit activities = tax evasion and likely discovery of illicit activity in criminal investigation = FAIL

money laundering = illegal if the government has determined the source is illicit = FAIL

those are the options and deterrents.

if you money launder with proper obfuscation, you wind up with money that you do pay taxes on and will never trigger an investigation.


Indeed. As the old saying goes, Al Capone got nailed on tax evasion. As I understand it, the IRS is more interested in the amount than where it came from.


Capone got nailed for evasion because his brother got nailed for evasion and he got scared so he tried to preemptively normalize his own tax situation but in doing so indirectly admitted that he hadn't paid taxes, so they busted him with no further evidence required.

But they also were trying to bust him for evasion because he declared zero income and lived a visibly lavish lifestyle. The government was gathering evidence on his spending to estimate his income and how much he evaded.

You can't sustainably solve that problem by simply paying lots of tax on magic illegal money, especially not in today's interconnected world. Laundering is core to the solution.


Isn’t that the purpose of money laundering, to create an income stream so that you can pay taxes on it? I don’t know tax law in depth, but it seems like if one could just report to the IRS anonymous money it would largely obviate the need for money laundering at all. Of course there’s the question of other gov agencies.


You can always cash out "Bitcoin you [allegedly] bought back in 2010", or Monero you mined back in the day so there's no way to even prove its source, and declare that to the IRS. With a cost basis of almost zero, you'll pay long term capital gains tax, 15% or 20%.

BTW when you declare your crypto gains, the IRS not only does not care about the source, there's not even a place on the forms to list the source.

That might change in the future though.


But also don’t do that

You want to unlink the transactions


There are other reasons why someone would want financial privacy other than to commit financial crime, just as there are other reasons why someone would want communication privacy other than to conspire to commit a crime.


"Yes"


“Yesnt”


Coinbase apparently did also: https://news.ycombinator.com/item?id=23852054

I'm betting Gemini also blacklisted that BTC address, especially considering that they were in the first wave of fake tweets.

Really wondering now just how much BTC the attacker effectively left on the table by reusing a single wallet address, especially considering that lots of people who deal in crypto use just a handful of exchanges to send it. Would be pretty difficult to quantify, though.


You should also make the users that try to send money take a mandatory class in detecting obvious scams before continuing to use your service.


One of my former employers used a security company to regularly send out very well designed phishing emails with personalized links. Clicking a link or opening an attachment got you a call with IT plus a mandatory class in how to avoid phishing.

The success rate of those simulated attacks dropped drastically after the first few tries. Maybe if more companies did this it would also help fewer people to fall for it outside of work.


The sad thing is that people probably stopped clicking them because they think "It's another dumb IT trick". I guess it works well enough, though.


I remember a debate in the 90s on whether consumers should have to get licensed (like ham radio operators) to use a personal computer on the internet.

Maybe eternal September wouldn’t have happened...


Just do a coin join transaction. These kind of blacklisted addresses can be easily bypassed.


They can whitelist again for a certain amount.


While this is a good measure, what does it mean to the decentralization promise of Bitcoin?


People who use exchanges are traders (retail or professional) and hodlers who don't want to deal with the intricacies of managing 100+ coins on 50+ blockchain networks. The decentralization of cryptocurrencies is not an all-or-nothing proposition - users can choose the level of decentralization they would like based on their preferences.

What I like most about decentralization is that anyone in the world can create a new crypto business on the blockchain rails, integrate with everyone else, and attract users. Of course there are real-world repercussions if your physical entity is in a locale with laws that you violate, but it is orders of magnitude easier to start a crypto exchange than a traditional bank.


Won't this end up like email, though? Sure, anyone can set up their own business... however, 90% of people will be on a few large providers, and those providers will end up blocking transactions coming from unknown new providers (to prevent scams). Decentralization doesn't stop consolidation.


It is much easier to set up your own cryptocurrency wallet than it is to set up your own trusted email server. Your metaphor is similar but off by a large amount. The major difference is that blockchain deals primarily with money, so email spam (useless worthless messages) is inherently less worthy of sending because doing so actually pays me, in addition to the fees you pay the network.


It used to be pretty easy to run your own email server, back when a lot of people did it. If someone is worried about a future where most cryptocurrency runs through a small number of providers, as email does today, I don't think they should find your comparison heartening.


I see what you are saying, I know SMTP fairly well, used to run my own server, and looked fairly deeply at DKIM / SPF / DMARC. However I also know blockchain protocols intimately, and I can say with certainty that the Bitcoin protocol and SMTP are completely different (as well as Ethereum, Monero, Stellar, Ripple, EOS, Tron, and on and on). It is just a completely different thing.

If you are worried about other wallets not accepting "my" wallet, as is the typical problem with hosting your own email, you don't need to worry. Money is money, if I receive it I receive it. It's just completely different from receiving a text-based message like the wide-open and free SMTP is.


It's not that easy to set up your own wallet. Most require you to download the entire blockchain if you want to be completely independent of a third party.


What's not easy about downloading the blockchain? All you need is to have enough free space, press the button, and wait a while.


Bitcoin is around 270GB. Monero is around 64GB. These aren't trivial downloads, and then you'll need to leave the wallet running to stay in sync or you'll have lengthy waits while it catches up the next time you run.

Most people can open a credit card or bank account in 30 minutes or less. Waiting a week for a blockchain to download is a non-starter for most.


Actually, it's over 300GB for Bitcoin and almost 85GB for Monero today.

Regardless of that, I recently synced Monero from scratch in 3 hours, over an 802.11n network that never seems to do better than ~75Mbps. We can extrapolate that Bitcoin would be done in something like 9.5 hours. So I don't know where you got a week from.

If you still don't like that, you can always use a remote node, in which case you can begin using a new account literally immediately, even better than your 30 minutes at a bank.

IMHO that is a perfectly fine tradeoff for a new user who doesn't want to commit to syncing the blockchain. Nevertheless, when I deal with new, non-technical users in the Monero community, I find that they almost always prefer to run their own fully synced node, even though they understand the tradeoff (i.e., that using a remote node is probably fine). I even had a guy that has no computer, phone only, looking for help on setting up a full node on his phone.

Anecdotal perhaps, but it certainly makes me skeptical of the claim that blockchain size is a big hurdle for many people at all.

Oh yeah, and just for completeness: you can prune the blockchain with both Bitcoin and Monero if storage space is a concern, reducing it by something like 70%.


Using any third-party removes the benefit of not using a third-party.

Also, I'd test your speed report, but ultimately I don't want to waste 300GB or 85GB of my monthly download cap on that experiment. In the past, download was slow and CPU usage was high while syncing. I don't see people running to devote a large portion of their internal storage or download cap to crypto, unless they are crypto enthusiasts.


> Using any third-party removes the benefit of not using a third-party.

No, it doesn't. Why would you make such an absurd statement? Using a remote node is nothing like using a centralized payment processor. For one thing, they can't gain access to your funds. For another, there are thousands that you can use interchangeably.


It's as simple as it sounds. Relying on a third-party means you're relying on a third-party.

If you're relying on a completely hosted web wallet, then you really don't know that they don't have access to your funds. If you use something like Electrum then there is less risk, but you're still relying on a third party to relay accurate information to you about the blockchain, which could possibly open you up to attacks (albeit complex and likely limited in scope). Every new tool/service adds more layers, and means more trust of third parties is required.


> which could possibly open you up to attacks (albeit complex and likely limited in scope)

It's laughable to compare this to using a third party which can hold your funds indefinitely and censor your transactions with no recourse for you. That's very simple, and unlimited in scope.

Sure, running a local node is even better, but using a remote one doesn't "remove the benefit." That's nonsense. It removes maybe the bottom 1% of the benefit while leaving the other 99% intact.


There are conveniences associated with the banking system; for example, if someone compromises your account, there is a large chance you'll get your money back. Unless you're friends with the crypto devs and can force a fork, you're likely screwed with crypto if your wallet is compromised.

I didn't say it removed all benefit, but removed the benefit of "not relying on a third party", because you are. It sounds like you're saying "you can most likely trust those third parties", which is not the point of being independent.


No, that isn't what I'm saying at all. What I'm saying is that the level of trust required in a remote node is so minimal as to be almost negligible. Realistically, the worst they could do is deny you service, at which point you can just switch to any other of the thousands of nodes out there.

It's simply not comparable to trusting a third party that can block your transaction without recourse and/or hold your funds indefinitely.


Sure, but even with E-Mail there are a lot of smaller service providers. It's not _ideal_, yes, but the situation is at least a tad better and one failing company will not destroy the whole ecosystem.


Kinda similar to like under a gold standard you don't actually pay with gold. You can, but most people just use centralised "wrappers" around gold in the form of bank notes.


I don't know of any countries that are still on a gold standard.


Neither do I


There is no gold anymore, mate.


Well, it's not that there's no physical gold, but there's still a shortage. So it's pretty easy to get spot price, even from a local shop. And if you have substantial amounts to sell, you may get spot price plus several percent.

Also, I've read that silver is hot now, given the likely surge in the silver/gold ratio.


Any gold dealer begs to differ.


It means don't keep your money at exchanges if you want to control it.


Also protects the stupid. You can still send this address BTC. You just need to withdraw it to your own wallet first. Which buys the user time in which to discover it's a scam


It means that to block these funds, every single recipient must block the address.


In this case you could just create a separate wallet and send BTC through it. Sounds like Poloniex does its job better than your own wallet here.


Just because you can stuff dollars under your bedsheets doesn't mean you can't also use a bank.


How many users tried to send to this address?


Did you mean to say "denylist"? :upside_down_smiley:


why would they convert btc into usd? they are not stupid.


like trying to stop a steam roller with a mattress

obv the hackers will likely use multiple addresses


The weak link here is: to run a successful scam, you need to publicize the incoming address widely. That allows exchanges to block it. If you keep the address in secret, you can't get the gullible masses to fall for it.


One per Twitter account would have worked better in this case.


More database rows of blocked addresses?


Well, having to trawl for all of them, versus needing to find only one. I assume that leaves the window open longer.


It would be reasonable for exchanges to parse Twitter feeds and other social channels for anti-money-laundering and fraud signal, similar to GitHub shipping AWS secrets accidentally exposed in commits to AWS for triage/suspension.

Once you’ve got the infra in place, you can have AML and other compliance staff triage and action from a dashboard (blocking suspect transfers until further review has been performed, and releasing transfers of a review shows nothing suspect).

(Have done some AML/KYC work in the fiat finance space)


One thing I've learned in life is that nothing is as polished or automated as you'd think. I would be surprised if anybody was doing this except maybe high tier law enforcement.

Only because I've seen first-hand how advanced their taint analysis is, so I'm already over that surprise.


There are companies that do that and make AML/KYC databases for the exchanges to use.


multiple addresses, mixing, small batches, etc. there are tons of ways to evade exchange restrictions.


You can, but typical spam target won't, because they don't think they need to - they think it's a legit thing so they don't need to make any effort to hide it.


The most recent Elon Musk tweet (2:38 pm PDT; I cannot believe Twitter hasn't locked this down yet) used the same address.


I saw another one 2 minutes ago. Remarkable that Twitter has not fixed it yet.


I read somewhere that they hacked it multiple times. The first tweet got taken down and then it got posted again.


That doesn't sound very decentralized and trustless. If I want to get scammed in this brave new world, shouldn't I be allowed to? Maybe I want to fund the Nigerian Prince's get-out-of-jail efforts.


You're allowed to, but if you intentionally get yourself scammed knowing full well, you don't get to demand your money back.

In the traditional banking and commerce system, if you get scammed on, say, ebay, they will refund you. If someone hacks into your online banking, the warranties set by your bank will refund you (to a point). If your bank goes tits up, the national bank will compensate you.

Yes you pay a fee, but it's insurance.

Anyway, your statement + the actual scam in question just reminds me of eve online, where the money doubling scam is old as balls. The funny thing is that the operators of the game allow it - nobody stole money from you, you gave it away. Some scams there are long hauls, people slowly working their way up in the ranks of a corporation before liquidating the assets and taking the money. Again, the company behind the game will do nothing because their systems have not been compromised - YOU gave the person access to the company wallet. It's funny.

Bitcoin is the same, you're responsible for your own actions, you don't pay an insurance fee, you bear all the risk yourself. If you give your BTC to an exchange and they get hacked, that's on you because you moved your money out of your own wallet. They may compensate you (or print their own money to do so), but they may not have to.


I am glad I am not the only one who saw this and immediately thought of Eve. I was always surprised at how many people got suckered into this scam on eve even after it was well known.

CCP's policy on allowing this type of grift is fair, if greed overtakes rational thinking then the 'victim' has no one to blame. Granted in this case they used trusted twitter users to trojan their scam, not sure that has happened on eve.


The block only affects people moving coins from an exchange account. Those coins are, in the final analysis, still controlled by the exchange. It doesn't affect anyone who is moving coins from an account they directly control (i.e. have the keys to).


That sounds like centralized with extra steps


How can you justify a statement like that? Anyone can control their transactions if they want as was just explained to you. If anything it is decentralization with extra steps.


Is cash, which functions in effectively the same way, not usually recognized as centralized?


In this context not at all. No one controls who you give physical cash to. If someone promises you magic beans in a bar and you give them $1000, no one stops you, just as when you control a balance, nothing stops you from sending it to any address you want. I'm not actually sure what part of this is not clear.


That's what Bitcoin exchanges in Russia are for.


So much for "Bitcoin is anonymous, decentralized and nobody controls it".


It is - all the exchanges in the world can't stop you from making the transaction if you want to.


Bitcoin has never been anonymous, only pseudonymous.


- You still don't know who (which individual) is behind the BTC address, because bitcoin is anonymous.

- It is decentralized, but some exchanges process big percentages of conversions. Transferring the coins to other BTC wallets is decentralized. Moving it out of the BTC blockchain is often done through exchanges though, but there's a lot of them, and you can avoid the exchanges as well.

- No, everybody controls it; it's a consensus-based system, so if enough people agree on taking things in one or another direction it will. Look up "hard fork" in the context of BTC.


Hah not only that but guess which BTC just became less fungible


if you are having trouble getting liquid because a has-been exchange flagged your address, I wrote a guide


Link?


My comments history


They reposted it on the cash app account but with a different address. The exchanges are going to have a field day monitoring twitter.

New address: bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l

Tweet: https://mobile.twitter.com/CashApp/status/128352200769559757...


So strange that twitter can't automatically filter these. The message format is pretty consistent. Surely they could write something to at least put tweets matching this pattern in a moderation queue.


Apparently all tweets containing seemingly random strings of characters are blocked: https://twitter.com/NepalBlockchain/status/12835375822492180...


Facebook Messenger is blocking me from sending any string containing the attacker's wallet address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh. I'm trying to send blockchain explorer URLs to friends and it's failing.


Facebook messenger has extremely sensitive filters. It seems to block most links I try to send. Most recently, I tried to send a GIF of a beautiful city on a river to my girlfriend. Nope, blocked. The link was a GIF sharing site, I don't remember which one, but it's highly unlikely there's any malware on it so it must be a porn filter. And as for sending links to my staging site to a couple of tech friends... forget about it.


How would you write a regex that does this? How do you determine whether a string of characters is random?


The classic way to do it is see how well it compresses, though that requires a certain minimum length.


You can probably calculate the entropy / randomness of a string via a fairly simple algorithm.
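Both answers above in code: an added example (not from any commenter) that scores tweet tokens by Shannon entropy, keeps the compression-ratio test with its minimum-length caveat, and runs over two constructed sample tweets, one shaped like the scam message described in the thread. Thresholds, the token length floor and the URL exclusion are assumptions chosen for illustration.

```python
import math
import re
import zlib

TOKEN_MIN_LEN = 20       # assumed floor: bits/char can never exceed log2(len), so short words cannot score high
ENTROPY_THRESHOLD = 3.5  # assumed cut: long English words land near 3.0 bits/char, addresses above 4
URL_PREFIXES = ("http://", "https://")


def shannon_entropy_bits_per_char(s):
    """Shannon entropy of the character frequencies in s, in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def compression_ratio(s):
    """Compressed size divided by raw size (the 'see how well it compresses' test).

    zlib adds a fixed header and trailer, so the ratio only says something for inputs well
    beyond a few dozen bytes; a short string comes out above 1.0 whether random or not,
    which is the minimum-length caveat from the thread.
    """
    raw = s.encode("utf-8")
    return len(zlib.compress(raw, 9)) / len(raw)


def random_looking_tokens(text):
    """Return the whitespace-separated tokens of a tweet that look like random identifiers."""
    flagged = []
    for tok in re.split(r"\s+", text.strip()):
        tok = tok.strip(".,:;!?()[]{}\"'")
        if len(tok) < TOKEN_MIN_LEN or tok.lower().startswith(URL_PREFIXES):
            continue  # URLs are high-entropy too; they need their own handling, not this test
        if not re.fullmatch(r"[A-Za-z0-9]+", tok):
            continue
        if shannon_entropy_bits_per_char(tok) >= ENTROPY_THRESHOLD:
            flagged.append(tok)
    return flagged


def needs_moderation(text):
    """True when at least one token looks random enough to queue the tweet for review."""
    return bool(random_looking_tokens(text))


# Constructed sample tweets. The first follows the shape of the scam message described in
# the thread and uses the address quoted there; the second is an ordinary announcement.
SCAM_LIKE = ("I am giving back to my community. All Bitcoin sent to the address below "
             "will be sent back doubled! bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh")
BENIGN = ("Excited that our internationalization work ships tomorrow, "
          "writeup here: https://example.com/blog/i18n")

if __name__ == "__main__":
    for text in (SCAM_LIKE, BENIGN):
        print(needs_moderation(text), random_looking_tokens(text))
```

Vanity addresses such as 1BitcoinEaterAddressDontSendf59kuE also clear the entropy threshold because of their mixed case and digits, so this catches more than purely random strings.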


Reminds me of a thing years ago where a virus used a Twitter account's messages as its command & control system. Said twitter account encoded the commands in base64 I believe.


They are blocking tweets with that address now. I'm guessing that they still have no idea what the root cause is.


Somebody is getting fired today...

Edit: I was only making a joke, relax. Most likely it’s not a single person’s mistake. It’s just something you say when shit hits the fan.


Promoting, praising, or otherwise endorsing the kind of reaction you state is inexcusable in IT Operations. Your unstated assumptions-by-framing are:

1) A single person is responsible for the flaw.

2) A single person is either already under performance review or committed gross neglect of duties.

3) The above single person will be terminated rather than retrained.

If this is how you would speak about your own employees during a security incident, your business deserves to fail.

If this is how you expect to be treated by your employer during a security incident, you should seek employment elsewhere.


That dude is talking the exact way a lot of execs think. If this is due to one person's screw-up, that person is going to get railroaded out of the company's back door.

I saw this happen before. A newish IT guy accidentally deployed a script to a few hundred machines that took down the whole worldwide intranet for a multi-billion dollar juggernaut for an hour or so. He was supposedly forgiven, but ended up on a "performance improvement plan" where he had a bunch of impossible tasks, and every shortcoming was documented to use against him until he was fired.

I wish things worked the way you think they do, or if not that way, I wish they'd at least just shitcan the dude on the spot (with a few months' severance) and be done with it.


If you ever get put on a PIP for a reason that's obviously to get rid of you as fast as possible, have a quiet word with someone in power and float the idea of a settlement agreement.

You might even get a free laptop out of it..

(This comment is only considering employment in the UK)


In the US it's true companies get indemnity for this, but they also usually have better lawyers than you do, so most will play hardball and you lose and then when a company does a background search on you and see litigiousness... it's better to take your losses and move on.


I don’t know what form it would or even should take but these kinds of “Performance Improvement Plans” where the person being coached is set up for failure need some kind of alternative that incentivizes employers to either responsibly dismiss the person or otherwise be genuine with “performance improvement”.

These tactics are hard to prove if someone goes to court over it (probably) but are just as hard to recover emotionally from and can stunt a person all the way to their next job or many.


So when you see those impossible job descriptions that no one can possibly meet, that is your cover. It's not fair, but sometimes you just don't fit in and the team has to get rid of the fly in the ointment.


While I agree 100% with your response in general, Twitter are suggesting this is an inside job (the "social engineering" line looks like a cover for "someone has been paid for internal access"). If that's true, then someone is definitely getting fired today, and a whole lot more than fired to follow!


If confirmed, that would definitely be an appropriate scenario for someone to be fired.


jeez, they said it's just a joke...


They used the edit function to walk back their comment as a 'joke' after my post was submitted, and managed to make things worse in the process.

Would you joke about firing someone for a mistake during an interview? I would consider that a dealbreaker if I were interviewing someone, as in "this interview is over, go home".

Do you consider HN an appropriate forum for pithy one-liner jokes that do not contribute to the discussion? Reconsider.


So CEOs should never be fired for IT fuckups even with gross negligence and it seriously hurts someone?


It depends, same as it does for an employee. Is there a history of negligence? Did they refuse to consider warnings of risk that were presented? Did they or their peers brief their management on the risk?


Calm down


So saying one person should be fired is not okay, but saying a whole business should be fired is okay?


Unlikely. That isn't how hacks or outages are punished in large software service orgs, unless it was intentional or due to negligence like disabling a failing test to get something shipped to prod.


I’d be curious to find out which one of the accounts proved to be the better “sales lead”


They should have used unique wallets for each tweet and A/B tested the gullibility of the victim's audience.

Would have made them more difficult to track and shut down as well. More hallmarks that this wasn't probably something they lucked into, rather than some sophisticated attack.


exploits like this tend to get patched very fast no time for a/b testing. every second counts.


At the very least it would have provided some interesting post-game analysis.


Someone posted in the main thread that twitter was releasing a new API tomorrow. It was definitely getting patched soon.


Seems like it would have been more profitable to take a huge short position in TSLA and hack Elon's Twitter to post something about a SEC investigation for accounting fraud and that you'd need to restate multiple years' worth of earnings.


Or they could have been doing something similar with cryptos without risking SEC or requiring ID on exchanges: using the twitter accounts to announce partnerships with one of the cryptocurrencies. Probably less gain than with stocks but more than with this simple scam.


This would have been excellent. It's really shocking that the offenders had the knowledge/power to get into the twitter account but didn't do something like this.


Quite genius.


More profitable but more likely to be caught.


Probably true - though there's already a ton of short interest in the company. Seems like you could take a few million in profits and still blend in fairly seamlessly.


The problem with that is that the market assimilates new information rather quickly, so the downward spike in price would be rather short lived. It would be rather trivial for the SEC to figure out a short list of suspects from those who bought to close a large short position in that small timeframe, even in a highly liquid security such as TSLA.


SEC can just reverse the trade. For shady sht crypto is superior


The stock market is way more regulated and you'd be caught


yeah and then the SEC freeze your account and you go to jail and get $0


I wasn’t sure what I was looking at, until I googled the Bitcoin address (bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh):

Several high-profile Twitter users, including Elon Musk, Bill Gates, and the official Uber account appear to have been hacked, and all promoted that address, saying any funds sent to it will be doubled.


Sounds more like Twitter itself has been compromised on their end at that point.


If I had to guess, it was an internal job from a disgruntled employee with access to hijack users’ email address. Change their email address, reset password, open the email and then you can login. They might also need access to change the 2FA phone number if it was set.


It's much more likely a common social media marketing platform was compromised.


It seems a total account takeover, not just the ability to send tweets in their name - the email addresses have been reset, see https://twitter.com/sniko_/status/1283485972286656517


But then wouldn't these tweets say something other than "Twitter Web App" ?


Users of the middleware likely want to hide the fact that they're scheduling their tweets, I would imagine the tool sets this value explicitly to have the tweets appear more genuine. </postulating>


It's a wide enough range of accounts that it's most likely an internal admin panel.

Special protected accounts (e.g., Trump's) seem unaffected, whereas hundreds (thousands?) of "regular" accounts, high profile and small, are compromised.


A lot happened in the 32 minutes since I posted that.


>Several high-profile Twitter users, including Elon Musk, Bill Gates, and the official Uber account appear to have been hacked, and all promoted that address, saying any funds sent to it will be doubled.

speculation time: How did those accounts get hacked? Did they all get spearphished? Did twitter get compromised?


Or was it a marketing platform that was owned? I worked for one a few years back and they used the same fb key for all of their 500 musicians they represented. One day facebook enforced key rotation and a bunch of fan sites went dark. Imagine if someone got access to our codebase, this same type of nefarious action would have happened

The curtain has been pulled back for some. Their favorite tweeters aren’t actually tweeting themselves

Edit: I also wonder if it’s an elaborate money laundering scheme. Mix coins with deniability. Combine with the Epstein drama, maybe there’s more to what meets the eye. Either way it’s popcorn time


I do not think this is true. Please tell me what marketing company would both manage Obama's very professional twitter, and at the same time commit fraudulent manipulation of Tesla's stock price.

If what you are saying was true, there would be some sort of evidence. Plus musicians/pop stars are very different from Official corporate twitter.


It's got to be a 3rd party authed w/ the Twitter account, I'd guess.


and to think you could have just bought those bitcoin for like $2000 in 2016 without all the work of having to hack

Bill gates and Bezos not showing up on twitter search. Twitter ghosting some of the affected accounts


You could have bought Bitcoin for $3000 just a few months ago


I did with leftover after a bad investment.

Weirdly enough, sold a half a Bitcoin, made a bad investment, put the rest into Bitcoin, still 0.5BTC.


tons of accounts hacked. like every single high profile account hacked. either inside job or major exploit


It would be interesting if the scammers started sending back twice as many bitcoins, as promised, from the same address. It could be a real-time ponzi scheme!


That's how it's done in Eve Online, the money duplication scam is common there.

How it works is that the scammer announces in an area (usually the trade hub system Jita) that they're quitting and giving away all their money. They link to a webpage that (they claim) shows all of their bank transactions, using Eve's API.

You send them 100K just to try it out, they send you back 200K, both transactions show up in the webpage. "Ha it works!", you say, sending them 1M, they send you 2M back.

Until at any point, they stop sending you money back. Their outgoing transaction shows up in the webpage, but ingame you never received anything. When you message them they go "must be a bug, I sent the money because look at my transaction log. Contact support, not my problem, the money left my account"

You'd think it just doesn't work, why would anyone fall for that, but plenty fall for it. Plenty of people try and outsmart them as well, making use of it to earn some money. But as another commenter pointed out, it can be like a game of roulette.


Nothing like being a n00b on Runescape and getting scammed of your entire bank by players "glow1:wave: Doubling Money" at the GE.


Iirc, ponzi schemes used to be welcomed on the bitcointalk forums. And people would sign up, knowing they were ponzis. Kinda like people playing roulette at a casino knowing they are playing a losing game but do it anyway for the thrill.


They're not always losing schemes (i.e. only some people lose), it just depends on if you're at the end or not. The reason they were encouraged is because people enjoyed gambling on how long they would last, and it was extra incentive to use BTC, etc.


In that scenario 10% per month would be a sufficient inducement and likely more believable given the volatility.


1JustReadALL1111111111111114ptkoK 0.00000666 BTC

1TransactionoutputsAsTexta13AtQyk 0.00000667 BTC

1YouTakeRiskWhenUseBitcoin11cGozM 0.00000668 BTC

1forYourTwitterGame111111112XNLpa 0.00000669 BTC

1BitcoinisTraceabLe1111111ZvyqNWW 0.00000670 BTC

1WhyNotMonero777777777777a14A99D8 0.00000671 BTC

bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh 0.00001337 BTC

Can anyone explain what happened in this block of transactions to me?


These are bitcoin eater addresses (essentially receive-only addresses); you can create addresses like these if you bruteforce the checksum bytes, however you don't have the private key for them. I think the more famous one is 1BitcoinEaterAddressDontSendf59kuE
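The checksum the comment refers to, as an added example (not any commenter's code): a Base58Check decoder and encoder for legacy addresses that verifies the double-SHA256 checksum of the well-known eater address, rejects a one-character corruption, and round-trips the decoded version byte and hash160. Only the Base58Check (1.../3...) format is covered; bech32 addresses such as the bc1q... one in the thread use a different checksum.

```python
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
VERSION_NAMES = {0x00: "p2pkh", 0x05: "p2sh"}  # mainnet version bytes


def _checksum(payload):
    """Base58Check checksum: first 4 bytes of SHA256(SHA256(version || hash160))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58decode(s):
    """Decode a base58 string to bytes; each leading '1' stands for one leading zero byte."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a base58 character: {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_ones + body


def b58encode(raw):
    """Inverse of b58decode: leading zero bytes become leading '1' characters."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def decode_address(addr):
    """Return (version_byte, hash160) for a valid Base58Check address, else raise ValueError.

    A valid checksum only proves the string was encoded consistently. The 20-byte hash160 of
    an eater address is arbitrary bytes picked for how they spell in base58, so nobody holds
    a key that hashes to it and coins sent there cannot be spent. Because the checksum is a
    function of the chosen bytes, only the leading characters are free to carry the text;
    the last few are whatever the checksum works out to.
    """
    raw = b58decode(addr)
    if len(raw) != 25:
        raise ValueError(f"decoded length {len(raw)}, expected 25")
    payload, checksum = raw[:21], raw[21:]
    if checksum != _checksum(payload):
        raise ValueError("checksum mismatch")
    return payload[0], payload[1:]


def is_valid_address(addr):
    try:
        decode_address(addr)
        return True
    except ValueError:
        return False


def encode_address(version, hash160):
    """Build the Base58Check string for a version byte and 20-byte hash160."""
    payload = bytes([version]) + hash160
    return b58encode(payload + _checksum(payload))


def address_kind(addr):
    version, _ = decode_address(addr)
    return VERSION_NAMES.get(version, f"unknown version {version:#04x}")


if __name__ == "__main__":
    eater = "1BitcoinEaterAddressDontSendf59kuE"
    version, h160 = decode_address(eater)
    print(address_kind(eater), h160.hex())
    print(is_valid_address(eater), is_valid_address(eater[:-1] + "F"))
```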


Maybe I'm missing something, but I'm assuming someone is critiquing the scammer as foolish for using bitcoin instead of Monero because it is more difficult to cash out, as bitcoin is less anonymous than Monero?


Agreed. They are basically telling the scammer(s) to use a more anonymous & untraceable crypto next time, as everyone will be following the coins in that BTC wallet now, which makes it much more difficult to "launder".

I guess the choice of BTC by the scammer(s) was based on its much bigger popularity relative to Monero (many people have a few satoshis somewhere, but not many have some monero lying around)



It was the top transaction block at the moment I checked!


> Can anyone explain what happened in this block of transactions to me?

These transactions were sent from a vanity address(es) [1], and in this case they're used to spam the recipient with implied messages, specifically about their poorly viewed scam--take it as a 'l33t' way of sending a message, hence the amount on the last tx. Another notable one was the EnjoySochi, as in the Olympics, transactions that spammed the network for a while 6 years ago [2].

1: https://en.bitcoin.it/wiki/Vanitygen

2: https://bitcoin.stackexchange.com/questions/22404/why-is-enj...


Someone is trying to communicate with the hacker using invalid addresses.


not with the hacker but with the cryptocurrency community


Monero is still traceable with dust transaction analysis.


Fascinating. I've seen political organizations using a zcash address for collecting donations, is that technically any better? I'm aware that creating bit tumblers for laundering currencies in cycles is largely out of practice now, has there been any recent development towards traceless transactions? How is traceability compatible or incompatible with the process of verifying transactions via chaining blocks?


https://www.youtube.com/watch?v=YgtF7psIKWg&feature=youtu.be...

https://tokyo2018.scalingbitcoin.org/transcript/tokyo2018/ho...

https://arxiv.org/pdf/1704.04299/

Basically, the chaff transactions go to/from wallets actually owned by people. If you analyze enough of the chaff transactions, especially when the XMR that made them up is respent, you can deanonymize users.

This is why people recommend you do not reuse wallets often but that still does not solve the problem.

Zcash I think is secure, or is per most analyses I've read.


Can you describe what that is in more detail? that’s fascinating because i thought monero was untraceable from their claims


https://www.youtube.com/watch?v=YgtF7psIKWg&feature=youtu.be...

https://tokyo2018.scalingbitcoin.org/transcript/tokyo2018/ho...

https://arxiv.org/pdf/1704.04299/

Basically, the chaff transactions go to/from wallets actually owned by people. If you analyze enough of the chaff transactions, especially when the XMR that made them up is respent, you can deanonymize users.

This is why people recommend you do not reuse wallets often but that still does not solve the problem.

Zcash I think is secure, or is per most analyses I've read.


You can send BTC to any address you want


these are vanity addresses.


What kind of heat would the person or party that started this hack get? What could be the expected consequences? Going after political figures, including the former President of the US, should, I think, trigger a digital man hunt.


This could also impact the stock market I think.


At the very least, they face up to 10 years for violating the CFAA.


[flagged]


I really didn't imagine a purely financially motivated hack could be turned into politics. I guess I underestimate the levels of innovation.


Current administration is purely financially motivated though


this is motivated by profit. nothing political. potus being hacked would escalate to national security threat and possibly force twitter to shutdown by decree. which the hacker is smart enough to know not to tread


Elon Musk is not.


not Kanye


Seems like they could have sold this hack for way more than this will make them.


Via Tyler Cowen [0]:

> If you've ever watched Goldfinger, you have to wonder if the real ploy isn't somewhere else, such as auctioning off DMs, blackmail, etc., and the bitcoin thing just proof of concept.

0: https://twitter.com/tylercowen/status/1283518906041278468


Motherboard is reporting some screenshots that apparently show some Twitter admin panel that allowed these hackers to take control. Assuming this panel has that kind of power, they potentially could see all DMs as well. However, why expose yourself if you can get in and out of these accounts and collect the info. I'm not sure I buy the diversion explanation.


>However, why expose yourself if you can get in and out of these accounts and collect the info. I'm not sure I buy the diversion explanation.

Perhaps they felt as though they already had everything they needed and didn't mind ending their access? That would be weird, though, because I imagine long-term, continued access to DMs would likely be more valuable than just cutting out now.


I'm being charitable to the hackers, but maybe using only one wallet is part of the ploy? You can prove your identify by sending 0.001 to an address if someone doubts you. But then again if you have the info you can reveal some of it as a proof. Maybe a way to get street cred by having a proof you did the attack?


this makes a lot of sense. The bitcoin is actually a proof of authenticity -- send a small quantity from that address to prove that your screenshots of the DMs are authentic.


No need to send anything. Just sign a message with the corresponding private key.


It's almost suspicious how poorly this turned out for them. I suspect there's more going on than this


It's such a dumb way to make money with this kind of power that I'm more likely to believe that Elon really is sending back 2x BTC


It is perhaps a proof of ability, burning a zero day might be worth it, if you have others you can sell, also if the zero day was one time use or likely getting closed soon, the value might be not as high as it may look.


I've been thinking about this for a bit. Perhaps these were crypto scammers that discovered a God mode and used it. To actually monetize this hack in another way would mean getting in touch with some truly powerful/evil people and possibly putting yourself in danger.

Creating a couple of wallets and a website can be done mostly anonymously. Sure, the money is a lot less, but so is the risk.


They wouldn't know how much profit there'd be beforehand. If this was 2017-2018 I can imagine this being much more profitable. Plus it's lower risk compared to others.


Is it significant at all that this is happening on US Tax Day?


What is US Tax Day?


The day taxes are due in the US (or you need to file for an extension). If you don't file by today, you'll owe late fees.

Usually it's in April but this year it was delayed for Covid.


Today all US residents need to file their taxes. Totally missed this story because I was busy filing them. Glad they nailed twitter and not the IRS.


The day tax filings and payments for the year are due. Normally Apr 15, postponed to today due to Covid-19.


No


You can see the high profile Twitter accounts hacked here by searching the address in Twitter with the verified filter: bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh filter:verified


Here's a link to make your life easier:

https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...

They'll all say "Twitter Web App" as the tweet source.

If you search through all accounts (ie: also the unverified ones), you see plenty that say Twitter for iPhone or Twitter for Android. Those are likely trolls.

Those are here: https://twitter.com/search?q=bc1qxy2kgdygjrsqtzq2n0yrf2493p8...


Thanks, but they have now moved to another address and the hackers are at it again:

Replace the old BTC address with this one: bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l


This may be an unpopular opinion to voice here, but if we take a time-tested construct X and remove physical proximity constraints restricting its scale, we must hold the resulting technology to much, much higher standards than the old X—because scale, along with potentially unbounded yet-unknown upsides, brings potentially unbounded yet-unknown negative implications, and we should be concerned about the latter more than the former.


What exactly are you referring to?


I think the gist is, "Electronic payment platforms, including cryptocurrency, need more built-in consumer protection than cash money does, because they're much bigger pots of honey."


Thank you, yes, that’s one of the corollaries.

In general, we (humans) are not great at assessing the potential of negative/positive effects beyond certain scale (black swans and all), and analogies along the lines of “like X, but digital” are just too attractive. Those analogies are dangerous, since the scale makes Y an entirely new thing with effects that cannot be predicted based on its outside similarity to X.

This applies to many concepts including infosec (e.g., likening remotely exploitable vulnerabilities to faulty door locks), cryptocurrency, mass media, though when I was writing the above I mainly was specifically thinking about cryptocurrency. It is misleadingly similar to “cash, but digital and not backed by government”, but its scale makes it something we actually have never had to deal with before, with unknown implications that go both ways.

Considering the potential effects can be unbounded, limiting it in order to bound the downsides might be a rational (but both unpopular, boring and ambiguous) thing to do, even if it also limits the upsides.


Or perhaps it's social media criticism. Journals were location-restricted vs now where twitter controls a lot of it.


They hacked the twitter for 12 bitcoins?


yea there are a lot of people on twitter poking fun at the fact that there were probably MUCH more lucrative things you could have done with that kind of access. Seems like a quick smash and grab by some teenagers or something


Agreed.


or just diverting attention from something else (that might be more "profitable") while making some extra profit.


Fascinating to see the transactions going up (refresh the page) every minute as the scam propagates


Someone just sent 4.5 BTC...


At 13:47 PDT, there's a 60.4 BTC one[1]. That alone is half a million USD.

EDIT: Replies are right. Now I see that the majority of it went to the same address as the source.

[1] https://www.blockchain.com/btc/tx/4df1391d936d3256ce84a867e1...


In this transaction, there's only 0.00291948 BTC sent to the scamming address: bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh.

It's time to learn more about Bitcoin. :)


Wait, where do you see that? On the linked page, I can see the following:

Total Received: 11.39184745 BTC

edit: OK, either this is strange or I don't understand how it works.


You’re fine. The GP doesn’t understand. Only 0.00291948 BTC was sent to the hacker wallet. The remainder went to other wallets. The vast majority went back to the person making the transaction (i.e. nowhere)


What is the point of someone sending btc back to himself?


That's just how Bitcoin works.

Say you have 1 BTC on an address and you want to send 0.1 to someone, you still need to send all of the money. So wallets "split" the 1 BTC into 0.1 and 0.9 outputs, sending the 0.9 to yourself to another address you control. It's called a change address.

Modern wallets do this automatically, but it can be confusing to look at it on a blockchain explorer.


It’s like paying for a $3 latte with a $50. You need to get your change back.


Maybe she is just trying to flex.


Yeah, I also don't understand how one can have multiple destination addresses in a single transaction.


As a sender, you have a coin of amount X, and you split it up and send it wherever you like

If your coin is 1 and you want to send one person 0.2 and another person 0.3, you can do that as a single transaction to three destinations, one with 0.2, another with 0.3 (to the people you’re sending to) and a final one with 0.5 back to one of your own addresses (aka a change wallet)
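The change-address mechanics from the last few comments, as an added example (not any commenter's code): a small coin selector that builds a transaction's output list from a sender's coins, returns the surplus to a change address, drops change below an assumed dust threshold into the fee, and answers the question the thread kept asking, how much actually went to one address. Coin ids, addresses and the dust threshold are constructed placeholders.

```python
from dataclasses import dataclass

SATOSHI = 100_000_000   # satoshis per BTC; transactions are built in this integer unit
DUST_LIMIT = 546        # assumed dust threshold (satoshis) below which an output is not worth creating


@dataclass(frozen=True)
class Utxo:
    """One unspent coin the sender controls. Ids here are constructed placeholders."""
    txid: str
    vout: int
    value: int  # satoshis


def btc(amount):
    """Convert a BTC amount to satoshis."""
    return round(amount * SATOSHI)


def build_transaction(utxos, payments, fee, change_address):
    """Pick inputs covering payments + fee and return (inputs, outputs).

    A coin must be spent whole, so whatever the chosen inputs carry beyond the payments
    and the fee comes back to change_address as one more output. If that surplus is under
    DUST_LIMIT the change output is dropped and the surplus is effectively extra fee.
    """
    target = sum(payments.values()) + fee
    inputs, gathered = [], 0
    for coin in sorted(utxos, key=lambda u: u.value, reverse=True):  # largest-first selection
        if gathered >= target:
            break
        inputs.append(coin)
        gathered += coin.value
    if gathered < target:
        raise ValueError(f"need {target} sats, have {gathered}")
    outputs = dict(payments)
    change = gathered - target
    if change >= DUST_LIMIT:
        outputs[change_address] = outputs.get(change_address, 0) + change
    return inputs, outputs


def amount_to(outputs, address):
    """How much of a transaction landed at one address, the number an explorer viewer wants."""
    return outputs.get(address, 0)


if __name__ == "__main__":
    # The example from the thread: one 1 BTC coin, paying 0.2 and 0.3 to two people.
    coin = Utxo("constructed-txid-1", 0, btc(1.0))
    inputs, outputs = build_transaction(
        [coin], {"recipient-A": btc(0.2), "recipient-B": btc(0.3)}, 10_000, "sender-change")
    for address, sats in outputs.items():
        print(f"{address:15} {sats / SATOSHI:.8f} BTC")
    print("to recipient-A:", amount_to(outputs, "recipient-A") / SATOSHI, "BTC")
```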


I'm guessing they'll end up with ~100-300k total after all is done and they tumble, launder etc. the coins.

I am not sure how much that is for them but there are claims that the 'regular' version of that scam already nets millions a year.


Better payout than the $2.9k for disclosing this to Twitter via bug bounty.


Do you have any evidence this is a Twitter flaw and not a 3rd party app?


If the twitter security model allows third party apps access to verified high profile accounts without auditing the security of that app it is still a flaw in Twitter's processes.

Twitter after all has a lot higher risk than the 3rd party app, it is in their interest to make sure partners dealing with high profile accounts or partners handling a large volume of accounts are also secure.


OP's point holds. A third party likely has a less-rewarding bug bounty, doesn't it?


Numerous dupe submissions, primary discussion: https://news.ycombinator.com/item?id=23851275


The hackers made more profit in 5 minutes than Twitter has in 10 years


That's not true. The hackers made about $100k (assuming everything in the wallet is a real transaction from someone who was scammed), and Twitter's revenue in 2019 was $3.46 billion. Twitter's been posting a profit since 2018.


> Twitter's been posting a profit since 2018.

12 years after it was founded.


If you take a look at some of the transactions, you will see some interesting addresses like:

1JustReadALL1111111111111114ptkoK

1TransactionoutputsAsTexta13AtQyk

1YouTakeRiskWhenUseBitcoin11cGozM

1BitcoinisTraceabLe1111111ZvyqNWW

1WhyNotMonero777777777777a14A99D8

1forYourTwitterGame111111112XNLpa

Link: https://www.blockchain.com/btc/tx/67b814526ae6ee78a16059bfcf...


Hopefully most of this bitcoin is just the attacker sending their own funds to make it look legitimate.


How many people who would fall for this scam would also know how to look at the blockchain data?


This has to be the biggest advertising flop in history!

The hackers basically ran an advertisement on the most followed Twitter users in the world, and had 374 conversions (based on the number of transactions as of the time of this post).


Can Twitter put up a banner warning folks not to submit crypto???


It's been at least 3 years and they still haven't made a fix for the spam comments under Elon Musk's tweets for crypto scams from user account names of "Elon_Musk" or others. This should be such an easy thing to block. Don't even allow new user accounts with "Elon" and "Musk" in it unless verified. I have been seeing this for over 3 years and no fix.


Crypto scams that are trivial to block have been going on for years. There is no reason to believe Shitter cares about the well-being of their users, and frankly they were right because people kept using this rotten platform despite that.

Maybe now things will change.


+0.00001337 BTC

which one of us did that?


it is amazing given how long twitter has been around that such a powerful exploit still existed, assuming it was not an insider job. It also shows that bug bounties will not prevent the really bad stuff. The payoff from exploiting such a huge bug is in the millions, which no bug bounty program will ever pay.


This hack isn't going to generate millions for the attackers. But you're right that it will still outweigh any bug bounty


This is the first thing I looked up when I heard about the attack. Surprisingly few transactions given the scale.


ELI5: how will they get the money out of there without getting busted?


Is the address also sending out money? It appears that way.


They do use a lot more addresses than just this one too


Phineas Barnum was right.


Looks like SMS porting... been 3 years now and still no one has a good fix for this


...no, you aren't going to get access to all these high profile accounts at the same time with sms porting. This is almost definitely internal.


I didn't realize the extent until now. Way more than just 4... more like 40+

