The Twitter hackers who compromised more than a dozen celebrity accounts on Wednesday appear to be consolidating their funds to an address that had earlier sent money to BitPay and Coinbase.

According to research from Whitestream, a blockchain analytics company, three transactions originating from the “1Ai5” address lead to wallets associated with Coinbase and BitPay, both of which provide merchant solutions. The legacy address was the first to be offered by the hackers, who later switched to a Bech32 address when targeting non-crypto accounts.

However, the original address is now the consolidation point for all the proceeds obtained through the attack. It received 14.75 Bitcoin (BTC), worth about $135,000.

Three transactions are believed to lead to Coinbase and BitPay. The first involves a transfer of about 1.2 BTC in May 2020, worth about $11,000 at the time. The latter two were sent two days before the hack and are for much smaller amounts.

Notably, the latter transactions are much more sophisticated, as the change address is always of a different type than any of the inputs. This makes the funds more difficult to trace, though it is possible that the hacker was simply in the process of switching to a Bech32 address.
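The following sketch shows why a change output of a different address type frustrates tracing. It is an added example, not code from Whitestream or the article, and it implements one common analyst heuristic (treat the output whose address type matches the inputs as change); the function names, addresses and transaction ids are all constructed placeholders.

```python
# Added illustration; function names and all addresses below are constructed.

def address_type(addr: str) -> str:
    """Classify a mainnet Bitcoin address by its human-visible prefix."""
    if addr.startswith("bc1"):
        return "bech32"        # native SegWit
    if addr.startswith("1"):
        return "legacy-p2pkh"  # the format of the "1Ai5" address
    if addr.startswith("3"):
        return "p2sh"
    return "unknown"


def guess_change(inputs, outputs):
    """Same-script-type heuristic: if exactly one output shares an address
    type with the inputs, treat it as the sender's change. Returns that
    address, or None when the heuristic is inconclusive."""
    input_types = {address_type(a) for a in inputs}
    matches = [a for a in outputs if address_type(a) in input_types]
    return matches[0] if len(matches) == 1 else None


def trace(transactions):
    """Map each txid to the guessed change address (None = trail goes cold)."""
    return {tx["txid"]: guess_change(tx["inputs"], tx["outputs"])
            for tx in transactions}


# Constructed sample data (placeholder strings, not real addresses or txids).
SAMPLE_TXS = [
    {   # change returns to the same address type as the input
        "txid": "tx-same-type",
        "inputs": ["1SenderLegacyPLACEHOLDER"],
        "outputs": ["3MerchantP2shPLACEHOLDER", "1SenderChangePLACEHOLDER"],
    },
    {   # change goes to a Bech32 address, unlike the legacy input
        "txid": "tx-mixed-type",
        "inputs": ["1SenderLegacyPLACEHOLDER"],
        "outputs": ["3MerchantP2shPLACEHOLDER", "bc1qsenderchangeplaceholder"],
    },
]

if __name__ == "__main__":
    for txid, change in trace(SAMPLE_TXS).items():
        print(txid, "->", change or "inconclusive")
```

In the second transaction the heuristic returns nothing, so an analyst has to fall back on other signals such as amounts, timing or address reuse.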

According to Whitestream, the first transaction sent a small amount of funds to a BitPay-associated address, while the other two were sent to Coinbase. 

The hackers’ address appears to be clearly traceable for those companies, possibly exposing their identity. It is, however, likely that these transactions are related to merchant usage, which could make investigations more difficult.

It is also unclear why the hackers used an old address to perform the attack, as doing so appears to give unnecessary clues to any future investigation. Furthermore, given that the hackers owned at least $11,000 before the attack, such a massive account compromise could have been used to publish market-moving announcements. By entering heavily leveraged positions before the tweets, the hackers likely would have made much more money.

Twitter employees getting exploited

As Cointelegraph reported extensively on Wednesday, dozens of Twitter accounts from crypto exchanges and influencers, tech companies, politicians and celebrities progressively fell to the hackers. The accounts published a well-known crypto scam that promised to double the money of anyone who sent Bitcoin to a certain address.

Twitter said that the issue was due to a social engineering attack performed on high-ranking employees with admin access. Through the admin panel, hackers took control of the accounts by changing their passwords and recovery emails.

This is similar to a BlockFi data breach in May, where criminals used a SIM swap attack to gain access to internal customer records.