U.S. law enforcement today indicted three suspects in connection with the Twitter attack in the middle of last month. Drawing on court documents disclosed by the U.S. Department of Justice, media outlet ZDNet pieced together a timeline of the attack and of how U.S. investigators tracked down the three hackers.
According to three indictments filed today by the U.S. Department of Justice, the three suspects in the case are:
Mason Sheppard: online name Chaewon, 19, from Bognor Regis, UK
Nima Fazeli: online name Rolex, 22, from Orlando, Florida, USA
Graham Ivan Clark: online name Kirk, 17, from Tampa, Florida, USA
According to court documents, the entire hack began on May 3, when Graham Ivan Clark, who was living in California, gained access to parts of Twitter's network. It is not clear what happened between May 3 and July 15, the day the hackers actually launched the attack, but Clark does not appear to have taken immediate action after gaining access.
According to the New York Times, Clark initially gained access to one of Twitter’s internal Slack workspaces, not Twitter itself. The New York Times reported that the hacker discovered that credentials for one of Twitter’s technical support tools were pinned to a company Slack channel.
The tool, images of which went viral on the day of the hack, allows Twitter employees to control all aspects of a Twitter account. But the tool’s credentials alone were not enough to access Twitter’s backend, which is protected by two-factor authentication (2FA), according to Twitter’s official blog.
It’s unclear how much time Clark spent on this, but the same report said the hackers used “phone spear phishing attacks” to deceive some employees and gain access to their accounts, getting “through the two-factor protection of Twitter.” According to Twitter, this happened on July 15, the day of the hack.
After the attack, the FBI discovered that Clark’s online name on Discord was “Kirk#5270.” At the time, he contacted two other people to help convert the stolen bitcoins into cash.
Chats included in court documents show that Clark (Discord user “Kirk#5270”) contacted two other users on the Discord channel of OGUsers, a forum where hackers buy and sell social media accounts.
In the chat, Clark approached two other hackers (Fazeli, Discord user “Rolex#037”, and Sheppard, Discord user “Ever so anxious#0001”) and claimed to work at Twitter.
He proved his claim by modifying the settings of an account owned by Fazeli (Rolex#037) and sold Fazeli access to the @foreign Twitter account.
In addition, Clark sold Sheppard access to several Twitter accounts with short handles, including @xx, @dark, @vampire, @obinna and @drug.
Once Clark had convinced the other two of his level of access, the trio reached an agreement to advertise Clark’s ability to hijack Twitter accounts on the OGUsers forum.
After the ads were posted, several people are believed to have purchased access to Twitter accounts. In a recording posted on YouTube by the U.S. Attorney’s Office, investigators said they were still investigating several users involved in the hack.
One of those buyers is believed to have been responsible for purchasing access to verified celebrity Twitter accounts on July 15 and posting a cryptocurrency scam.
The accounts of Barack Obama, Joe Biden, Bill Gates, Elon Musk, Jeff Bezos, Apple, Uber, Kanye West, Kim Kardashian, Floyd Mayweather, Michael Bloomberg and others were later found to have posted messages asking users to send bitcoin to several addresses.
The hackers who operated the wallets used in the scam received 12.83 bitcoins, or about $117,000, court documents said. Subsequent investigations also revealed that Coinbase, the cryptocurrency exchange, blocked transactions to the fraudulent addresses on the day of the hack, eventually preventing another $280,000 from being sent to the fraudsters.