Government

America's IRS Wants Cryptocurrency Exchanges Declared on Tax Forms (morningstar.com) 100

America's dreaded tax-collecting agency is sending "a strong warning to millions of crypto holders who aren't complying with the law that they must file required forms," reports the Wall Street Journal. The front page of this year's tax forms — just below "Name" and "Address" — will ask filers to declare whether they've received or exchanged any virtual currencies.

The Journal calls it "setting a trap for cryptocurrency tax cheats." "This placement is unprecedented and will make it easier for the IRS to win cases against taxpayers who check 'No' when they should check 'Yes,'" says Ed Zollars, a CPA with Kaplan Financial Education who updates tax professionals on legal developments... The change to the crypto question and other recent actions show the IRS is taking cryptocurrencies seriously as a threat to the tax system, whether the noncompliance is by enthusiasts who owe little or by sophisticated international criminals. In two recent nontax criminal cases — one involving theft by North Korea and the other involving the sale of child pornography by a Dutch national — the IRS has provided key assistance because of its growing expertise in cryptocurrencies....

For their part, many crypto users are angry with the IRS's guidance, which treats bitcoin, ether and their kin as property rather than currency. So if a crypto holder uses it to buy something or exchanges one cryptocurrency for another, there's usually a capital gain or loss to report on the tax return. "Buying a sandwich with cryptocurrency shouldn't be a taxable event," says Sean Cover, a New York City cryptocurrency holder who works in finance for a nonprofit group. He says that in 2017 he had more than 500 transactions on several platforms, and it took him 10 hours to prepare his crypto tax forms even though he paid for special software. Like some members of Congress, Mr. Cover supports a $200 threshold before crypto transactions would need to be reported. The IRS says it's up to Congress to change the law....

Meanwhile, the IRS is forging ahead with other crypto compliance measures. Earlier this month, it offered rewards up to $625,000 to code-breakers who can crack so-called privacy coins like Monero that attract illicit activity because they claim to be untraceable... The IRS is also sending a new round of letters to crypto holders who may not have complied with the tax rules, expanding on last year's mailing of about 10,000 letters. Tax specialists say the recipients are often customers of Coinbase, which was ordered by a federal court to turn over information on some accounts to the IRS.

EU

EU To Launch Blockchain Regulatory Sandbox by 2022 (decrypt.co) 9

The European Commission will team up with the European Blockchain Partnership (EBP) to launch a new regulatory sandbox focused on cryptocurrencies and blockchain by 2022, according to an announcement published today. From a report: The commission is the executive branch of the European Union and the initiative is part of its newly adopted Digital Finance Package that aims to provide greater clarity for cryptocurrency companies. "By making rules safer and more digital friendly for consumers, the Commission aims to boost responsible innovation in the EU's financial sector, especially for highly innovative digital start-ups, while mitigating any potential risks related to investor protection, money laundering and cyber-crime," the commission stated. According to the commission, some digital assets already fall under EU legislation, however, these rules "most often predate the emergence of crypto-assets and DLT." This could result in various roadblocks on the way of innovations and make it difficult to apply existing frameworks to blockchain and cryptocurrencies in the financial sector.

Bitcoin

Swiss Region To Take Cryptocurrency For Tax Payments In 2021 (go.com) 22

A Swiss region that has billed itself as a hub for high-tech finance said Thursday that it plans to accept cryptocurrencies Bitcoin and Ether for tax payments starting next year. ABC News reports: Switzerland's Zug canton joins its eponymous main city and several Swiss towns in agreeing to take tax payments in cryptocurrency. Zug is thought to be the first region in the rich Alpine country to make the decision. The canton, which bills itself as home to "Crypto Valley," said it would accept taxes from companies or individuals of up to 100,000 Swiss francs (about $110,000) paid in Bitcoin or Ether as of February. A pilot program is expected to be launched in the coming weeks. Taxpayers who want to pay in cryptocurrency would notify tax authorities, who in return would send a digitized QR code that allows for such payments.

