How the FBI tracked down the Twitter hackers

After US law enforcement charged three individuals earlier today for the recent Twitter hack, ZDNet was able, with the help of court documents released by the DOJ, to piece together a timeline of the hack and how US investigators tracked down the three suspected hackers.
The article below uses data from three indictments published today by the DOJ against:
Mason Sheppard, aka “Chaewon,” 19, of Bognor Regis, in the United Kingdom [indictment].
Nima Fazeli, aka “Rolex,” 22, of Orlando, Florida [indictment].
Graham Ivan Clark, aka “Kirk,” 17, of Tampa, Florida [indictment, courtesy of Motherboard].
According to court documents, the entire hack appears to have begun on May 3, when Clark, a teen from Tampa, but living in California, gained access to a portion of Twitter’s network.
Here the timeline gets murky: it is unclear what happened between May 3 and July 15, the day of the actual hack, but it appears that Clark was not immediately able to pivot from his initial entry point to the Twitter admin tool that he later used to take over accounts.
However, reporting from the New York Times in the days after the Twitter hack suggests Clark initially gained access to one of Twitter’s internal Slack workspaces, and not to Twitter’s own systems.
NYT reporters, citing sources in the hacking community, said the hacker found credentials for one of Twitter’s tech support tools pinned in one of the company’s Slack channels.
Images of this tool, which allowed Twitter employees to control all facets of a Twitter account, later leaked online on the day of the hack.
However, the credentials for this tool alone were not enough to reach the Twitter backend.
In a Twitter blog post detailing the company’s investigation into the hack, Twitter said accounts for this administrative backend were protected by two-factor authentication (2FA).
It is unclear how long it took Clark, but the same Twitter investigation says the hacker used “a phone spear phishing attack” to trick some of its employees into giving up access to their accounts, “getting through [Twitter’s] two-factor protections.”
According to Twitter, this happened on July 15, the same day of the hack.
Clark, who went by Kirk#5270 on Discord, did not wait around to be detected: according to Discord chats obtained by the FBI, the hacker contacted two other individuals to help him monetize this access.
Chat logs included in the court documents show Clark (Discord user “Kirk#5270”) approaching two other users from the Discord channel of OGUsers, a forum dedicated to hackers buying and selling social media accounts.
In the chat logs, Clark approached the two other hackers (Fazeli as Discord user “Rolex#037” and Sheppard as Discord user “ever so anxious#0001”) and claimed to work at Twitter.
He proved his claims by modifying the settings of an account owned by Fazeli (Rolex#037) and also sold Fazeli access to the @foreign Twitter account.
Clark then followed up by selling Sheppard access to multiple short-form Twitter accounts, such as @xx, @dark, @vampire, @obinna, and @drug.
As Clark convinced the other two of his level of access, the three struck a deal to post ads on the OGUsers forum to promote Clark’s ability to hijack Twitter accounts.
Following the posting of these ads, it is believed that multiple people bought access to Twitter accounts. In a recorded message posted on YouTube by the Executive Office for United States Attorneys, investigators said they are still looking into multiple users who participated in the hack.
It is believed that one of these parties is responsible for buying access to celebrity verified Twitter accounts on July 15, and posting a cryptocurrency scam message.
The message, spotted on accounts belonging to Barack Obama, Joe Biden, Bill Gates, Elon Musk, Jeff Bezos, Apple, Uber, Kanye West, Kim Kardashian, Floyd Mayweather, Michael Bloomberg, and others, asked users to send Bitcoin to several addresses.
Court documents say the hackers operating the wallets used in this scam received 12.83 bitcoin, or around $117,000. A subsequent investigation also revealed that cryptocurrency exchange Coinbase took matters into its own hands on the day of the hack and blocked transactions to the scam addresses, preventing another $280,000 from being sent to the scammers.
It was at this point that the hack became visible to everyone, including Twitter’s staff, who blocked verified Twitter accounts from tweeting while they kicked Clark out of their network.
Twitter’s subsequent investigation discovered that Clark interacted with 130 accounts while he had access to the Twitter admin tool, initiated a password reset for 45, and accessed private messages for 36.
The day following the hack was also when Twitter filed a formal criminal complaint with authorities, and the FBI and Secret Service started an investigat...