{"id":5200,"date":"2020-07-18T04:08:55","date_gmt":"2020-07-18T04:08:55","guid":{"rendered":"https:\/\/aviancetechnologies.com\/blog\/blog\/hackers-tell-the-story-of-the-twitter-attack-from-the-inside\/"},"modified":"2020-07-18T07:44:13","modified_gmt":"2020-07-18T07:44:13","slug":"hackers-tell-the-story-of-the-twitter-attack-from-the-inside","status":"publish","type":"post","link":"https:\/\/aviancetechnologies.com\/blog\/hackers-tell-the-story-of-the-twitter-attack-from-the-inside\/","title":{"rendered":"Hackers Tell the Story of the Twitter Attack From the Inside"},"content":{"rendered":"

[responsivevoice_button rate=”1\u2033 pitch=”1.2\u2033 volume=”0.8\u2033 voice=”US English Female” buttontext=”Story in Audio”]<\/p>\n

Hackers Tell the Story of the Twitter Attack From the Inside<\/h2>\n

 <\/p>\n

\n
\n

OAKLAND, Calif. \u2014 A Twitter hacking scheme that targeted political, corporate and cultural elites this week began with a teasing message between two hackers late Tuesday on the online messaging platform Discord.<\/p>\n

\u201cyoo bro,\u201d wrote a user named \u201cKirk,\u201d according to a screenshot of the conversation shared with The New York Times. \u201ci work at twitter \/ don\u2019t show this to anyone \/ seriously.\u201d<\/p>\n

He then demonstrated that he could take control of valuable Twitter accounts \u2014 the sort of thing that would require insider access to the company\u2019s computer network.<\/p>\n

The hacker who received the message, using the screen name \u201clol,\u201d decided over the next 24 hours that Kirk did not actually work for Twitter because he was too willing to damage the company. But Kirk did have access to Twitter\u2019s most sensitive tools, which allowed him to take control of almost any Twitter account, including those of former President Barack Obama, Joseph R. Biden Jr., Elon Musk and many other celebrities.<\/p>\n<\/div>\n<\/div>\n

\n
\n

Despite global attention on the intrusion, which has shaken confidence in Twitter and the security provided by other technology companies, the basic details of who were responsible, and how they did it, have been a mystery. Officials are still in the early stages of their investigation.<\/a><\/p>\n

But four people who participated in the scheme spoke with The Times and shared numerous logs and screen shots of the conversations they had on Tuesday and Wednesday, demonstrating their involvement both before and after the hack became public.<\/p>\n

The interviews indicate that the attack was not the work of a single country like Russia or a sophisticated group of hackers. Instead, it was done by a group of young people \u2014 one of whom says he lives at home with his mother \u2014 who got to know one another because of their obsession with owning early or unusual screen names, particularly one letter or number, like @y or @6.<\/p>\n

The Times verified that the four people were connected to the hack by matching their social media and cryptocurrency accounts to accounts that were involved with the events on Wednesday. They also presented corroborating evidence of their involvement, like the logs from their conversations on Discord, a messaging platform popular with gamers and hackers, and Twitter.<\/p>\n

Playing a central role in the attack was Kirk, who was taking money in and out of the same Bitcoin address as the day went on, according to an analysis of the Bitcoin transactions by The Times, with assistance from the research firm Chainalysis.<\/p>\n<\/div>\n<\/div>\n

\n
\n

But the identity of Kirk, his motivation and whether he shared his access to Twitter with anyone else remain a mystery even to the people who worked with him. It is still unclear how much Kirk used his access to the accounts of people like Mr. Biden and Mr. Musk to gain more privileged information, like their private conversations on Twitter.<\/p>\n

The hacker \u201clol\u201d and another one he worked with, who went by the screen name \u201cever so anxious,\u201d told The Times that they wanted to talk about their work with Kirk in order to prove that they had only facilitated the purchases and takeovers of lesser-known Twitter addresses early in the day. They said they had not continued to work with Kirk once he began more high-profile attacks around 3:30 p.m. Eastern time on Wednesday.<\/p>\n

\u201cI just wanted to tell you my story because i think you might be able to clear some thing up about me and ever so anxious,\u201d \u201clol\u201d said in a chat on Discord, where he shared all the logs of his conversation with Kirk and proved his ownership of the cryptocurrency accounts he used to transact with Kirk.<\/p>\n

\u201clol\u201d did not confirm his real-world identity, but said he lived on the West Coast and was in his 20s. \u201cever so anxious\u201d said he was 19 and lived in the south of England with his mother.<\/p>\n

Investigators looking into the attacks said several of the details given by the hackers lined up with what they have learned so far, including Kirk\u2019s involvement both in the big hacks later in the day and the lower-profile attacks early on Wednesday.<\/p>\n

The Times was initially put in touch with the hackers by a security researcher in California, Haseeb Awan, who was communicating with them because, he said, a number of them had previously targeted him and a Bitcoin-related company he once owned. They also unsuccessfully targeted his current company, Efani, a secure phone provider.<\/a><\/p>\n

The user known as Kirk did not have much of a reputation in hacker circles before Wednesday. His profile on Discord had been created only on July 7.<\/p>\n<\/div>\n<\/div>\n

\n
\n

But \u201clol\u201d and \u201cever so anxious\u201d were well known on the website OGusers.com, where hackers have met for years to buy and sell valuable social media screen names, security experts said.<\/p>\n

For online gamers, Twitter users and hackers, so-called O.G. user names \u2014 usually a short word or even a number \u2014 are hotly desired. These eye-catching handles are often snapped up by early adopters of a new online platform, the \u201coriginal gangsters\u201d of a fresh app.<\/p>\n

Users who arrive on the platform later often crave the credibility of an O.G. user name, and will pay thousands of dollars to hackers who steal them from their original owners.<\/p>\n

\n
\n
A conversation between \u201cever so anxious\u201d and Kirk regarding Twitter accounts for sale. A cryptocurrency account address has been redacted from the screenshot.<\/span><\/figcaption><\/figure>\n<\/div>\n<\/div>\n

Kirk connected with \u201clol\u201d late Tuesday and then \u201cever so anxious\u201d on Discord early on Wednesday, and asked if they wanted to be his middlemen, selling Twitter accounts to the online underworld where they were known. They would take a cut from each transaction.<\/p>\n

In one of the first transactions, \u201clol\u201d brokered a deal for someone who was willing to pay $1,500, in Bitcoin, for the Twitter user name @y. The money went to the same Bitcoin wallet that Kirk used later in the day when he got payments from hacking the Twitter accounts of celebrities, the public ledger of Bitcoin transactions shows.<\/p>\n

The group posted an ad on OGusers.com, offering Twitter handles in exchange for Bitcoin. \u201cever so anxious\u201d took the screen name @anxious, which he had long coveted. (His personalized details still sit atop the suspended account.)<\/p>\n<\/div>\n