Twitter

Twitter Hack May Have Had Another Mastermind: A 16-Year-Old (nytimes.com) 34

When authorities arrested Graham Ivan Clark, who they said was the "mastermind" of the recent Twitter hack that ensnared Kanye West, Bill Gates and others, one detail that stood out was his age: He was only 17. Now authorities have homed in on another person who appears to have played an equal, if not more significant role, in the July 15 attack, the New York Times reported Tuesday, citing four people involved in the investigation who declined to be identified because the inquiry was ongoing. They said the person was at least partly responsible for planning the breach and carrying out some of its most sensitive and complicated elements. His age? Just 16, public records show. From the report: On Tuesday, federal agents served the teenager with a search warrant and scoured the Massachusetts home where he lives with his parents, said one of the people involved in the operation. A spokesman for the FBI confirmed a search warrant had been executed at the address. The search warrant and other documents in the case are under seal and federal agents may decide not to charge the youth with a crime. If he is ultimately arrested, the case is likely to be handed over to Massachusetts authorities, who have more leverage than federal prosecutors in charging minors as adults. (The New York Times is not naming the teenager at this point because of his age and because he has not been charged.)

Bitcoin

Is Blockchain 'the Amazing Solution for Almost Nothing'? (thecorrespondent.com) 155

Long-time Slashdot reader leathered shares an investigation from the Correspondent about blockchain -- and "what's so terribly revolutionary about it? What problem does it solve...? I can tell you upfront, it's a bizarre journey to nowhere. I've never seen so much incomprehensible jargon to describe so little... And I've never seen so many people searching so hard for a problem to go with their solution...." [Y]ou can't do much with bitcoin. But blockchain, on the other hand: it's the technology behind bitcoin, which makes it cool. Blockchain generalises the bitcoin pitch: let's not just get rid of banks, but also the land registry, voting machines, insurance companies, Facebook, Uber, Amazon, the Lung Foundation, the porn industry and government and businesses in general. They are superfluous, thanks to the blockchain. Power to the users...!

The only thing is that there's a huge gap between promise and reality. It seems that blockchain sounds best in a PowerPoint slide. Most blockchain projects don't make it past a press release, an inventory by Bloomberg showed... Out of over 86,000 blockchain projects that had been launched, 92% had been abandoned by the end of 2017, according to consultancy firm Deloitte. Why are they deciding to stop? Enlightened — and thus former — blockchain developer Mark van Cuijk explained: "You could also use a forklift to put a six-pack of beer on your kitchen counter. But it's just not very efficient...."

[I]nformation and communications technology is like the rest of the world — a big old mess. And that's something that we — outsiders, laypeople, non-tech geeks — simply refuse to accept. Councillors and managers think that problems — however large and fundamental they are — evaporate instantaneously thanks to technology they've heard about in a fancy PowerPoint presentation. How will it work? Who cares! Don't try to understand it, just reap the benefits!

This is the market for magic, and that market is big. Whether it's about blockchain, big data, cloud computing, AI or other buzzwords...

Maybe this is blockchain's greatest merit: it's an awareness campaign, albeit an expensive one. "Back-office management" isn't an item on the agenda in board meetings, but "blockchain" and "innovation" are... Yes, it took a few wild, unmet promises, but the result is that administrators are now interested in the boring subjects that help make the world run a bit more efficiently — nothing spectacular, just a bit better.

Twitter

The Attack That Broke Twitter Is Hitting Dozens of Companies (wired.com) 32

An anonymous reader quotes a report from Wired: "Phone spear phishing" attacks have been on the rise since a bitcoin scam took over the social media platform in July. When law enforcement arrested three alleged young hackers in the US and the UK last month, the story of the worst-known hack of Twitter's systems seemed to have drawn to a tidy close. But in fact, the technique that allowed hackers to take control of the accounts of Joe Biden, Jeff Bezos, Elon Musk, and dozens of others is still in use against a broad array of victims, in a series of attacks that began well before Twitter's blowup, and in recent weeks has escalated into a full-blown crime wave.

But Twitter is hardly the only recent target of "phone spear phishing," also sometimes known as "vishing," for "voice phishing," a form of social engineering. In just the past month since the Twitter hack unfolded, dozens of companies -- including banks, cryptocurrency exchanges, and web hosting firms -- have been targeted with the same hacking playbook, according to three investigators in a cybersecurity industry group that's been working with victims and law enforcement to track the attacks. As in the Twitter hack, employees of those targets have received phone calls from hackers posing as IT staff to trick them into giving up their passwords to internal tools. Then the attackers have sold that access to others who have typically used it to target high-net-worth users of the company's services -- most often aiming to steal large amounts of cryptocurrency, but also sometimes targeting non-crypto accounts on traditional financial services.
"Simultaneous with the Twitter hack and in the days that followed, we saw this big increase in this type of phishing, fanning out and targeting a bunch of different industries," says Allison Nixon, who serves as chief research officer at cybersecurity firm Unit 221b and assisted the FBI in its investigation into the Twitter hack. "I've seen some unsettling stuff in the past couple of weeks, companies getting broken into that you wouldn't think are soft targets. And it's happening repeatedly, like the companies can't keep them out."

