You may have heard about the Elon Musk Bitcoin scam doing the rounds on Twitter this past week. In this article I will explain how the scam was orchestrated and then walk through some of the Open Source Intelligence (OSINT) gained through using some simple but effective techniques.

The Scam

Let’s first quickly walk through the scam itself and how it played out. Here’s an example of one of the promoted tweets:

Despite the nature of the tweet (Musk giving away Bitcoin, seriously?), the grammatical errors, the fake Tesla domain name and the mismatch between the Twitter account and the display name, people still fell for it.

In short, the attackers compromised a number of genuine, verified Twitter accounts such as Capgemini, Target and Google’s G Suite, then changed the display name and profile picture to Musk’s. To deliver the message to the masses they then used promoted tweets like the one above, linking to websites where the victims could make the Bitcoin transfer. And it worked. Despite the obvious indicators (grammatical errors, and the mismatch between the Twitter username, the display name and the domain name), apparently over $180,000 worth of Bitcoin was sent to the scammers. Incredible.

Of course, Bitcoin scams on Twitter are nothing new, yet when I came across this live in my Twitter feed this week, I couldn’t resist performing some OSINT on the domain names involved, just to see what might turn up. Being the author of SpiderFoot, I’m always looking for opportunities to test it out to identify areas for improvement, so this seemed like the perfect opportunity. I plugged the domain names into SpiderFoot, selected all 150 modules so as to collect as much data as possible, and let it run.

Alongside the automated data collection by SpiderFoot, I performed some manual analysis to supplement it. I’ll be covering that here too.

Goals of the Analysis

To be honest, I had no goals to begin with except to collect all the data and browse through it in SpiderFoot to see how the tool could be improved. Some things did, however, catch my eye, which is where the inspiration for this article came from. I figured that if I was going to do a write-up, I should put some structure to it and explain the process. So in short, the goals are to:

Find all the entities (hostnames, IP addresses, e-mail addresses, names, domain names, etc.) relevant to the scam with the goal of finding those which might reveal the true identities of those behind it, or at least hints towards those identities

Learn any characteristics of the scam which might be useful when identifying/investigating future scams or support the investigation of the entities identified

Suggest potential next steps for further investigation which may help in this particular investigation, or others in the future

Before continuing, I need to provide the disclaimer that I am not making any claims as to the identity/origin of the scammers, nor even claiming my analysis is comprehensive. This post is intended to provide further insight into the scam as well as guidance for those doing similar investigations.

So let’s get into it…

The Analysis

The starting point for the analysis itself is what we can target for the automated OSINT collection. The Twitter accounts used were compromised legitimate accounts, so investigating them would provide little value. The name behind the scam (Elon Musk) is also fake, in the sense that it is obviously not him (although to be fair, that can’t be ruled out either!). So, all we have to go off initially is the domain names mentioned in the tweets themselves. The tweets I saw made reference to these domains, but there were surely more:

m-tesla[.]me

elonmusk[.]id

m-tesla[.]pw

Starting with the Domain Names

What kind of techniques are available to us if we are starting with domain names for OSINT? Well, a domain name resolves to an IP address, has a Whois record with its registrar, and so on. Let’s call these “chains of information”, which could look something like this:

Domain name -> IP address -> Search passive DNS -> Co-hosted sites

Domain name -> Whois lookup -> Extract e-mail addresses

Domain name -> Fetch web content -> Extract names, etc.

And so on…

Obviously the chains above are very simplistic but you get the idea: one piece of information leads to another which can lead to another and so on. In any investigation you could be looking at tens of layers of depth for analysis, depending on the data sources available to you and the quality of each link in the chain.
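The three chains above, written out as a small breadth-first pivot engine. This is an added example, not code from the article or from SpiderFoot: the DNS, Whois and web lookups are stubbed with constructed data so it runs offline, and only the three defanged domain names come from the article (the IP addresses, e-mail address, co-hosted domain and payment address are made-up placeholders). It also records the provenance of every finding, which the chains imply but do not show.

```python
import re
from collections import deque
# Constructed stand-ins for live passive-DNS, Whois and web lookups. Assumption:
# only the three domain names come from the article; every other value is made up.
PASSIVE_DNS = {"m-tesla.me": ["203.0.113.10"], "elonmusk.id": ["203.0.113.10"],
               "m-tesla.pw": ["198.51.100.7"]}
COHOSTED = {"203.0.113.10": ["m-tesla.me", "elonmusk.id", "tesla-promo.example"],
            "198.51.100.7": ["m-tesla.pw"]}
WHOIS = {"m-tesla.me": "Registrant Email: owner@mail.example",
         "m-tesla.pw": "Registrant Email: REDACTED FOR PRIVACY"}
WEB = {"m-tesla.me": "Send 0.1 BTC to 1DemoDemoDemoDemoDemoDemoDemoDemo1, get 1 BTC back",
       "tesla-promo.example": "Questions? Write to owner@mail.example"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")  # legacy address form
def refang(indicator):  # "m-tesla[.]me" -> "m-tesla.me"
    return indicator.replace("[.]", ".")

# One pivot per arrow in the chains: entity type -> functions that take a value
# and return the (type, value) entities it leads to.
PIVOTS = {
    "domain": [
        lambda d: [("ip", ip) for ip in PASSIVE_DNS.get(d, [])],
        lambda d: [("email", e) for e in EMAIL_RE.findall(WHOIS.get(d, ""))],
        lambda d: [("email", e) for e in EMAIL_RE.findall(WEB.get(d, ""))]
                + [("btc_address", a) for a in BTC_RE.findall(WEB.get(d, ""))],
    ],
    "ip": [lambda ip: [("domain", d) for d in COHOSTED.get(ip, [])]],
}

def investigate(seeds, max_depth=3):
    """Breadth-first expansion of the chains from the seed domains. Returns
    {(type, value): (depth, parent)} so every finding keeps its provenance."""
    found = {("domain", refang(s)): (0, None) for s in seeds}
    queue = deque(found)
    while queue:
        node = queue.popleft()
        depth = found[node][0]
        if depth >= max_depth:          # cap the depth; real chains get very deep
            continue
        for pivot in PIVOTS.get(node[0], []):
            for child in pivot(node[1]):
                if child not in found:  # first discovery wins, later paths are duplicates
                    found[child] = (depth + 1, node)
                    queue.append(child)
    return found

def chain(found, node):  # provenance back to the seed, e.g. "ip:x <- domain:y"
    parent = found[node][1]
    return f"{node[0]}:{node[1]}" + (f" <- {chain(found, parent)}" if parent else "")
```

Swapping the stub dictionaries for real lookups (or SpiderFoot’s own modules) turns the same loop into a live collector; the `max_depth` cap is what keeps the co-hosting pivot from pulling in every unrelated site on a shared IP.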