How the FBI tracked down the Twitter hackers


Image: Volodymyr Hryshchenko, ZDNet, Twitter

After earlier today US law enforcement charged three individuals for the recent Twitter hack, with the help of court documents released by the DOJ, ZDNet was able to piece together a timeline of the hack, and how US investigators tracked down the three suspected hackers.

The article below uses data from three indictments published today by the DOJ against:

  • Mason Sheppard, aka “Chaewon,” 19, of Bognor Regis, in the United Kingdom [indictment].
  • Nima Fazeli, aka “Rolex,” 22, of Orlando, Florida [indictment].
  • Graham Ivan Clark, believed to be “Kirk,” 17 of Tampa, Florida [indictment, courtesy of Motherboard].

According to court documents, the entire hack appears to have begun on May 3, when Clark, a teen from Tampa, but living in California, gained access to a portion of Twitter’s network.

twitter-hack-3rd-may.png

Image: ZDNet

Here, the timeline gets murky and it is unclear what happened between May 3 and July 15, the day of the actual hack, but it appears that Clark wasn’t immediately able to pivot from his initial entry point to the Twitter admin tool that he later used to take over accounts.

However, reporting from the New York Times days after the Twitter hack suggests Clarke initially gained access to one of Twitter’s internal Slack workspaces, and not to Twitter itself.

NYT reporters, citing sources from the hacking community, said the hacker found credentials for one of Twitter’s tech support tools pinned to one of the company’s Slack channels.

Images of this tool, which allowed Twitter employees to control all facets of a Twitter account, later leaked online on the day of the hack.

twitter-admin-tool.jpg

Image: Reddit

However, the credentials for this tool weren’t enough to access the Twitter backend. In a Twitter blog post detailing the company’s investigation into the hack, Twitter said accounts for this administrative backend were protected by two-factor authentication (2FA).

It is unclear how much time it took Clark to do it, but the same Twitter investigation says the hacker used “a phone spear phishing attack” to trick some of its employees and gain access to their accounts, and “getting through [Twitter’s] two-factor protections.”

According to Twitter, this happened on July 15, the same day of the hack.

Clark, who went on Discord by Kirk#5270, didn’t wait around to be detected, and according to Discord chats obtained by the FBI, the hacker contacted two other individuals to help him monetize this access.

Chat logs included in court documents showed Clark (Discord user “Kirk#5270”) approaching two other users from the Discord channel of OGUsers, a forum dedicated to hackers selling and buying social media accounts.

In chat logs, Clark approached two other hackers (Fazeli as Discord user “Rolex#037” and Sheppard as Discord user “ever so anxious#0001”) and claimed to work at Twitter.

He proved his claims by modifying the settings of an account owned by Fazeli (Rolex#037) and also sold Fazeli access to the @foreign Twitter account.

twitter-hack-chat1.png

Image: ZDNet

Clarke also sold Sheppard access to multiple short-form Twitter accounts, such as @xx, @dark, @vampire, @obinna, and @drug.

twitter-hack-chat2.png

Image: ZDNet

As Clark convinced the other two of his level of access, the three struck a deal to post ads on the OGUsers forum to promote Clark’s ability to hijack Twitter accounts.

twitter-hack-chat3.png

Image: ZDNet
twitter-hacker-chaewon.png

Image: KrebsOnSecurity

Following the posting of these ads, it is believed that multiple people bought access to Twitter accounts. In a recorded message posted on YouTube by the Executive Office for United States Attorneys, investigators said they are still looking into multiple users who participated in the hack.

It is believed that one of these parties is responsible for buying access to celebrity verified Twitter accounts on July 15, and posting a cryptocurrency scam message.

The message, spotted on accounts belonging to Barrack Obama, Joe Biden, Bill Gates, Elon Musk, Jeff Bezos, Apple, Uber, Kanye West, Kim Kardashian, Floyd Mayweather, Michael Bloomberg, and others, asked users to send Bitcoin to several addresses.

twitter-accounts-of-elon-musk-bill-gates-5f11c4c35129505ee26e5a5a-1-jul-20-2020-14-20-37-poster.jpg

Court documents say hackers operating wallets used in this scam received 12.83 bitcoin, or around $117,000. A subsequent investigation also revealed that cryptocurrency exchange Coinbase took matters in its own hands on the day of the hack to block transactions to the scam addresses, eventually preventing another $280,000 from being sent to the scammers.

It’s at this point that the hack became visible to everyone, including Twitter’s staff, who intervened to block verified Twitter accounts from tweeting while they kicked Clark out of their network.

Twitter’s subsequent investigation discovered that Clark interacted with 130 accounts while he had access to the Twitter admin tool, initiated a password reset for 45, and accessed private messages for 36.

The day following the hack was also when Twitter filed a formal criminal complaint with authorities, and the FBI and Secret Service started an investigation.

Per court documents, the FBI used data shared on social media and by news outlets to get chat logs and user details from Discord.

Since some of the hacker ads were posted on OGUsers, the FBI also used a copy of the OGUsers forum database that leaked online in April this year after the forum got hacked. This database contained details on registered forum users, such as emails and IP addresses, but also private messages.

Authorities, with the help of the IRS, also obtained data from Coinbase about the Bitcoin addresses involved in the hacks, and addresses used and mentioned by the three hackers in the past in Discord chats and OGUsers forum posts.

Correlating data from the three sources, the FBI was able to track hacker identities on the three sites, and link them to email and IP addresses.

For example, authorities tracked Fazili down after he linked his Discord username from his OGUsers page, an obvious operational security (OpSec) mistake.

twitter-rolex-ogusers.png

Image: ZDNet

Fazili also made multiple other mistakes in hiding his identity. For starters, he used the damniamevil20@gmail.com address to register an account on the OGUsers forum and the chancelittle10@gmail.com email address to hijack the @foreign Twitter account.

He also used the same two email addresses to register Coinbase accounts, which he later verified with a photo of his driver’s license.

Furthermore, Fazili also used his home connection to access accounts on the three sites, leaving his home IP address in connection logs on all three services — Discord, Coinbase, and OGUsers.

The same goes for Sheppard (ever so anxious#0001), who went on OGUsers as Chaewon. Investigators said they were able to connect Sheppard’s Discord user with his OGUsers persona thanks to the ad he posted on the site on the day of the hack, but they also got confirmation going through the OGUsers leaked database, where they found Chaewon buying a video game username with a Bitcoin address that was connected to addresses used on the day of the Twitter hack.

twitter-hack-chaewon-payments.png

Image: ZDNet

Just like in Fazili’s case, Sheppard managed accounts at Coinbase, where he, too, used his real-world driver’s license to verify multiple accounts.

Authorities didn’t link Clark directly to the Kirk#5270 Discord user, but details shared today by different US government sources suggest he’s the same individual.

First, Hillsborough State Attorney Andrew Warren claimed the 17-year-old Tampa teen (Clark) they arrested today was the “mastermind” of the entire hack — the role that Kirk#5270 played in the entire scheme.

Second, in a press release from the Northern District of California, authorities said they referred the third hacker, the juvenile, to the State Attorney for the 13th Judicial District (Hillsborough County) in Tampa, Florida.

The same Florida office announced today the hacker’s arrest and revealed his real name as Graham Ivan Clark.