While the perpetrators don't appear to be state-sponsored hackers or foreign cybercrime organizations, it may be only a matter of time until they're adopted by these foreign groups who contract out the phone calls to English-speaking phone phishers.

Bitcoin

The Quest To Liberate $300,000 of Bitcoin From an Old ZIP File (arstechnica.com) 38

A few quintillion possible decryption keys stand between a man and his cryptocurrency. From a report: In October, Michael Stay got a weird message on LinkedIn. A total stranger had lost access to his bitcoin private keys -- and wanted Stay's help getting his $300,000 back. It wasn't a total surprise that The Guy, as Stay calls him, had found the former Google security engineer. Nineteen years ago, Stay published a paper detailing a technique for breaking into encrypted zip files. The Guy had bought around $10,000 worth of bitcoin in January 2016, well before the boom. He had encrypted the private keys in a zip file and had forgotten the password. He was hoping Stay could help him break in. In a talk at the Defcon security conference this week, Stay details the epic attempt that ensued.

[...] "If we find the password successfully, I will thank you," The Guy wrote with a smiley face. After an initial analysis, Stay estimated that he would need to charge $100,000 to break into the file. The Guy took the deal. After all, he'd still be turning quite the profit. "It's the most fun I've had in ages. Every morning I was excited to get to work and wrestle with the problem," says Stay, who today is the chief technology officer of the blockchain software development firm Pyrofex. "The zip cipher was designed decades ago by an amateur cryptographer -- the fact that it has held up so well is remarkable." But while some zip files can be cracked easily with off-the-shelf tools, The Guy wasn't so lucky. That's partly why the work was priced so high. Newer generations of zip programs use the established and robust cryptographic standard AES, but outdated versions -- like the one used in The Guy's case -- use Zip 2.0 Legacy encryption that can often be cracked. The degree of difficulty depends on how it's implemented, though. "It's one thing to say something is broken, but actually breaking it is a whole different ball of wax," says Johns Hopkins University cryptographer Matthew Green.

The Almighty Buck

Richard Stallman Discusses Privacy Risks of Bitcoin, Suggests 'Something Much Better' (cointelegraph.com) 168

Richard Stallman gave a new interview to the site Cointelegraph, which asked him his feelings about cryptocurrencies. "I'm not against them," Stallman answers. "I'm not campaigning to eliminate them, I just don't particularly want to use them."

Cointelegraph then asks Stallman how he feels about tests underway for the Chinese government's own central bank digital currency: Richard Stallman: "Digital payment systems are fundamentally dangerous if they are not engineered to ensure privacy. China is the enemy of privacy. China shows what totalitarian surveillance is like. I consider that hell on earth. That's part of why I haven't used cryptocurrencies that are issued by the community. If the cryptocurrency is issued by a government, it would surveil people just the way credit cards do and PayPal does, and all those other systems meaning completely unacceptable."
Stallman later says "I don't do any kind of digital payments, and the reason is the systems that exist do not respect the user's privacy, and that includes Bitcoin. Every Bitcoin transaction is published." But when Cointelegraph asks about various Bitcoin modifications designed for privacy, Stallman answers "I am not convinced about them." Richard Stallman: In any case, the GNU project has developed something much better, which is GNU Taler. GNU Taler is not a cryptocurrency. It is not a currency at all. It is a payment system designed to be used for anonymous payments to businesses to buy something. It is anonymous through a blind signature for the payer. However, the payee has to identify itself for every purchase in order to get money out of the system. So the idea is you can use your bank account to get Taler Tokens, and you can spend them and the payee won't be able to tell who you are.

It won't be able to tell that you got the token from a particular bank account at a particular time, even though you did so. To convert your payment into money in its own bank, the store (the payee) will have to identify itself. So this gives privacy in a much more reliable way than cryptocurrencies do, and it blocks the idea of using this system to enable tax evasion.

