Following the recent hijacking of numerous high-profile Twitter accounts, security experts have begun attempting to track down the hackers behind the attack, with some believing they may have an idea who was responsible.
Cybercrime journalist Brian Krebs recently published an article on his popular cybersecurity blog KrebsOnSecurity in which he attempts to track down the hackers behind the recent major security breach of Twitter and the hijacking of multiple high-profile user accounts, which were used to execute a Bitcoin scam that some estimate generated over $100,000.
The accounts hijacked include those of Democratic presidential candidate Joe Biden, former President Barack Obama, Tesla CEO Elon Musk, Microsoft founder Bill Gates, Amazon CEO Jeff Bezos, and the official accounts of ridesharing service Uber and tech giant Apple.
In his article, Krebs notes that an analysis of the Bitcoin wallet promoted by the hackers on the hacked Twitter accounts shows that in the past 24 hours, the account has processed 383 transactions and received almost 13 Bitcoin, which amounts to approximately $117,000.
Krebs alleges that the attack appears to have been perpetrated by hackers who specialize in hijacking accounts using a method called “SIM swapping,” which involves bribing, hacking, or coercing employees at mobile phone and social media companies into providing the hackers with access to a target’s account. This method wasn’t used in this week’s Twitter hack, but Krebs is focusing on the community that has built up around the method.
Krebs claims that in a post on a forum dedicated to account hijacking called OGusers, a user named “Chaewon” advertised a service changing the email address tied to any Twitter account for $250. Direct access could be provided to the accounts for between $2,000 and $3,000, claimed Chaewon.
Chaewon wrote in the sales thread: “This is NOT a method, you will be given a full refund if for any reason you aren’t given the email/@, however, if it is revered/suspended I will not be held accountable.”
Shortly before major accounts were hijacked, the Twitter account @6, formerly belonging to Adrian Lamo, the now-deceased “homeless hacker” who made waves in the hacking community when he broke into the New York Times’ network and famously reported Chelsea Manning’s theft of classified documents, was accessed. The account now belongs to Lamo’s longtime friend, a security researcher who goes by the Twitter nickname “Lucky225.”
Lucky225 told Krebs that he received a two-factor authentication security code to his phone as hackers attempted to change the email address associated with his account. “The way the attack worked was that within Twitter’s admin tools, apparently you can update the email address of any Twitter user, and it does this without sending any kind of notification to the user,” Lucky told Krebs. “So [the attackers] could avoid detection by updating the email address on the account first, and then turning off 2FA.”
Around the same time that Lucky’s account was accessed, a Twitter account named @Shinji began tweeting photos of Twitter’s internal administrator tools and was quickly terminated by Twitter, but not before tweeting “Follow @6,” Lucky’s account, which hackers had attempted to access.
The @Shinji account appeared to claim ownership of two other accounts on Instagram, “@Joe” and “@dead”. A source working at one of the largest U.S.-based mobile carriers told Krebs that the accounts belong to a notorious SIM swapper nicknamed “PlugWalkJoe” who has been tracked by investigators for some time as he is believed to have been involved in multiple SIM swapping attacks over the years.
Krebs investigated PlugWalkJoe and believes that he is a participant in a group of SIM swappers called the “ChucklingSquad” who were believed to be behind the hijacking of Twitter CEO Jack Dorsey’s account in 2019. According to the mobile industry source that spoke to Krebs, PlugWalkJoe is a 21-year-old from Liverpool, U.K. The source alleged that the British man was in Spain attending university until earlier this year and added that he has been unable to return home due to travel restrictions during the pandemic.
The former student is reportedly the subject of an investigation in which a female investigator was hired to start a conversation with him and convince him to engage in a video chat. The source explained that a video recorded by investigators shows a swimming pool in the background, the same pool that can be seen on the man’s Instagram account. It appears that PlugWalkJoe may have fallen victim to a social engineering trick, the same type of trick used to gain access to Twitter’s internal tools this week.
Read more at KrebsOnSecurity here.
Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship.