From Tweet to Theft: Tracing the Flow of Stolen Cryptocurrency

This paper presents a case study of a cryptocurrency scam that utilized coordinated and inauthentic behavior on Twitter. In 2020, 143 accounts sold by an underground merchant were used to orchestrate a fake giveaway. Tweets pointing to a fake blog post lured victims into sending Uniswap tokens (UNI) to designated addresses on the Ethereum blockchain, with the false promise of receiving more tokens in return. Using one of the scammer's addresses and leveraging the transparency and immutability of the Ethereum blockchain, we traced the flow of stolen funds through various addresses, revealing the tactics adopted to obfuscate traceability. The final destination of the funds involved two deposit addresses. The first, managed by a well-known cryptocurrency exchange, was likely associated with the scammer's own account on that platform and saw deposits exceeding $3.5 million. The second address was linked to a popular cryptocurrency swap service. These findings highlight the critical need for more stringent measures to verify the source of funds and prevent illicit activities.