GNU Taler recently had an exciting milestone. A few months ago the eurozone banking system became interested in supporting Taler payments, and just recently they succeeded using a test setup in obtaining Taler tokens with one bank account and paying them to another bank account through the Taler system. Now, it's not something that anybody can use but it will be, and that will be really exciting.

And in response to a question about Facebook's "Libra" digital currency project, Stallman says he hasn't studied the details "because the most important thing about it I already know. It's connected with Facebook, and Facebook means surveillance.

"I urge people to join me in absolutely refusing to use Facebook or rather be used by Facebook. Because Facebook doesn't have users. Facebook has used. So don't be a sucker, don't be used by Facebook."

Security

NetWalker Ransomware Gang Has Made $25 Million Since March 2020 (zdnet.com) 20

The operators of the NetWalker ransomware are believed to have earned more than $25 million from ransom payments since March this year, security firm McAfee said today. From a report: Although precise and up-to-date statistics are not available, the $25 million figure puts NetWalker close to the top of the most successful ransomware gangs known today, with other known names such as Ryuk, Dharma, and REvil (Sodinokibi). McAfee, who recently published a comprehensive report about NetWalker's operations, was able to track payments that victims made to known Bitcoin addresses associated with the ransomware gang. However, security experts believe the gang could have made even more from their illicit operations, as their view wasn't complete.

Twitter

A 17-Year-Old's Journey: Minecraft, SIM-Swapping Bitcoin Heists, Breaching Twitter (chicagotribune.com) 135

The New York Times tells the story of the 17-year-old "mastermind" arrested Friday for the takeover of dozens of high-profile Twitter accounts.

They report that Graham Ivan Clark "had a difficult family life" and "poured his energy into video games and cryptocurrency" after his parents divorced when he was 7, and he grew up in Tampa, Florida with his mother, "a Russian immigrant who holds certifications to work as a facialist and as a real estate broker." By the age of 10, he was playing the video game Minecraft, in part to escape what he told friends was an unhappy home life. In Minecraft, he became known as an adept scammer with an explosive temper who cheated people out of their money, several friends said.... In late 2016 and early 2017, other Minecraft players produced videos on YouTube describing how they had lost money or faced online attacks after brushes with Mr. Clark's alias "Open...."

Mr. Clark's interests soon expanded to the video game Fortnite and the lucrative world of cryptocurrencies. He joined an online forum for hackers, known as OGUsers, and used the screen name Graham$... Mr. Clark described himself on OGUsers as a "full time crypto trader dropout" and said he was "focused on just making money all around for everyone." Graham$ was later banned from the community, according to posts uncovered by the online forensics firm Echosec, after the moderators said he failed to pay Bitcoin to another user who had already sent him money to complete a transaction.

Still, Mr. Clark had already harnessed OGUsers to find his way into a hacker community known for taking over people's phone numbers to access all of the online accounts attached to the numbers, an attack known as SIM swapping. The main goal was to drain victims' cryptocurrency accounts. In 2019, hackers remotely seized control of the phone of Gregg Bennett, a tech investor in the Seattle area. Within a few minutes, they had secured Mr. Bennett's online accounts, including his Amazon and email accounts, as well as 164 Bitcoins that were worth $856,000 at the time and would be worth $1.8 million today... In April, the Secret Service seized 100 Bitcoins from Mr. Clark, according to government forfeiture documents... Mr. Bennett said in an interview that a Secret Service agent told him that the person with the stolen Bitcoins was not arrested because he was a minor... By then, Mr. Clark was living in his own apartment in a Tampa condo complex...

[L]ess than two weeks after the Secret Service seizure, prosecutors said Mr. Clark began working to get inside Twitter. According to a government affidavit, Mr. Clark convinced a "Twitter employee that he was a co-worker in the IT department and had the employee provide credentials to access the customer service portal."

The plan was to sell access to the breached Twitter accounts, but Clark apparently began cheating his customers again, the Times reports — "reminiscent of what Mr. Clark had done earlier on Minecraft..."

"Mr. Clark, who prosecutors said worked with at least two others to hack Twitter but was the leader, is being charged as an adult with 30 felonies."

