From Tweet to Theft: Tracing the Flow of Stolen Cryptocurrency
Guglielmo Cola, Michele Mazza, Maurizio Tesconi
TL;DR
This study analyzes a Twitter-driven UNI fake giveaway scam and employs Ethereum blockchain forensics to trace stolen tokens from a single scammer address through consolidation, a DEX swap, and two deposit addresses. It reveals that funds ultimately reached a centralized exchange deposit and a no-account swap service, highlighting obfuscation techniques that challenge on-chain traceability. The work demonstrates the value of blockchain analytics for linking social-media fraud to real-world fund movement and discusses implications for exchanges and policy, including the potential for automated detection. The findings emphasize the need for stricter source-of-funds verification and continued development of graph-based methods to identify illicit on-chain activity.
Abstract
This paper presents a case study of a cryptocurrency scam that utilized coordinated and inauthentic behavior on Twitter. In 2020, 143 accounts sold by an underground merchant were used to orchestrate a fake giveaway. Tweets pointing to a fake blog post lured victims into sending Uniswap tokens (UNI) to designated addresses on the Ethereum blockchain, with the false promise of receiving more tokens in return. Using one of the scammer's addresses and leveraging the transparency and immutability of the Ethereum blockchain, we traced the flow of stolen funds through various addresses, revealing the tactics adopted to obfuscate traceability. The final destination of the funds involved two deposit addresses. The first, managed by a well-known cryptocurrency exchange, was likely associated with the scammer's own account on that platform and saw deposits exceeding $3.5 million. The second address was linked to a popular cryptocurrency swap service. These findings highlight the critical need for more stringent measures to verify the source of funds and prevent illicit activities.
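The forward trace the abstract describes (seed address, consolidation, DEX swap, labelled deposit addresses) can be sketched as a graph walk over token-transfer records. This is an added example, not the authors' code or method: every address, label, block number and amount below is constructed, and the two heuristics (ignore transfers sent before tainted funds arrived, and follow only the same-transaction output leg of a swap) are assumptions made for illustration.

```python
from collections import deque

# Constructed sample transfers, not data from the paper:
# (block, tx, sender, receiver, token, amount)
TRANSFERS = [
    (90,  "t0", "scam_1",    "old_wallet",   "UNI",  5),     # predates the scam
    (100, "t1", "victim_a",  "scam_1",       "UNI",  400),
    (101, "t2", "victim_b",  "scam_2",       "UNI",  600),
    (105, "t3", "scam_1",    "collector",    "UNI",  400),   # consolidation
    (106, "t4", "scam_2",    "collector",    "UNI",  600),
    (110, "t5", "collector", "dex_pool",     "UNI",  1000),  # swap, input leg
    (110, "t5", "dex_pool",  "cashout",      "WETH", 3),     # swap, output leg
    (111, "t6", "dex_pool",  "bystander",    "WETH", 9),     # unrelated pool user
    (120, "t7", "cashout",   "deposit_cex",  "WETH", 2),
    (121, "t8", "cashout",   "deposit_swap", "WETH", 1),
]
# Hypothetical attribution labels, as an analyst would get from a tagging source.
LABELS = {"dex_pool": "dex", "deposit_cex": "exchange", "deposit_swap": "swap"}

def trace_forward(transfers, seed, labels, start_block):
    """Follow funds leaving `seed` at or after `start_block`.
    Returns {labelled deposit address: path from seed}."""
    arrived, paths, found = {seed: start_block}, {seed: [seed]}, {}
    queue = deque([seed])
    while queue:
        addr = queue.popleft()
        for block, tx, src, dst, _token, _amt in sorted(transfers):
            if src != addr or block < arrived[addr]:
                continue  # not ours, or sent before tainted funds arrived
            if labels.get(dst) == "dex":
                # A pool commingles funds: follow only the output leg of this tx.
                via = [dst]
                nxt = [r for _b, t, s, r, *_ in transfers if t == tx and s == dst]
            else:
                via, nxt = [], [dst]
            for n in nxt:
                if n in paths:
                    continue  # already reached by an earlier hop
                paths[n] = paths[addr] + via + [n]
                if n in labels:
                    found[n] = paths[n]  # labelled service endpoint: stop here
                else:
                    arrived[n] = block
                    queue.append(n)
    return found

def feeders(transfers, addr):
    """Senders into a consolidation address; siblings of the seed show up here."""
    return {s for _b, _t, s, r, *_ in transfers if r == addr}
```

Tracing from `scam_1` with `start_block=100` reaches both deposit addresses through `collector`, `dex_pool` and `cashout` while leaving `old_wallet` and `bystander` untouched; `feeders` on the consolidation address surfaces `scam_2`, a sibling address the seed alone would not reveal.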
