by Paul Ducklin
You can probably guess what we mean by “Twitter hack“.
In contrast, the Twitter hack we’re referring to ultimately led to the takeover of just 45 accounts.
But what accounts they were!
As federal investigator Tigran Gambaryan reported at the time, when charges were filed against three suspects:
[M]ultiple high-profile verified accounts were compromised, including accounts belonging to Bill Gates, Elon Musk, Kanye West, Joe Biden, Barack Obama, Jeff Bezos, Mike Bloomberg, Warren Buffett, Benjamin Netanyahu, and Kim Kardashian.
The suspects were alleged to have previous form in hacking and trading in so-called OG accounts, where OG is short for original gangster.
OG accounts have the sort of short and funky account names that get snapped up by early adopters when a new social media platform starts becoming popular, making them easy on the eyes and simple to remember, such as
@jack (which belongs to Twitter’s founder, Jack Dorsey) instead of
@another_jack_63 (which is, unsurprisingly, still available).
In this hack, however, they didn’t plan to sell on the high-profile accounts that they hijacked; they used them to promote a cryptocoin scam that they hoped people would fall for because of the reach and influence of the accounts involved.
You might think it’s unlikely that anyone would fall for messages saying, essentially, “Pay me $1000 in BTC now and I’ll pay you back $2000 later”, but the prestige of the accounts involved did, apparently, convince hundreds of people to take a chance on it…
…altough investigator Gambaryan wryly noted in his affidavit to the court that “No bitcoin was ever returned, much less doubled.”
The hack, Twitter ultimately figured out, was human-led rather than technology-driven, with the scammers using social engineering tricks – sweet-talking secrets out of support staff on the phone, to you and me – to wrangle access credentials out of Twitter staff.
The crooks then used those details later on to get into Twitter’s internal support tools and to provide direct “support” of their own for their criminal enterprise.
LEARN MORE ABOUT SOCIAL ENGINEERING
Listen to our special-episode podcast with Rachel Tobac, a renowned social engineering expert, and give yourself the confidence and understanding not to get sucked into saying or doing the wrong thing online:
Three suspects were identified quickly.
One suspect was soon arrested in Florida, US, and hit the news when his bail hearing, held via Zoom in the early days of the coronavirus pandemic, was zoom-bombed with political rants and, perhaps inevitably, porn.
Though only 17 at the time, the accused, Graham Clark, had apparently already been probed for a cryptocoin heist running into a million dollars or more , but voluntarily paid back close to $1m in bitcoins to Secret Service investigators.
(Clark has since received a three-year prison sentence for his part in the Twitter hack.)
One year on, and a fourth person, Joseph O’Connor, 22, is now not only under investigation for his alleged involvement in this hack, but under arrest in Spain.
O’Connor, described in a press release from the US Department of Justice (DOJ) merely as “a citizen of the United Kingdom”, was arrested at the Spanish holiday resort of Estepona on the Costa del Sol, and will now presumably face extradition to the United States.
The press release doesn’t link to an affidavit or a charge sheet in this case; reporters at IT news site The Register say they’ve seen the relevant court document but didn’t publish it because of the private nature of some of the data that it contained.
You can imagine what some of that data might reveal, and why El Reg decided to keep it private, from the DOJ’s press release:
[I]n addition to the July 15, 2020, hack of Twitter, O’Connor is charged with computer intrusions related to takeovers of TikTok and Snapchat user accounts. O’Connor is also charged with cyberstalking a juvenile victim.
O, what a tangled web we weave/When first we practise to deceive!