Bitcoin

Steve Wozniak Sues YouTube Over Twitter-Like Bitcoin Scam (bloomberg.com) 39

Apple co-founder Steve Wozniak says YouTube has for months allowed scammers to use his name and likeness as part of a phony bitcoin giveaway similar to the one that was quickly extinguished by Twitter last week. Scammers used images and video of Wozniak, who left Apple in 1985, to convince YouTube users that he was hosting a live giveaway and anyone who sent him bitcoins will get double the number back, according to a lawsuit filed Tuesday in state court in San Mateo County, California. "But when users transfer their cryptocurrency, in an irreversible transaction, they receive nothing back," Wozniak said. From a report: The scam also uses the names and images of other tech celebrities, including Microsoft co-founder Bill Gates and Tesla Chief Executive Officer Elon Musk, according to the suit. YouTube has been "unresponsive" to Wozniak's repeated requests to take down the fraudulent videos, he said. By contrast, Twitter reacted "that same day" after the accounts of Barack Obama, Joe Biden and high-profile users were hacked last week as part of a similar phony bitcoin giveaway, he said. "YouTube has been unapologetically hosting, promoting, and directly profiting from similar scams." Wozniak sued along with 17 other alleged victims of the scam. They are asking the court to order YouTube and its parent company Alphabet to immediately remove the videos and to warn users about the scam giveaways. They are also seeking compensatory and punitive damages.

Bitcoin

Coinbase Says It Prevented Over 1,000 Customers From Sending $280,000 Worth of Bitcoin To Twitter Hackers (theblockcrypto.com) 30

Crypto exchange Coinbase has said that it prevented a little over 1,100 customers from sending bitcoin to Twitter hackers who hijacked high-profile accounts to advertise a bitcoin scam last week. From a report: If Coinbase didn't take the step, these customers would have collectively sent 30.4 bitcoin (currently worth about $278,000) to hackers, the exchange's chief information security officer, Philip Martin, told Forbes. Notably, this amount is more than twice the actual amount ($121,000) that hackers collected via victims. Despite Coinbase's action, 14 of its customers still fell prey to the scam and sent around $3,000 worth of bitcoin to hackers before the exchange blacklisted their addresses, said Martin. Gemini, Kraken, and Binance users also tried sending bitcoins to the addresses, but not as much as Coinbase's customers, per the report. All these exchanges moved to block the addresses as soon as the scam came to light.

Bitcoin

John McAfee Loses Bet: Bitcoin Hasn't Hit $500K (mashable.com) 49

Slashdot reader Charlotte Web quotes Mashable: Three years ago on this date, on July 17, 2017, McAfee, the eccentric founder of the antivirus software company bearing his name, made the bet of a lifetime. McAfee made a bet that in three years a single bitcoin (1 BTC) would be worth $500,000.

Now while most people would throw down money to make this bet, McAfee had a very different idea. "if not, I will eat my **** on national television...."

Fast forward to July 17, 2020, three years from the day McAfee made his bet. Today, a bitcoin is worth around $9,150. It's certainly up from three years ago, sure. But we're far away from $500,000. The world may be very different from the one we were living in three years ago, but a bet is a bet.

Many on Twitter reminded McAfee that it was time to make good on his bet.

McAfee's response? He appears to be chickening out... "The bet was the end of 2020."

McAfee also tweeted that at the end of 2020, he'd still honor the bet.

"Myself, or, perhaps, a subcontractor :)"

Twitter

Many New Details Emerge About Twitter's Breach (nytimes.com) 32

The New York Times claims to have traced the origins of a Twitter security breach to "a teasing message between two hackers late Tuesday on the online messaging platform Discord." [The Times' article was also republished here by the Bangkok Post.] "yoo bro," wrote a user named "Kirk," according to a screenshot of the conversation shared with The New York Times. "i work at twitter / don't show this to anyone / seriously." He then demonstrated that he could take control of valuable Twitter accounts — the sort of thing that would require insider access to the company's computer network. The hacker who received the message, using the screen name "lol," decided over the next 24 hours that Kirk did not actually work for Twitter because he was too willing to damage the company. But Kirk did have access to Twitter's most sensitive tools, which allowed him to take control of almost any Twitter account...

