How the FBI tracked the Twitter hackers

Earlier today, U.S. law enforcement charged three individuals in connection with the recent Twitter hack. Using court documents released by the Department of Justice, ZDNet was able to piece together a timeline of the hack and of how U.S. investigators tracked down the three suspected hackers.

This article draws on the three indictments released by the Department of Justice against the three suspects discussed below: Sheppard, Fazeli and Clark.

According to the court documents, the entire hack appears to have begun on May 3, when Clark, a teenager from Tampa, Florida, gained access to a portion of Twitter's network.

Here the timeline gets murky, and we do not know what happened between May 3 and July 15, the day of the hack, but it appears that Clark was not able to pivot from his initial entry point to the Twitter admin tool he later used to hijack accounts.

However, New York Times reports published a few days after the hack suggest that Clark initially gained access to one of Twitter's internal Slack workspaces rather than to Twitter's own systems.

NYT reporters, citing sources in the hacker community, said the hacker found credentials for one of Twitter's internal support tools pinned in one of the company's Slack channels.

Images of the tool, which let Twitter employees access every aspect of a Twitter account, leaked online on the day of the hack.

Those credentials alone, however, were not enough to reach the Twitter backend. In a blog post detailing its investigation into the hack, Twitter said that accounts on this admin backend were protected by two-factor authentication (2FA).

It is not known how long it took Clark, but the same Twitter investigation notes that the hacker used "a phone spear phishing attack" to trick some of its employees into handing over their account details and to "get through [Twitter's] two-factor protections." Note that a second factor an employee can read out over the phone or type into an attacker-controlled page (a one-time code) does not stop a real-time social engineering attack; only phishing-resistant factors such as hardware security keys bound to the legitimate origin close that gap.

According to Twitter, this happened on July 15, the day of the hack.

Clark, who went by Kirk#5270 on Discord, did not wait around to be detected. According to Discord chat logs obtained by the FBI, the hacker reached out to two other people in order to monetize this access.

Chat logs included in the court documents show that Clark (Discord user "Kirk#5270") approached two users of the OGUsers Discord channel, a forum dedicated to hackers who buy and sell social media accounts.

In the chat logs, Clark approached the two hackers (Fazeli as Discord user "Rolex#0373" and Sheppard as Discord user "ever so anxious#0001") and claimed to be working at Twitter.

He backed up his claim by changing the settings of an account belonging to Fazeli (Rolex#0373), and also sold Fazeli the Twitter account @foreign.

Clark also sold Sheppard several short Twitter handles, including @xx, @dark, @vampire, @obinna and @drug.

Once Clark had convinced the other two of his access, the three agreed to run ads on the OGUsers forum advertising Clark's ability to hijack Twitter accounts.

As a result of those ads, several other individuals are believed to have bought access to Twitter accounts. In a recorded message posted on YouTube by the U.S. Attorney's Office, investigators said they were still tracking down several other users who took part in the hack.

One of those parties is believed to be responsible for hijacking the verified Twitter accounts of celebrities on July 15 and posting a cryptocurrency scam message.

The message, seen on accounts belonging to Barack Obama, Joe Biden, Bill Gates, Elon Musk, Jeff Bezos, Apple, Uber, Kanye West, Kim Kardashian, Floyd Mayweather, Michael Bloomberg and others, asked users to send Bitcoin to a handful of addresses.

The court documents suggest that the hackers who operated the wallets used in the scam took in 12.83 bitcoin, or roughly $117,000. A subsequent investigation also revealed that the Coinbase cryptocurrency exchange took matters into its own hands on the day of the hack and blocked transactions to the scam addresses, ultimately preventing another $280,000 from being sent to the scammers.

This is the point at which the hack became visible to everyone, including Twitter staff, who intervened to stop verified Twitter accounts from tweeting while they locked Clark out of the network.

Twitter's subsequent investigation found that Clark had interacted with 130 accounts through the admin tool, initiated a password reset on 45 of them, and accessed the direct messages of 36.

A day after the hack, Twitter also filed a formal criminal complaint with the authorities, and the FBI and the Secret Service opened an investigation.

According to the court documents, the FBI used information shared on social media and in press reports to obtain chat logs and account details for the Discord users involved.

Since some of the hackers' ads had been posted on OGUsers, the FBI also used a copy of the OGUsers forum database that had leaked online in April this year, after the forum itself was hacked. That database contained details about registered forum users, such as email addresses and IP addresses, along with private messages.

Authorities, with help from the IRS, also obtained information from Coinbase about the Bitcoin addresses involved in the hack, as well as about addresses the three hackers had used and discussed in the Discord chats and in OGUsers forum messages.

By correlating the information from these three sources, the FBI was able to track down the hackers' identities on all three sites and tie them to email and IP addresses.

For example, the government identified Fazeli after he listed his Discord username on his OGUsers profile page, an operational security (OpSec) mistake.

Fazeli made several other mistakes in hiding his identity. For a start, he used the [email protected] email address to create an account on the OGUsers forum, and the email address [email protected] to hijack the @foreign Twitter account.

He used the same two email addresses to log in to Coinbase accounts, which he then verified with a photo of his driver's license.

Fazeli also used his home internet connection to access his accounts on all three sites, leaving his home IP address in the logs of all three: Discord, Coinbase and OGUsers.

The same goes for Sheppard (ever so anxious#0001), who went by Chaewon on OGUsers. Investigators said they were able to link Sheppard's Discord user to his OGUsers persona through the ad he posted on the site on the day of the hack, and also obtained confirmation from the leaked OGUsers database, where they found that Chaewon had bought a video game username using a Bitcoin address linked to the address used on the day of the Twitter hack.

As in Fazeli's case, Sheppard controlled accounts at Coinbase, where he also used his real driver's license to verify several accounts.
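The correlation step described above, from the three-source pivot (Discord logs, the leaked OGUsers database, Coinbase records) to the specific slips that exposed Fazeli and Sheppard (a Discord handle pasted into a forum profile, reused emails and a home IP, a Bitcoin address spent together with a hack-day address), reduces to one algorithm: treat every identifier in a record as a node, join the identifiers that co-occur in the same record, and read off the connected components. The example below is added here to illustrate that; it is not code from the ZDNet article or from any court filing. Every record, name, handle, email, IP and Bitcoin address in it is constructed and hypothetical (documentation IP ranges, example domains, fake addresses), and the fan-out filter for shared IPs is an assumption about how an analyst would avoid over-linking, not something the article describes.

```python
"""Identity pivoting across constructed Discord, forum-dump and exchange records.

Added example, not from the article or any court document. All data is
hypothetical: documentation IP ranges, example.* email domains, fake BTC addresses.
"""
import re
from collections import defaultdict

# Constructed Discord records: handle, registration email, login IPs.
# 192.0.2.99 plays a shared VPN egress that several unrelated users sit behind.
DISCORD = [
    {"handle": "watchguy#0373", "email": "wg@example.net", "ips": ["203.0.113.7", "192.0.2.99"]},
    {"handle": "nervous#0001", "email": "nv@example.org", "ips": ["198.51.100.22"]},
    {"handle": "bystander#4444", "email": "by@example.com", "ips": ["192.0.2.99"]},
]
# Constructed forum dump: username, email, last IP, free-text profile, and an
# optional Bitcoin address the member paid from when buying a username.
FORUM = [
    {"user": "RolexTrader", "email": "wg@example.net", "ip": "203.0.113.7",
     "profile": "Discord: watchguy#0373"},                 # handle-in-profile OpSec slip
    {"user": "Chae", "email": "chae@example.org", "ip": "198.51.100.5",
     "profile": "", "btc": "bc1qchaefake0001"},
    {"user": "RandomUser", "email": "rnd@example.com", "ip": "192.0.2.99", "profile": ""},
]
# Constructed exchange records: account email, login IP, verified KYC name, deposit addresses.
EXCHANGE = [
    {"email": "wg@example.net", "ip": "203.0.113.7", "kyc_name": "Person A", "btc": ["bc1qwatchfake0373"]},
    {"email": "nv@example.org", "ip": "198.51.100.22", "kyc_name": "Person B", "btc": ["bc1qscamfake0715"]},
]
# Constructed on-chain link: two addresses spent as inputs of the same transaction.
COSPENDS = [("bc1qscamfake0715", "bc1qchaefake0001")]

HANDLE_RE = re.compile(r"discord\s*[:=]\s*([^#\s][^#]{0,31}#\d{4})", re.I)


def parse_discord_handle(profile_text):
    """Return a Discord handle pasted into a profile field (after a 'Discord:' label), or None."""
    m = HANDLE_RE.search(profile_text)
    return m.group(1).strip() if m else None


def identifier_sets():
    """Normalise every record into a set of typed identifiers (kind, value)."""
    sets = []
    for r in DISCORD:
        sets.append({("discord", r["handle"]), ("email", r["email"])} | {("ip", ip) for ip in r["ips"]})
    for r in FORUM:
        ids = {("forum", r["user"]), ("email", r["email"]), ("ip", r["ip"])}
        handle = parse_discord_handle(r["profile"])
        if handle:
            ids.add(("discord", handle))
        if r.get("btc"):
            ids.add(("btc", r["btc"]))
        sets.append(ids)
    for r in EXCHANGE:
        sets.append({("email", r["email"]), ("ip", r["ip"]), ("kyc", r["kyc_name"])} | {("btc", a) for a in r["btc"]})
    for a, b in COSPENDS:
        sets.append({("btc", a), ("btc", b)})
    return sets


def noisy_ips(sets, max_fanout):
    """IPs tied to more than max_fanout distinct emails are shared NAT/VPN egress, not a person."""
    emails_per_ip = defaultdict(set)
    for ids in sets:
        emails = {v for k, v in ids if k == "email"}
        for k, v in ids:
            if k == "ip":
                emails_per_ip[v] |= emails
    return {ip for ip, emails in emails_per_ip.items() if len(emails) > max_fanout}


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def link(sets, max_fanout=2):
    """Union identifiers that co-occur in a record, dropping noisy IPs; returns root -> members."""
    noisy = noisy_ips(sets, max_fanout)
    uf = UnionFind()
    for ids in sets:
        kept = [i for i in ids if not (i[0] == "ip" and i[1] in noisy)]
        for i in kept:
            uf.union(kept[0], i)
    clusters = defaultdict(set)
    for i in list(uf.parent):
        clusters[uf.find(i)].add(i)
    return clusters


def cluster_of(identifier, max_fanout=2):
    """Every identifier reachable from a starting point such as a Discord handle."""
    for members in link(identifier_sets(), max_fanout).values():
        if identifier in members:
            return members
    return set()


def kyc_names_for(identifier, max_fanout=2):
    """Verified real names found in the cluster that contains the identifier."""
    return sorted(v for k, v in cluster_of(identifier, max_fanout) if k == "kyc")
```

Starting from the Discord handle, `kyc_names_for(("discord", "watchguy#0373"))` walks handle, profile text, forum email and home IP to the exchange account and returns the KYC name, mirroring the Fazeli chain; `kyc_names_for(("forum", "Chae"))` reaches the other KYC name only through the co-spend edge, mirroring the Bitcoin link that confirmed Chaewon. The fan-out filter matters: with it disabled (`max_fanout=99`) the shared VPN IP pulls `bystander#4444` and `RandomUser` into the first cluster, which is exactly the false attribution an analyst has to guard against when an IP belongs to a carrier NAT, a VPN or a Tor exit rather than a home line.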

Authorities have not publicly linked Clark directly to the Discord user Kirk#5270, but the details shared today by U.S. government sources suggest that they are one and the same.

First, Hillsborough State Attorney Andrew Warren said that the 17-year-old from Tampa (Clark) arrested today was the "mastermind" of the entire hack, which is the role Kirk#5270 played in the scheme.

Second, in a press release from the Northern District of California, the government said it had referred the third hacker, the youngest, to the 13th Judicial District (Hillsborough County) in Tampa, Florida.

Florida itself announced the hacker's arrest today and revealed his real name as Graham Ivan Clark.
