FBI Used Information From An Online Forum Hacking To Track Down One Of The Hackers Behind The Massive Twitter Attack

from the not-even-a-third-party-record dept

As Mike reported last week, the DOJ rounded up three alleged participants in the massive Twitter hack that saw dozens of verified accounts start tweeting out promises to double the bitcoin holdings of anyone who sent bitcoin to a certain account.

Three people were arrested. The ringleader appears to be a 17-year-old Tampa, Florida resident. The other two suspects are a 22-year-old Florida man and a 19-year-old from the UK. The hack was achieved through social engineering, giving the suspects access to an internal dashboard used by Twitter employees. This gave them access to multiple accounts, as well as any direct messages sent to and from those accounts. That it was all just a bitcoin scam is somewhat of a relief, although not so much for victims who were duped out of nearly $100,000 via 400 transactions.

A rather interesting aspect of the investigation was pointed out by CNET reporter Alfred Ng. There are plenty of places investigators can go to obtain evidence stored on websites. But they don’t always need a subpoena or warrant. Sometimes the information is already out in the open, having been harvested by malicious hackers and shared online. No paperwork needed.

If you can’t read/see the tweet, it says:

wow, the FBI used a stolen database of OGUsers from April to identify one of the people allegedly involved in the Twitter hack

The information is contained in the criminal complaint [PDF] against 19-year-old UK resident Mason John Sheppard, a.k.a. “Chaewon.” Ironically, a forum used by social media account hackers was itself hacked, resulting in a stash of info investigators were able to access without having to approach the site directly. From the complaint:

On April 2, 2020, the administrator of the OGUsers forum publicly announced that OGUsers website was successfully hacked. Shortly after the announcement, a rival criminal hacking forum publicly released a link to download the OGUsers forum database, claiming it contained all of the forum’s user information. The publicly released database has been available on various websites since approximately April 2020. On or about April 9, 2020, the FBI obtained a copy of this database. The FBI found that the database included all public forum postings, private messages between users, IP addresses, email addresses, and additional user information. Also included for each user was a list of the IP addresses that user used to log into the service along with a corresponding date and timestamp.

I reviewed records and communications that are part of this publicly-released database. I also found that on February 4, 2020, Chaewon exchanged private messages on OGUsers with another user of the forum during which Chaewon made a purchase of a video game username and was instructed to send bitcoin to address 188ZsdVPv9Rkdiqn4V4V1w6FDQVk7pDf4 (hereinafter, “the Chaewon purchase address”).

From there, the FBI was able to track bitcoin transactions, locate Sheppard’s email address, and use that additional information to obtain information from virtual currency exchanges, Binance and Coinbase. With all of this information, the FBI was able to connect “Chaewon” and other usernames to Mason Sheppard to locate him and charge him with assisting in the hacking and bitcoin scam.

No warrants were needed. The info from the forum hack was already in the public domain. Bitcoin transactions are considered financial records, standing outside of the Fourth Amendment’s protections. Even if it might be more prudent to approach websites directly with subpoenas or warrants to obtain records, it appears to be far easier to just access data obtained from malicious hacking. And there are companies out there compiling information from data breaches and malicious hackings and selling access to law enforcement agencies who feel judges and additional paperwork will just slow them down.


Comments on “FBI Used Information From An Online Forum Hacking To Track Down One Of The Hackers Behind The Massive Twitter Attack”

11 Comments
Koby (profile) says:

Parallel Construction

Hackers hacking a hacker forum, and then making the entire database public. Serving the information on a platter to investigators, with no warrant. It almost seems too convenient. While I have no doubt that the miscreants who peruse such sites would be willing to target one another for lulz, petty dispute revenge, or discrediting their rivals, this almost seems too good to be true for law enforcement. It potentially sanctions a loophole whereby government-backed hackers can compromise a website, and then the police can go ahead and use any information they desire, with the caveat that they publicly release the information beforehand.

Anonymous Coward says:

These hackers were not very smart; they only used a few email addresses in different forums and on Twitter. And of course using one bitcoin address makes it easy to trace who had access to that account. Pro hackers use disposable email addresses, burner phones, proxies, VPNs, etc.

Let’s remember that anyone who uses a phone leaves a record with their ISP and telecom provider of their browsing history, location data, SMS text and email data, and the FBI can easily access this. Most people use Gmail or other basic apps that do not use encryption by default.

Most criminals are stupid or careless; even hackers can be hacked, or else they make stupid mistakes. Recently it’s been found that the secure enclave in many Apple devices is not secure. Even pro hackers find keeping all data and devices secure is difficult.

If I was going to hack Twitter I would not use my PC at home or phone to do so.