[F]our people who participated in the scheme spoke with The Times and shared numerous logs and screen shots of the conversations they had on Tuesday and Wednesday, demonstrating their involvement both before and after the hack became public. The interviews indicate that the attack was not the work of a single country like Russia or a sophisticated group of hackers. Instead, it was done by a group of young people — one of whom says he lives at home with his mother — who got to know one another because of their obsession with owning early or unusual screen names, particularly one letter or number, like @y or @6... "lol" did not confirm his real-world identity, but said he lived on the West Coast and was in his 20s. "ever so anxious" said he was 19 and lived in the south of England...

The group began by selling access to highly-coveted Twitter handles for bitcoin, according to the Times, including the accounts @dark, @w, @l, @50 and @vague.

Brian Krebs had suggested tweets of Twitter's internal tools came from "notorious SIM swapper" PlugWalkJoe — but the Times spoke to the 21-year-old (real name: Joseph O'Connor) who says his only involvement was taking possession of the breached Twitter account @6. "I don't care. They can come arrest me. I would laugh at them. I haven't done anything." Mr. O'Connor said other hackers had informed him that Kirk got access to the Twitter credentials when he found a way into Twitter's internal Slack messaging channel and saw them posted there, along with a service that gave him access to the company's servers. People investigating the case said that was consistent with what they had learned so far.
Meanwhile, Twitter has said, "The attackers successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems, including getting through our two-factor protections. As of now, we know that they accessed tools only available to our internal support teams."

But Mashable brings more bad news: In an update posted on Friday night, Twitter ran down what its internal investigation has discovered so far. One piece of previously unknown information: the hacker(s) downloaded the personal account data for up to eight of the accounts which they had access to.

I should make this clear up front: that data includes direct messages...

As rumors spread around the platform as to which eight accounts could have been targeted, Twitter released an additional clarification... "[T]o address some of the speculation: none of the eight were Verified accounts..." Twitter also says 130 Twitter accounts were targeted... The company said that hackers gained access to 45 of them via a password reset and, for a second time, reiterated that the passwords used on the accounts were not accessed.

An article shared by Slashdot reader kimmmos notes that one account that went untouched was that of U.S. president Donald Trump. The Verge reports "it could be because Twitter has implemented extra protections for his account." But responding to the other account breaches, "A Twitter spokesperson confirmed the company has been in touch with the FBI," reports CNN. "We're acutely aware of our responsibilities to the people who use our service and to society more generally," Twitter added in a blog post.

"We're embarrassed, we're disappointed, and more than anything, we're sorry."

Social Networks

What Twitter's Worst Hack Means For Its Bottom Line (bloomberg.com) 42

The breach revealed Twitter's engineering prowess and management practices as subpar. Hedge fund Elliott Management can't be happy about its investment. From a report: Even if Twitter's user growth is relatively unaffected, shareholders shouldn't overlook what the latest in a long series of security incidents says about how the company works and why its stock has been such a disappointment: Twitter's engineering prowess and management practices are simply second-rate. On Wednesday, numerous Twitter accounts from business leaders, celebrities to major companies -- including Elon Musk, Barack Obama, Jeff Bezos and Apple -- were hacked and posted cryptocurrency scam messages, promising to double the amount of any funds sent to a specific Bitcoin address. Twitter later admitted to the unprecedented nature of the breach, saying it believes it fell victim to a "coordinated social engineering attack," where hackers were able to take control of its internal systems. CEO Jack Dorsey tweeted, "Tough day for us at Twitter. We all feel terrible this happened."

Certainly, hedge fund Elliott Management must not be pleased with the turn of events. The activist hedge fund and Twitter stakeholder reached an agreement with the company earlier this year to restructure the company's board, standing down on an initial goal of replacing management including Dorsey. The lackluster security is more ammunition for Twitter's critics who have long questioned the company's efficacy in using its engineering resources. Even as Chinese super-apps such as WeChat have expanded upon core messaging services to build vast consumer internet empires, and Facebook has transformed its platforms into advertising money machines, the basic nature of Twitter's offering hasn't changed much over the past decade. That, even as the company spends an incredible amount in research and development annually -- including nearly $700 million last year alone. Where does all the money go?

