Security Experts:

How the FBI Identified Twitter Hackers

Bitcoin Transactions Led FBI to Twitter Hackers

Court documents made public last week by U.S. authorities following the announcement of charges against three individuals allegedly involved in the recent Twitter attack revealed how some of the hackers were identified by investigators.

News of the charges came shortly after Twitter revealed that the attackers gained access to its internal systems and tools, which they later used to take control of tens of high-profile accounts, by using phone spear-phishing. The hackers targeted 130 accounts, but reset the passwords for only 45 of them, many of which were used to post tweets that were part of a bitcoin scam.

The U.S. Department of Justice announced on Friday that it charged 22-year-old Nima Fazeli (aka Rolex, Rolex#0373, and Nim F) of Orlando, Florida, 19-year-old Mason John Sheppard (aka Chaewon and “ever so anxious#001”) of the United Kingdom, and 17-year-old Graham Ivan Clark (aka Kirk#5270), of Tampa, Florida.

Clark is believed to be the mastermind of the operation — he is the one who allegedly broke into Twitter’s systems. Fazeli and Sheppard are believed to have helped him sell access to Twitter accounts.

According to court documents, a user with the online moniker Kirk#5270 on the chat service Discord claimed to work for Twitter and offered to provide access to any user account. That is how he met Rolex and Chaewon, who helped him sell access to Twitter accounts, including on the hacking forum, which specializes in the trading of social media and other online accounts.

Chat between Twitter hackers

In the case of Fazeli, the FBI found information on his OGUsers account in a database that was leaked earlier this year after the hacker website was breached. Investigators noticed that an email address provided by Rolex to Kirk on Discord was the same as one shared by the user Rolex for PayPal payments on OGUsers.

The FBI reached out to cryptocurrency exchange Coinbase to obtain information on a bitcoin address shared by Rolex on the OGUsers forum. Coinbase records showed that the address received funds from a user named Nim F, which had been registered with an email address that was also used to register the Rolex account on OGUsers.

In order to register the Nim F account on Coinbase, the user had to provide an ID for verification, and they provided a driver’s license with the name Nima Fazeli.

One of the Coinbase accounts registered by Fazeli had made roughly 1,900 transactions totaling approximately 21 bitcoin (worth $230,000).

The investigation showed that Fazeli apparently accessed the Discord and Coinbase accounts using the same IP addresses, which pointed to locations in Florida.

In the case of Sheppard, who also allegedly helped Clark sell access to Twitter accounts, he used the online monikers Chaewon and Mas on OGUsers and “ever so anxious#0001” on Discord.

An analysis of the leaked OGUser records led to the discovery of an email address that was also associated with a Coinbase account. Information obtained from Coinbase showed that the account belonged to one Mason Sheppard, an account that had been verified using a driver’s license in the name Mason John Sheppard from the United Kingdom. The driver’s license listed Sheppard’s address and date of birth.

Court documents, which identify Clark as “Juvenile 1,” say the suspect agreed to an interview after the execution of a search warrant and admitted being Kirk#5270 and illegally selling access to Twitter accounts. Clark also allegedly told investigators that he had worked with Chaewon whom he knew was someone from the UK named Mason.

While it’s unclear exactly what led investigators to Clark, it would not be surprising to learn that they also made the connection, at least partly, through the analysis of cryptocurrency accounts and the email addresses he used on various websites. Court documents revealed that Clark and Sheppard discussed turning themselves in following the Twitter hack, according to what Clark told investigators during the interview.

A judge set Clark’s bail at $725,000 on Saturday. He has apparently admitted having over $3 million worth of bitcoin, but his lawyer claimed that it was not obtained illegally.

David Anderson, U.S. Attorney for the Northern District of California, said Sheppard faces 45 years in prison for the charges brought against him, while Fazeli faces a statutory maximum penalty of 5 years in prison.

Related: Twitter Says Hackers Accessed DM Inboxes in Recent Attack

Related: Twitter Says Hackers Accessed Dutch Politician's Inbox

Related: Hackers Accessed, Downloaded Twitter User Data in Recent Attack

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.