(Bloomberg) -- Whoever is behind the security incident involving some of the most prominent business and political leaders on Twitter -- a scam that raised about $120,000 worth of Bitcoin -- is shifting the spoils around online accounts, creating the beginnings of a digital paper trail that investigators are scouring for clues.

Hackers gained access to the Twitter accounts of executives including Amazon.com Inc. Chief Executive Officer Jeff Bezos and Tesla Inc. Founder Elon Musk, asking users to direct Bitcoin to one of three different accounts, said Tom Robinson, co-founder of Elliptic, which helps law-enforcement agencies track Bitcoin-related crime.

Bitcoin offers users a degree of anonymity, making it a popular vehicle for criminal behavior. But investigators can glean valuable information in cases where the cryptocurrency is moved to accounts, or wallets, that have carried out transactions with certain U.S. exchanges or services. That’s because U.S. exchanges typically take pains to verify user identity.

“Sharing this information fast with the authorities worldwide and with companies from the ecosystem, will help us stop the stolen funds and find more info about the attackers,” said Itsik Levy, co-founder of Whitestream, a Bitcoin researcher.

The attackers received just over 400 payments, valued at $121,000, according to Elliptic. The largest payment came from a Japan-based exchange, and totaled about $42,000.

Soon after they were initially collected in the three accounts, the funds started moving around. About $65,000 of the $120,000 quickly moved to other Bitcoin addresses, one of which has been active in the past and has transacted with a U.S. exchange, Robinson said.

Of the amount moved, about $60,000 was directed to a Bitcoin address that has been active since May, Whitestream said. That address had interacted with Coinbase Inc., the largest U.S. crypto exchange, as well as payment processors BitPay and CoinPayments, Whitestream said.

BitPay confirmed that a small purchase was made in May by one of the hacker addresses. “Available details are being shared with appropriate parties including law enforcement,” a spokesperson for BitPay said. Coinbase declined to comment, and CoinPayments didn’t return requests for comment.

The money that was initially collected in three Bitcoin addresses has now been moved to 12 new addresses, according to Elliptic.

The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued an advisory Thursday saying crypto exchanges and other financial institutions should report any suspicious activities related to the hack as soon as possible. New York Governor Andrew Cuomo said the New York Department of Financial Services will investigate the incident, and, according to Reuters, the Federal Bureau of Investigation is also on the case.