Court records made public by U.S. authorities last week following the announcement of charges against three persons allegedly involved in the latest Twitter attack showed how investigators found some of the hackers.
News of the charges came shortly after Twitter announced that by using phone spear-phishing, the attackers obtained access to its internal networks and resources, which they then used to take control of dozens of high-profile accounts. The hackers attacked 130 accounts but only 45 of them reset the passwords, many of which were used to post tweets that were part of a bitcoin scam.
On Friday, the U.S. Department of Justice revealed that it had charged Nima Fazeli (aka Rolex, Rolex#0373, and Nim F) of Orlando, Florida, 19-year-old Mason John Sheppard (aka Chaewon and “ever so anxious#001”) of the United Kingdom, and Graham Ivan Clark (aka Kirk#5270), 17-year-old, of Tampa, Florida.
Clark is considered to be the operation’s mastermind — he’s the one who supposedly hacked into Twitter’s networks. It’s claimed that Fazeli and Sheppard helped him sell access to Twitter accounts.
A user with the online moniker Kirk#5270 on the chat service Discord claimed to be working for Twitter, and offered access to any user account, according to court documents. That’s how he met Rolex and Chaewon, who helped him sell access to Twitter accounts, including the OGUsers.com hacking platform that’s specialized in social media trading and other online accounts.
In Fazeli ‘s case, the FBI found information about its OGUsers account in a database that was leaked earlier this year after a breach of the hacker website. Investigators noticed an email address given on Discord by Rolex to Kirk was the same as one posted on OGUsers by the user Rolex for PayPal payments.
The FBI has reached out to cryptocurrency exchange Coinbase for details on a mutual bitcoin address on the OGUsers forum hosted by Rolex. Coinbase records showed that the address received funds from a user named Nim F, who was registered with an email address that was also used to register on OGUsers for the Rolex account.
The user had to provide an ID for verification to register the Nim F account on Coinbase, and they gave a driver’s license with the name Nima Fazeli.
One of Fazeli ‘s registered Coinbase accounts had made approximately 1,900 transactions totaling approximately 21 bitcoins ($230,000 worth).
The investigation found that Fazeli apparently used the same IP addresses to access the Discord and Coinbase accounts which pointed to Florida locations.
He used the online monikers Chaewon and Mas on OGUsers and “ever so anxious#0001” on Discord in the case of Sheppard, who also reportedly helped Clark sell access to Twitter accounts,
An analysis of the leaked records of OGUser led to the discovery of an email address that was also linked to a Coinbase account. Information obtained from Coinbase showed that the account belonged to one Mason Sheppard, an account which was verified using a driver’s license in the United Kingdom ‘s name Mason John Sheppard. The driver’s license listed the address and date of Sheppard ‘s birth.
Court records, which describe Clark as “Juvenile 1,” state the suspect agreed to an interview after a search warrant was served and confessed to being Kirk#5270 and selling access to Twitter accounts illegally. Clark also reportedly told police he had worked with Chaewon whom he knew was called Mason, from the UK.
While it’s unclear exactly what led investigators to Clark, it wouldn’t be surprising to learn that they also made the connection, at least in part, through studying cryptocurrency accounts and the email addresses he used on different web sites. Court documents revealed that Clark and Sheppard had been discussing turning in following the Twitter hack, as Clark told investigators during the interview.
A judge on Saturday set a bail for Clark at $725,000. He’s apparently admitted to having bitcoin worth over $3 million, but his lawyer claimed it wasn’t illegally obtained.
David Anderson, U.S. attorney for California’s Northern District, said Sheppard faces 45 years in prison for the charges brought against him, while Fazeli faces a statutory maximum term of 5 years in prison.