Bitcoin payments and IP addresses led investigators to two of the alleged perpetrators in just over two weeks.
On July 15, a Discord user with the handle Kirk#5270 made an enticing proposition. “I work for Twitter,” they said, according to court documents released Friday. “I can claim any name, let me know if you’re trying to work.” It was the beginning of what would, a few hours later, turn into the biggest known Twitter hack of all time. A little over two weeks later, three individuals have been charged in connection with the heists of accounts belonging to Bill Gates, Elon Musk, Barack Obama, Apple, and more—along with nearly $120,000 in bitcoin.
Friday afternoon, after an investigation that included the FBI, IRS, and Secret Service, the Department of Justice charged UK resident Mason Sheppard and Nima Fazeli, of Orlando, Florida in connection with the Twitter hack. A 17-year-old, Graham Ivan Clark, was charged separately with 30 felonies in Hillsborough County, Florida, including 17 counts of communications fraud. Together, the criminal complaints filed in the cases offer a detailed portrait of the day everything went haywire—and how poorly the alleged attackers covered their tracks. All three are currently in custody.
Despite his claims on the morning of July 15, Kirk#5270 was not a Twitter employee. He did, however, have access to Twitter’s internal administrative tools, which he showed off by sharing screenshots of accounts like “@bumblebee,” “@sc,” “@vague,” and “@R9.” (Short handles are a popular target among certain hacking communities.) Another Discord user who went by “ever so anxious#0001” soon began lining up buyers; Kirk#5270 shared the address of a Bitcoin wallet where proceeds could be directed. Offers included $5,000 for “@xx,” which would later be compromised.
That same morning, someone going by “Chaewon” on the forum OGUsers started advertising access to any Twitter account. In a post titled “Pulling email for any Twitter/Taking Requests,” Chaewon listed prices as $250 to change the email address associated with any account, and up to $3,000 for account access. The post directs users to “ever so anxious#0001” on Discord; over the course of seven hours, starting at around 7:16 am ET, the “ever so anxious#0001” account discussed the takeover of at least 50 user names with Kirk#5270, according to court documents. In that same Discord chat, “ever so anxious#0001” said his OGUsers handle was Chaewon, suggesting the two were the same individual.
Kirk#5270 allegedly received similar help from a Discord user going by Rolex#0373, although that person was skeptical at first. “Just sounds too good to be true,” he wrote, according to chat transcripts investigators obtained via warrant. Later, to help back up his claim, Kirk#5270 appears to have changed the email address tied to the Twitter account @foreign to an email address belonging to Rolex#0373. Like Chaewon, Rolex#0373 then agreed to help broker deals on OGUsers—where his user name was Rolex—with prices starting at $2,500 for especially sought-after account names. In exchange, Rolex got to keep @foreign for himself.
By around 2 pm ET on July 15, at least 10 Twitter accounts had been stolen, according to the criminal complaints, but the hackers still seemed focused on short or desirable handles like @drug and @xx and @vampire, rather than celebrities and tech moguls. And the takeovers were an end unto themselves, rather than in service of a cryptocurrency scam. The deals brokered by Chaewon netted Kirk#5270 around $33,000 in bitcoin, according to the criminal complaint; Chaewon took in another $7,000 for his role as intermediary.
The FBI believes that Rolex is Fazeli, and it charged him with one count of aiding and abetting the intentional access of a protected computer. It believes Sheppard is Chaewon, who is charged with conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer.
The criminal complaints against Sheppard and Fazeli leave off here. Neither complaint identifies the individual behind Kirk#5270 or explicitly links that account to a named individual. But court documents in Clark’s case allege that it was the 17-year-old who had gained access to Twitter’s systems, and who went on to take over the high-profile accounts in service of a bitcoin scam. The Justice Department has referred the case to the Hillsborough State Attorney’s Office, which is prosecuting Clark, according to the office’s website, “because Florida law allows minors to be charged as adults in financial fraud cases such as this when appropriate.”
“He gained access to Twitter accounts and to the internal controls of Twitter through compromising a Twitter employee,” Hillsborough state attorney Andrew Warren said in a videoconference Friday. “He sold access to those accounts. He then used the identities of prominent people to solicit money in the form of bitcoin, promising in return that he would send back twice as much bitcoin.”
Court documents show approximately 415 payments to the bitcoin wallet associated with the scam, totaling the equivalent of around $177,000.
As Twitter confirmed last week, 130 accounts were targeted in all. Attackers successfully tweeted from 45 of the accounts, accessed the direct messages of 36, and downloaded the Twitter data of seven. On Thursday evening, Twitter disclosed that attackers got in through social engineering, specifically a phone spear-phishing attack that targeted company employees. Court documents don’t provide much more detail than that and only allege that Clark’s actions date back to around May 3.
It’s also not entirely clear how investigators identified Clark, but the trail that led the FBI to Sheppard and Fazeli has much bigger bread crumbs. On April 2, the administrator of OGUsers announced that the forum had been hacked; a few days later, court documents say, a rival hacking gang put out a download link to a database of user information.
It turned out to be quite a trove, full of not just usernames and public postings but private messages between users, IP addresses, and email addresses. The FBI says it acquired a copy of the database on April 9.
The work appears to have been quick from there. In Chaewon’s private messages on OGUsers, investigators say they found an exchange in February where Chaewon was instructed to pay for a videogame by sending bitcoin to a particular address. Activity on that wallet the next day was traced to a cluster of bitcoin addresses that, months later, would be used by “ever so anxious#0001” in his interactions with Kirk#5270. Investigators also used the database to connect Chaewon’s account to another OGUsers handle, Mas. Both accounts signed on to the forums from the same IP address on the same day, according to the database leak; agents also found that multiple times between February 11 and 15 of this year, Chaewon posted “IT IS MAS I AM MAS NOT BRY I AM MAS MAS MAS!@,” which combined suggest that Chaewon and Mas are owned by the same individual.
The Mas account was associated with the email account email@example.com, investigators say, which was linked to a Coinbase account tied to Mason Sheppard. The bitcoin addresses associated with Chaewon had also processed numerous exchanges on the cryptocurrency exchange Binance, whose records also tied those accounts with Sheppard. Finally, court documents say that an unnamed juvenile who had allegedly assisted in the scheme told investigators that they knew Chaewon by the name Mason.
Investigators rely on bitcoin and IP addresses to link Rolex#0373 to Fazeli as well, particularly one October 30, 2018, exchange that was referenced on the OGUsers forums. The Coinbase account involved in that transaction allegedly belonged to “Nim F,” under the email address “firstname.lastname@example.org,” the same used to register the Rolex account on OGUsers. The Coinbase account had allegedly been verified with a Florida driver’s license in the name of Nima Fazeli, complete with the driver’s license number. Over time, court documents say, Fazeli would use his real driver’s license to register three separate Coinbase accounts, the third of which was frequently visited from the same IP address as the Rolex#0373 Discord account and Rolex account on OGUsers.
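The two pivots the complaints describe, linking forum handles that logged in from the same IP on the same day and grouping bitcoin addresses into a wallet cluster before matching a member against exchange KYC records, are standard entity-resolution steps. The script below is an added illustration, not code from the article, the FBI, or the court filings; every handle, email, IP, address and transaction in it is constructed, and the address grouping uses the common-input-ownership heuristic (addresses spent together as inputs of one transaction are assumed to share an owner). The heuristic is defeated by CoinJoin-style mixing, and a shared IP on a carrier NAT or VPN proves little on its own, which is why the complaints stack several independent links rather than relying on one.

```python
"""Attribution pivots of the kind described above, on constructed data:
shared-IP/same-day forum logins plus bitcoin address clustering."""
from collections import defaultdict
from itertools import combinations

# Constructed rows in the shape of a leaked forum login table (invented data).
FORUM_LOGINS = [
    {"handle": "alpha", "email": "alpha@example.invalid", "ip": "203.0.113.7",  "date": "2020-02-11"},
    {"handle": "beta",  "email": "beta@example.invalid",  "ip": "203.0.113.7",  "date": "2020-02-11"},
    {"handle": "gamma", "email": "gamma@example.invalid", "ip": "198.51.100.4", "date": "2020-02-11"},
    {"handle": "gamma", "email": "gamma@example.invalid", "ip": "203.0.113.7",  "date": "2020-02-12"},
]

# Constructed transactions: input addresses spent together, and the outputs paid.
TRANSACTIONS = [
    {"txid": "t1", "inputs": ["A1", "A2"], "outputs": ["M1"]},  # A1 and A2 co-spent
    {"txid": "t2", "inputs": ["A2", "A3"], "outputs": ["M2"]},  # A3 joins the cluster
    {"txid": "t3", "inputs": ["B1"],       "outputs": ["A4"]},  # a payment in, not a link
    {"txid": "t4", "inputs": ["A4", "A1"], "outputs": ["X9"]},  # A4 co-spent with A1
]

# Constructed records standing in for a hypothetical exchange's KYC response.
EXCHANGE_ACCOUNTS = [
    {"email": "alpha@example.invalid", "name": "Person A", "deposit_addrs": ["A1"]},
    {"email": "beta@example.invalid",  "name": "Person B", "deposit_addrs": ["B1"]},
]


def shared_ip_links(rows):
    """Pairs of distinct handles seen logging in from the same IP on the same day."""
    by_key = defaultdict(set)
    for r in rows:
        by_key[(r["ip"], r["date"])].add(r["handle"])
    links = set()
    for handles in by_key.values():
        for a, b in combinations(sorted(handles), 2):
            links.add((a, b))
    return sorted(links)


class _UnionFind:
    """Minimal disjoint-set structure used to merge co-spent addresses."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Common-input-ownership heuristic: all inputs of one transaction are assumed
    to belong to one wallet. Outputs are deliberately not merged (payee or change).
    Returns a map from each input address to the frozenset of its cluster."""
    uf = _UnionFind()
    for tx in txs:
        first = tx["inputs"][0]
        uf.find(first)  # register singletons too
        for other in tx["inputs"][1:]:
            uf.union(first, other)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return {addr: frozenset(members) for members in groups.values() for addr in members}


def attribute(target_addr, txs, logins, accounts):
    """Pivot from one address seen in a suspect's chats to candidate identities:
    expand it to its cluster, match any member to an exchange deposit address,
    then fan out through the exchange email to forum handles and their
    same-day shared-IP neighbours."""
    cluster = cluster_addresses(txs).get(target_addr, frozenset({target_addr}))
    ip_links = shared_ip_links(logins)
    hits = []
    for acct in accounts:
        if not cluster & set(acct["deposit_addrs"]):
            continue
        handles = {r["handle"] for r in logins if r["email"] == acct["email"]}
        linked = set()
        for a, b in ip_links:
            if a in handles:
                linked.add(b)
            if b in handles:
                linked.add(a)
        hits.append({"name": acct["name"], "handles": sorted(handles),
                     "shared_ip_handles": sorted(linked)})
    return hits


if __name__ == "__main__":
    print(attribute("A3", TRANSACTIONS, FORUM_LOGINS, EXCHANGE_ACCOUNTS))
```

Starting from `A3`, an address that never touched the exchange directly, the cluster walk reaches `A1`, the exchange record names Person A, and the login table adds `beta` as a same-day shared-IP neighbour; starting from a payment output such as `M1` yields nothing, because receiving coins says nothing about who controls the address.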
“We appreciate the swift actions of law enforcement in this investigation and will continue to cooperate as the case progresses,” Twitter said in a tweeted statement. The FBI’s San Francisco Office released a statement Friday indicating that the investigation was still ongoing.
While the Twitter hack garnered major headlines, the social engineering attack at the heart of it is nothing new. “In terms of the MO of breaking into companies and then using the employee tools to perpetuate fraud, that is just another day for these guys,” says Allison Nixon, chief research officer with cybersecurity firm Unit 221B, which assisted the FBI in the investigation. “This exact same MO was used against telcos for years prior to this.”
Generally, the sort of social engineering used in the Twitter hack avoids legal scrutiny, Nixon says, because it’s considered a low level of attack. That’s obviously no longer the case when your hit list includes a former president and the two wealthiest men in the world. It’s also unclear how effective a deterrent these arrests will prove to be in the long run, given how entrenched this particular hacking community has become. If anything, the details in the criminal complaints may instruct future attacks.
“Every single cycle of this teaches them to be better,” says Nixon, “because they get to see the evidence against them, and how they get caught.”