Security

Who's Behind Wednesday's Epic Twitter Hack? (krebsonsecurity.com) 75

Brian Krebs has written a blog post with clues about who may have been behind yesterday's Twitter hack, which had some of the world's most recognizable public figures tweeting out links to bitcoin scams. An anonymous reader shares an excerpt from the report (though we strongly recommend you read the full analysis here): There are strong indications that this attack was perpetrated by individuals who've traditionally specialized in hijacking social media accounts via "SIM swapping," an increasingly rampant form of crime that involves bribing, hacking or coercing employees at mobile phone and social media companies into providing access to a target's account. In the days leading up to Wednesday's attack on Twitter, there were signs that some actors in the SIM swapping community were selling the ability to change an email address tied to any Twitter account. In a post on OGusers -- a forum dedicated to account hijacking -- a user named "Chaewon" advertised they could change the email address tied to any Twitter account for $250, and provide direct access to accounts for between $2,000 and $3,000 apiece. "This is NOT a method, you will be given a full refund if for any reason you aren't given the email/@, however if it is revered/suspended I will not be held accountable," Chaewon wrote in their sales thread, which was titled "Pulling email for any Twitter/Taking Requests."

Hours before any of the Twitter accounts for cryptocurrency platforms or public figures began blasting out bitcoin scams on Wednesday, the attackers appear to have focused their attention on hijacking a handful of OG accounts, including "@6." That Twitter account was formerly owned by Adrian Lamo -- the now-deceased "homeless hacker" perhaps best known for breaking into the New York Times's network and for reporting Chelsea Manning's theft of classified documents. @6 is now controlled by Lamo's longtime friend, a security researcher and phone phreaker who asked to be identified in this story only by his Twitter nickname, "Lucky225." [...] But around the same time @6 was hijacked, another OG account -- @B -- was swiped. Someone then began tweeting out pictures of Twitter's internal tools panel showing the @B account. Another Twitter account -- @shinji -- also was tweeting out screenshots of Twitter's internal tools. Minutes before Twitter terminated the @shinji account, it was seen publishing a tweet saying "follow @6," referring to the account hijacked from Lucky225.

Cached copies of @Shinji's tweets prior to Wednesday's attack on Twitter are available here and here from the Internet Archive. Those caches show Shinji claims ownership of two OG accounts on Instagram -- "j0e" and "dead." KrebsOnSecurity heard from a source who works in security at one of the largest U.S.-based mobile carriers, who said the "j0e" and "dead" Instagram accounts are tied to a notorious SIM swapper who goes by the nickname "PlugWalkJoe." Investigators have been tracking PlugWalkJoe because he is thought to have been involved in multiple SIM swapping attacks over the years that preceded high-dollar bitcoin heists. Now look at the profile image in the other Archive.org index of the @shinji Twitter account (pictured below). It is the same image as the one included in the @Shinji screenshot above from Wednesday in which Joseph/@Shinji was tweeting out pictures of Twitter's internal tools.

This individual, the source said, was a key participant in a group of SIM swappers that adopted the nickname "ChucklingSquad," and was thought to be behind the hijacking of Twitter CEO Jack Dorsey's Twitter account last year. The mobile industry security source told KrebsOnSecurity that PlugWalkJoe in real life is a 21-year-old from Liverpool, U.K. named Joseph James Connor. The source said PlugWalkJoe is in Spain where he was attending a university until earlier this year. He added that PlugWalkJoe has been unable to return home on account of travel restrictions due to the COVID-19 pandemic. [...] If PlugWalkJoe was in fact pivotal to this Twitter compromise, it's perhaps fitting that he was identified in part via social engineering.

Bitcoin

TikTok Traders Are Pumping Joke Cryptocurrency Dogecoin -- and the Price is Up 95% (fortune.com) 29

Day traders on viral video app TikTok are encouraging people to speculate on a joke cryptocurrency called Dogecoin. Based on an old Internet meme -- an overly sincere and whimsically grammar-challenged Shiba Inu dog -- the digital coin was developed as a Bitcoin-spinoff in 2013, after which it quickly rose to prominence as a gag. From a report: The shenanigans of the cryptocurrency-pumpers appear to be working, at least for now. The price of Dogecoin has nearly doubled since July 6th, rising 95% to $0.00448 from $0.0023, according to data from OnChainFX, a cryptocurrency data tracker. The price of Dogecoin peaked in January 2018 at $0.013 before promptly crashing. It appears a flood of stuck-at-home market hypers is behind the push to hype the cryptocurrency. "Go invest in Dogecoin, make me rich," wrote one pumper. "They cant stop us all," encouraged another. Yet one more: "worth it. i swear #stocks #coins #dogecoin #money"

Businesses

Venture Capitalists' Critiques of Journalism Secretly Leaked to Journalists (vice.com) 118

A confrontation between venture capitalists and journalists has been slowly playing out on Twitter — and in an incendiary article on VICE US.

