see
url:https://www.wired.com/story/how-alleged-twitter-hackers-got-caught-bitcoin/
Quote<<<
On July 15, a Discord user with the handle Kirk#5270 made an enticing
proposition. “I work for Twitter,” they said, according to court
documents released Friday. “I can claim any name, let me know if you’re
trying to work.” It was the beginning of what would, a few hours later,
turn into the biggest known Twitter hack of all time. A little over two
weeks later, three individuals have been charged in connection with the
heists of accounts belonging to Bill Gates, Elon Musk, Barack Obama,
Apple, and more—along with nearly $120,000 in bitcoin.

Friday afternoon, after an investigation that included the FBI, IRS, and
Secret Service, the Department of Justice charged UK resident Mason
Sheppard and Nima Fazeli, of Orlando, Florida in connection with the
Twitter hack. A 17-year-old, Graham Ivan Clark, was charged separately
with 30 felonies in Hillsborough County, Florida, including 17 counts of
communications fraud. Together, the criminal complaints filed in the
cases offer a detailed portrait of the day everything went haywire—and
how poorly the alleged attackers covered their tracks. All three are
currently in custody.

Despite his claims on the morning of July 15, Kirk#5270 was not a
Twitter employee. He did, however, have access to Twitter’s internal
administrative tools, which he showed off by sharing screenshots of
accounts like “@bumblebee,” “@sc,” “@vague,” and “@R9.” (Short handles
are a popular target among certain hacking communities.) Another Discord
user who went by “ever so anxious#0001” soon began lining up buyers;
Kirk#5270 shared the address of a Bitcoin wallet where proceeds could be
directed. Offers included $5,000 for “@xx,” which would later be
compromised.

That same morning, someone going by “Chaewon” on the forum OGUsers
started advertising access to any Twitter account. In a post titled
“Pulling email for any Twitter/Taking Requests,” Chaewon listed prices
as $250 to change the email address associated with any account, and up
to $3,000 for account access. The post directs users to “ever so
anxious#0001” on Discord; over the course of seven hours, starting at
around 7:16 am ET, the “ever so anxious#0001” account discussed the
takeover of at least 50 user names with Kirk#5270, according to court
documents. In that same Discord chat, “ever so anxious#0001” said his
OGUsers handle was Chaewon, suggesting the two were the same individual.

Kirk#5270 allegedly received similar help from a Discord user going by
Rolex#0373, although that person was skeptical at first. “Just sounds
too good to be true,” he wrote, according to chat transcripts
investigators obtained via warrant. Later, to help back up his claim,
Kirk#5270 appears to have changed the email address tied to the Twitter
account @foreign to an email address belonging to Rolex#0373. Like
Chaewon, Rolex#0373 then agreed to help broker deals on OGUsers—where
his user name was Rolex—with prices starting at $2,500 for especially
sought-after account names. In exchange, Rolex got to keep @foreign for
himself.
>>>End of Quote