Authorities on Friday charged three people with orchestrating this month's epic Twitter hack, which netted more than $100,000 through a Bitcoin scam promoted from hijacked politician, executive, and celebrity accounts.
Federal prosecutors in San Francisco charged 19-year-old Mason Sheppard, 22-year-old Nima Fazeli, and an unnamed juvenile in the July 15 breach. The Florida state attorney's office for the county where the juvenile defendant lives identified him as 17-year-old Graham Ivan Clark and charged him with 30 counts. Prosecutors said Sheppard used the hacker handles "Chaewon" and "ever so anxious#0001" and lives in the British town of Bognor Regis. Fazeli, who allegedly went by "Rolex," "Rolex#0373," "Rolex#373," and "Nim F," is from Orlando, Florida.
The three are accused of using social engineering and other techniques to gain access to internal Twitter systems. They then allegedly used that access to take over what Twitter said were 130 accounts. Account holders included former Vice President Joe Biden, Tesla founder Elon Musk, pop star Kanye West, and philanthropist and Microsoft founder, former CEO and chairman Bill Gates.
Prosecutors said the defendants used the high-profile accounts, many of them with millions of followers, to promote a scam that promised to double the money of anyone who sent bitcoin to attacker-controlled wallets. The scheme netted more than $117,000. The hackers also took over accounts with short usernames, which are in high demand on a criminal hacking forum called OGusers.
"These crimes were perpetrated using the names of famous people and celebrities, but they're not the primary victims here," said Hillsborough County State Attorney Andrew Warren. "This 'Bit-Con' was designed to steal money from regular Americans from all over the country, including here in Florida. This massive fraud was orchestrated right here in our backyard, and we will not stand for that."
Careful research, social engineering and carefully coordinated phishing
A security researcher who has been working actively with the FBI to investigate the breach told Ars earlier this month that the hack was the result of careful research into Twitter employees, social engineering of those employees over the phone, and carefully coordinated phishing.
Allison Nixon, chief research officer at security firm Unit 221B, said the evidence so far indicates that Clark and the hackers he worked with first searched LinkedIn for Twitter employees who were likely to have access to the account tools. Using features that LinkedIn offers to recruiters, the attackers then obtained those employees' cell phone numbers and other private contact information.
The attackers then called the employees and used the information gathered from LinkedIn and other public sources to convince them that they were authorized Twitter staff. Work-from-home arrangements brought on by the COVID-19 pandemic also kept employees from using normal procedures, such as face-to-face contact, to verify the callers' identities.
Having won the targeted employees' trust, the attackers directed them to a phishing site that mimicked an internal Twitter VPN. The attackers captured the credentials as the employees entered them. To defeat the two-factor authentication Twitter had in place, the attackers entered the stolen credentials into the real Twitter VPN portal within seconds of the employees entering them into the fake one; the one-time password the employee then supplied was still valid, and the attackers were in.
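The relay described above works because a one-time password is only bound to time, not to the site it was typed into. The following is an added example, not code from the article, from Twitter or from Unit 221B: it models the attacker forwarding a phished password and code to the real portal within the code's validity window, and contrasts that with an origin-bound (WebAuthn-style) challenge that the same relay cannot satisfy. Every user, secret and portal name is constructed, and the code type (TOTP, RFC 6238) is an assumption, since the article says only "one-time password."

```python
"""Added example: real-time OTP relay versus an origin-bound challenge.
All names, secrets and origins are constructed for illustration."""
import hashlib
import hmac
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step) for the given unix time."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class OtpPortal:
    """The real VPN portal: password plus TOTP, accepting the current step and
    one step either side (the usual clock-skew allowance)."""

    def __init__(self, users: dict):
        self.users = users  # username -> (password, totp_secret)

    def login(self, user: str, password: str, code: str, now: int) -> bool:
        pw, secret = self.users[user]
        if password != pw:
            return False
        return any(totp(secret, now + skew) == code for skew in (-30, 0, 30))


def otp_relay(portal: OtpPortal, user: str, password: str, secret: bytes, now: int) -> bool:
    """Victim types password and current code into the fake portal; the
    attacker submits the captured values to the real portal five seconds
    later. Succeeds because nothing in the code records where it was typed."""
    captured = (user, password, totp(secret, now))
    return portal.login(*captured, now=now + 5)


def authenticator_sign(key: bytes, challenge: str, browser_origin: str) -> str:
    """What the victim's authenticator produces: a MAC over the challenge and
    the origin the *browser* reports, which the phishing page cannot alter.
    Simplified model: a per-user HMAC stands in for the public-key signature."""
    return hmac.new(key, f"{challenge}|{browser_origin}".encode(), hashlib.sha256).hexdigest()


class OriginBoundPortal:
    """WebAuthn-style portal: a valid assertion is a signature over
    (challenge, origin), and the portal checks both against its own origin."""

    ORIGIN = "https://vpn.example.com"  # hypothetical relying-party origin

    def __init__(self, keys: dict):
        self.keys = keys  # username -> authenticator key
        self.challenges = {}
        self._counter = 0

    def challenge(self, user: str) -> str:
        self._counter += 1  # deterministic stand-in for random challenge bytes
        c = hashlib.sha256(f"{user}:{self._counter}".encode()).hexdigest()
        self.challenges[user] = c
        return c

    def verify(self, user: str, claimed_origin: str, signature: str) -> bool:
        challenge = self.challenges.pop(user, None)  # single use
        if challenge is None or claimed_origin != self.ORIGIN:
            return False
        expected = authenticator_sign(self.keys[user], challenge, self.ORIGIN)
        return hmac.compare_digest(signature, expected)


def origin_bound_relay(portal: OriginBoundPortal, user: str, key: bytes,
                       phishing_origin: str = "https://vpn-example.com") -> tuple:
    """Same relay against the origin-bound portal. The attacker fetches a real
    challenge, presents it on the phishing page, and relays the assertion.
    Returns (forwarded as-is, forwarded with the origin field rewritten)."""
    challenge = portal.challenge(user)
    assertion = authenticator_sign(key, challenge, phishing_origin)
    as_is = portal.verify(user, phishing_origin, assertion)      # origin mismatch
    challenge = portal.challenge(user)                           # first one was consumed
    assertion = authenticator_sign(key, challenge, phishing_origin)
    rewritten = portal.verify(user, portal.ORIGIN, assertion)    # signature mismatch
    return as_is, rewritten


def legitimate_login(portal: OriginBoundPortal, user: str, key: bytes) -> bool:
    challenge = portal.challenge(user)
    return portal.verify(user, portal.ORIGIN, authenticator_sign(key, challenge, portal.ORIGIN))


def demo() -> dict:
    secret, key = b"12345678901234567890", b"authenticator-key"
    otp_portal = OtpPortal({"alice": ("hunter2", secret)})
    wa_portal = OriginBoundPortal({"alice": key})
    as_is, rewritten = origin_bound_relay(wa_portal, "alice", key)
    return {
        "otp_relay_succeeds": otp_relay(otp_portal, "alice", "hunter2", secret, now=1_594_800_000),
        "origin_bound_relay_as_is": as_is,
        "origin_bound_relay_rewritten": rewritten,
        "origin_bound_legit": legitimate_login(wa_portal, "alice", key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The relay against the OTP portal succeeds with the attacker as a pure pass-through; the same relay against the origin-bound portal fails whether the assertion is forwarded untouched (origin mismatch) or with the origin field rewritten (signature no longer verifies). Real WebAuthn uses asymmetric signatures over a clientDataJSON that the browser, not the page, populates; the HMAC here is a stand-in for that.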
Nixon and Mark Rasch, Unit 221B's Chief Legal Officer, described the hackers' tactics, techniques, and procedures in a post published shortly after the charges were filed.
ID'd through a hacked database
Prosecutors said they traced Sheppard and Fazeli through an OGusers forum database that had been stolen and released by a rival group of hackers. The database, which the FBI obtained in early April, more than three months before the Twitter hack, contained public forum posts, private messages, IP addresses, email addresses, and other information about forum participants.
On the day of the Twitter breach, someone with the OGusers account name "Chaewon" advertised that he could change the email address associated with any Twitter account for $250 and provide direct access to accounts for $2,500 to $3,000. Chaewon told buyers to contact the Discord user "ever so anxious#0001."
The OGusers database showed that in early February a user named Chaewon offered to buy a compromised video game account. FBI investigators found that the wallet address used to make that payment belonged to the same Bitcoin cluster that "ever so anxious#0001" used on July 15 to receive payments before forwarding them to an address belonging to Kirk#5270. A Bitcoin cluster is a group of wallets that can be forensically linked to a single person or entity.
Investigators also used IP addresses Chaewon used to connect to OGusers to link that account to another OGusers account called "Mas," which was associated with the email address email@example.com. Records investigators obtained from the Coinbase cryptocurrency exchange showed that the address was tied to an account in the name of Matthew Sheppard. A driver's license supplied by the user of the Coinbase account belonged to Sheppard.
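The two pivots in the paragraphs above, grouping wallet addresses into a cluster and joining forum accounts through shared IP addresses, can be illustrated with a small model. The following is an added example, not the FBI's tooling or anything from the article: it builds clusters with the common-input-ownership heuristic (the usual basis for "addresses controlled by one entity" findings, and an assumption here, since the article does not say which heuristic investigators applied) and then pivots across accounts by shared login IP. Every transaction, address, account handle and IP below is constructed, using the reserved documentation IP ranges.

```python
"""Added example: Bitcoin address clustering plus IP pivoting on constructed data."""
from collections import defaultdict

# Constructed transactions: (txid, input addresses, output addresses).
# tx1 and tx2 share the input 1Bx, so 1Ax, 1Bx and 1Cx collapse into one cluster.
TXS = [
    ("tx1", ["1Ax", "1Bx"], ["1Merchant"]),
    ("tx2", ["1Bx", "1Cx"], ["1Exchange"]),
    ("tx3", ["1Dx"], ["1Ax"]),         # pays INTO the cluster; does not merge 1Dx
    ("tx4", ["1Ex", "1Fx"], ["1Cx"]),  # a second, separate cluster paying the first
]

# Constructed forum login records: (account handle, source IP).
LOGINS = [
    ("seller", "198.51.100.7"), ("seller", "203.0.113.9"),
    ("seller_alt", "203.0.113.9"), ("seller_alt", "198.51.100.7"),
    ("broker", "192.0.2.44"),
    ("bystander", "203.0.113.9"),  # one shared IP only: a weak link
]


class DisjointSet:
    """Union-find over addresses; path halving keeps find() cheap."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_addresses(txs):
    """Common-input-ownership heuristic: every input of one transaction is
    presumed to be spent by the same key-holder, so inputs are merged.
    Outputs are deliberately NOT merged; receiving coins says nothing about
    who controls the receiving key. Returns {address: cluster representative}."""
    ds = DisjointSet()
    for _, inputs, _ in txs:
        ds.find(inputs[0])  # register single-input spends as their own cluster
        for addr in inputs[1:]:
            ds.union(inputs[0], addr)
    return {addr: ds.find(addr) for addr in list(ds.parent)}


def same_cluster(clusters, a, b):
    return a in clusters and b in clusters and clusters[a] == clusters[b]


def payments_into(txs, clusters, member):
    """Transactions with an output to any address in `member`'s cluster: the
    shape of a "funds were sent to an address in X's cluster" finding."""
    target = clusters[member]
    return [txid for txid, _, outs in txs if any(clusters.get(o) == target for o in outs)]


def ip_pivot(logins, account):
    """Accounts sharing at least one login IP with `account`, keyed by the other
    account and listing the shared IPs, so each link's strength is visible."""
    by_ip = defaultdict(set)
    for acct, ip in logins:
        by_ip[ip].add(acct)
    links = defaultdict(set)
    for ip, accts in by_ip.items():
        if account in accts:
            for other in accts - {account}:
                links[other].add(ip)
    return dict(links)


if __name__ == "__main__":
    clusters = cluster_addresses(TXS)
    print("1Ax and 1Cx same entity:", same_cluster(clusters, "1Ax", "1Cx"))
    print("1Ax and 1Dx same entity:", same_cluster(clusters, "1Ax", "1Dx"))
    print("txs paying the 1Ax cluster:", payments_into(TXS, clusters, "1Ax"))
    for other, ips in ip_pivot(LOGINS, "seller").items():
        print(f"seller <-> {other}: {len(ips)} shared IP(s) {sorted(ips)}")
```

Both pivots are heuristics and the output should be read that way: the common-input rule is broken by CoinJoin-style transactions and by custodial exchanges that batch many customers' inputs, and a single shared IP (NAT, VPN exit, mobile carrier) links strangers as readily as alts. The example therefore reports how many IPs two accounts share rather than a yes/no, and keeps deposits into a cluster separate from membership in it.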
Investigators identified Fazeli after the hacked OGusers database showed that someone using the username "Rolex" had demonstrated control of a Discord account registered as "Rolex#0373." In Discord chats on the day of the Twitter breach, Rolex#0373 acted as a broker for accounts that another suspected participant in the hack, Discord user Kirk#5270, was offering for sale.
On OGusers, Rolex had several times in 2018 used the email address firstname.lastname@example.org to receive PayPal payments from other users. The same Discord discussion showed Rolex#0373 paying Kirk#5270 $500 for control of the hijacked Twitter account @foreign. Rolex#0373 then instructed that the email address associated with the account be changed to email@example.com.
"Charged as an adult"
Sheppard is charged with one count each of aiding and abetting the intentional access of a protected computer to obtain information, conspiracy to commit wire fraud, and conspiracy to commit money laundering. Fazeli is charged with a single count of computer intrusion. The Hillsborough County State Attorney's office, which identified Clark as the mastermind of the breach, charged him with one count of organized fraud, eleven counts of fraudulent use of personal information, one count of accessing a computer or electronic device without authority, and 17 counts of communications fraud.
Clark is being prosecuted in Tampa, where he lives, "because Florida law allows minors to be charged as adults in financial fraud cases such as this," Warren's office said.