It started when...
  • A luggage startup's co-CEO complained on Instagram about young reporters who "forgo their personal ethics."
  • A New York Times reporter called the posts "incoherent" and "disappointing."
  • Angel investor Balaji S. Srinivasan (also the former CTO of Coinbase) later said the reporter "attacked" the co-CEO, who he then needed to defend — calling the reporter a sociopath in a multi-tweet thread.
  • The New York Times reporter tweeted that the investor had "been ranting about me by name for months now."

The reporter and the angel investor both finally ended up on Clubhouse, an elite invitation-only audio social network popular with venture capitalists, but the reporter left early. Later Vice published leaked audio of the subsequent conversation, which included Srinivasan and several other Andreessen Horowitz venture capitalists, in which Vice says participants "spent at least an hour talking about how journalists have too much power to 'cancel' people and wondering what they, the titans of Silicon Valley, could do about it."

Then things got really ugly...


Security

New Mac Ransomware Is Even More Sinister Than It Appears (wired.com) 49

An anonymous reader quotes a report from Wired: The threat of ransomware may seem ubiquitous, but there haven't been too many strains tailored specifically to infect Apple's Mac computers since the first full-fledged Mac ransomware surfaced only four years ago. So when Dinesh Devadoss, a malware researcher at the firm K7 Lab, published findings on Tuesday about a new example of Mac ransomware, that fact alone was significant. It turns out, though, that the malware, which researchers are now calling ThiefQuest, gets more interesting from there. In addition to ransomware, ThiefQuest has a whole other set of spyware capabilities that allow it to exfiltrate files from an infected computer, search the system for passwords and cryptocurrency wallet data, and run a robust keylogger to grab passwords, credit card numbers, or other financial information as a user types it in. The spyware component also lurks persistently as a backdoor on infected devices, meaning it sticks around even after a computer reboots, and could be used as a launchpad for additional, or "second stage," attacks. Given that ransomware is so rare on Macs to begin with, this one-two punch is especially noteworthy.

Though ThiefQuest is packed with menacing features, it's unlikely to infect your Mac anytime soon unless you download pirated, unvetted software. Thomas Reed, director of Mac and mobile platforms at the security firm Malwarebytes, found that ThiefQuest is being distributed on torrent sites bundled with name-brand software, like the security application Little Snitch, DJ software Mixed In Key, and music production platform Ableton. K7's Devadoss notes that the malware itself is designed to look like a "Google Software Update program." So far, though, the researchers say that it doesn't seem to have a significant number of downloads, and no one has paid a ransom to the Bitcoin address the attackers provide. [...] Given that the malware is being distributed through torrents, seems to focus on stealing money, and still has some kinks, the researchers say it was likely created by criminal hackers rather than nation state spies looking to conduct espionage.

Bitcoin

Someone Mysteriously Sent Almost $1 Billion In Bitcoin (vice.com) 147

Someone transferred bitcoins worth close to $1 billion on Tuesday morning, a move that was public for everyone to see while the identities of the sender and receiver remain unknown. Motherboard reports: Big money moves hiding in plain sight tend to be events of some interest among Bitcoiners. Decrypt noted that the sending wallet was recognized as the largest Bitcoin wallet not known to be associated with a business such as an exchange. This means that it could belong to a wealthy private individual, or it could really belong to an exchange, investor, or other business that is simply currently unknown. There's no obligation to publicize which Bitcoin addresses one controls, and if nobody else puts two and two together, one's activities may remain shrouded in pseudonymity.

If the Bitcoin wallet belongs to someone legit, then it's likely the transfer was internal to the business, or it represents a large purchase of goods or services, or the sale of bitcoins. Regardless of what it was, the business would be expected to pay taxes in any relevant circumstances. If the transfer wasn't legit, well, pseudonymity and the ability to freely move money without the pre-approval of an authority is the point of Bitcoin. That being said, law enforcement is certainly aware of Bitcoin at this stage in the game and if I'm talking about this transfer then I'm sure more important people could be, too.
