The Twitter Botnet Bitcoin Con: Why Is It So Easy To Steal Cryptocurrency?
Amidst all the controversy about Russian bots interfering with the U.S. presidential election, Twitter botnets are being used with a much more straightforward goal: making money. If you follow crypto news, by now you’ve likely heard of the infamous Twitter impersonation con. The concept is simple: a scammer “piggybacks” a tweet from a popular Twitter account (such as Elon Musk or Donald Trump), using a copycat account with a nearly identical username and profile. The copycat makes a proposition: send a small amount of crypto to my wallet address, and I will send back a much bigger sum as a reward. The scammer then mobilizes a botnet to upvote the copycat’s reply, pushing it to the top of the Twitter thread — so it’s the first thing a user sees when reading the original post.
Last week, Buzzfeed reported on an escalated version of the scam, involving the @TronFoundation ($TRX) Twitter: hackers hijacked a “verified” Twitter account belonging to a totally unrelated organization (a non-profit called LiteracyBridge), and changed the account’s name to @TronFoundationl — a difference of a single character. The “verified” checkmark badge, plus the username, adds enough credibility to the post to lure unsuspecting users into the trap.
The scam shows no sign of slowing. On February 28, blockchain startup @Waltonchain was accused of rigging a crypto giveaway after somebody on the Walton team pulled a “Kevin Durant” and posted this tweet from their official Twitter account:
The price of $WTC instantly plummeted, and @Waltonchain issued an official apology — but within minutes, the apology post was hijacked by an account called @Weltonchain, promising to make amends with angry $WTC investors by paying out free $ETH. An army of bots arrived to “thank” @Weltonchain for their generosity:
It’s a clever spin on an age-old con, the “advance-fee scam.” The scammer promises a target a large sum of money, in return for a small up-front payment. You may have received e-mails from a Nigerian prince promising similar riches via Western Union bank transfers. What’s different about the Twitter botnet crypto scam?
It’s easy to blame Twitter’s user interface for failing to effectively detect impersonation accounts and warn users of potentially fraudulent activity. Even Twitter’s established protocols are not functioning properly: Twitter’s stated policy is to revoke the “verified” badge if the account’s username is changed, but this policy was clearly not enforced in the case of the @TronFoundation scam (and others). The scale of crypto fraud on the social media platform has gotten so high that Twitter CEO Jack Dorsey issued a short statement claiming “we are fixing process.” However, reporting and deleting scam accounts on a case-by-case basis is impractical given the ease with which copycat accounts are generated; Ethereum founder Vitalik Buterin observed that there are more than 800 permutations of his username by changing one character (and 350,000 permutations by changing two characters).
But the problem goes beyond Twitter’s flawed UI and porous security protocols. Consider similar confidence tricks involving fiat currency, like the aforementioned hustles involving Nigerian princes. These con artists invest huge amounts of time studying their marks, to assess their value and earn their trust — and ultimately persuade them to open up their bank accounts. In the past several years, people have become more wary of this sort of (now infamous) e-mail fraud — so why is it so easy to trick people into giving up their cryptocurrency?
A recent article on The Outline described a “savviness gap” between different generations of internet users. According to a recent study at Dartmouth College, older Americans are at the highest risk of internet fraud; Americans over the age of 60 were the most likely to choose to read “fake news” during the 2016 presidential election, regardless of their political affiliation.
Perhaps you regard yourself as “savvy” enough to avoid low-level scams on Twitter — but consider this fake cryptocurrency exchange site, which employs a similar method of deception as the social media con artists:
Binance is a popular China-based crypto exchange that trades more than sixty different currencies and boasts low transaction fees. Last month, an attentive Reddit user stumbled upon a site that looks almost exactly like the Binance exchange — can you tell the difference? If you look closely at the URL on the left, you’ll notice a small dot under each “ṇ” in Biṇaṇce, a diacritic mark usually reserved for dictionaries and linguistics textbooks. Those without eagle-eyed awareness are only seconds away from giving up their login credentials (and potentially a share of their life savings).
Cryptocurrencies and blockchain-based technologies are still in a nascent stage, and we currently lack effective institutions to ensure the safety of people transacting on these networks. A Reuters report from December 2017 estimated that several billions of dollars worth of cryptocurrency has been stolen through various forms of scams and hacks. Unfortunately, the pervasiveness of fraud and theft on blockchains has contributed to widespread public perception that cryptocurrencies are themselves a form of “confidence trick,” and an illegitimate medium of exchange; on March 2, British Shadow Home Secretary Diane Abbott claimed that “bitcoin… is just a gigantic Ponzi scheme.”
To open a bank account for fiat currencies, you must provide your “true name” and other personal information; federal law requires a physical address and a taxpayer identification number, so that there is some form of accountability in your transactions with banks and others. Of course, these laws do not fully protect consumers or prevent identity theft — in fact, they are required under the PATRIOT Act in the name of fighting terrorism and money laundering. However, if in the long-term we seek to build a durable public trust in cryptocurrencies, long strings of wallet addresses are not sustainable as the sole identifiers for individuals transacting on blockchains. Although blockchains remove the central bank or financial institution from the equation, there is still a fundamental need to “know your customer” and perform due diligence in any economic exchange: as a community, we need to develop protocols and standards for effectively authenticating the entities we are exchanging with.
Trustroot is an open protocol for security and reputation management on blockchains. The first component of Trustroot is identity verification: a certificate that assures you that the party you are transacting with is who they claim to be. Each company undergoes an extensive background check before being issued a certificate — once a company or entity has been thoroughly vetted, you can use the Trustroot browser extension or mobile application to confirm their identity before deciding to transact with them. The second component is a reputation feedback tool (currently under development) so that users can write reviews of their transactions, allowing the community to collectively weed out “bad actors.”
Our mission is to develop tools that function at all levels of transaction on blockchains — from wallets to exchanges, chain explorers, and browsers — so that individuals can transact their cryptocurrencies with confidence. We think that open-source software is the best path to building secure infrastructure, and we are planning a decentralized system that allows the community of blockchain developers to build their own certificate authorities on top of our basic protocols. We are excited about the enormous potential of blockchains, and we want to do our part to make sure that these networks are safe for everybody: stay on top of our progress and learn more at trustroot.io.