FBI Used Information From An Online Forum Hacking To Track Down One Of The Hackers Behind The Massive Twitter Attack

from the not-even-a-third-party-record dept

As Mike reported last week, the DOJ rounded up three alleged participants in the massive Twitter hack that saw dozens of verified accounts start tweeting out promises to double the bitcoin holdings of anyone who sent bitcoin to a certain account.

Three people were arrested. The ringleader appears to be a 17-year-old Tampa, Florida resident. The other two suspects are a 22-year-old Florida man and a 19-year-old from the UK. The hack was achieved through social engineering, giving the suspects access to an internal dashboard used by Twitter employees. This gave them access to multiple accounts, as well as all any direct messages sent to and from those accounts. That it was all just a bitcoin scam is somewhat of a relief, although not so much for victims who were duped out of nearly $100,000 via 400 transactions.

A rather interesting aspect of the investigation was pointed out by CNET reporter Alfred Ng. There are plenty of places investigators can go to obtain evidence stored on websites. But they don't always need a subpoena or warrant. Sometimes the information is already out in the open, having been harvested by malicious hackers and shared online. No paperwork needed.

If you can't read/see the tweet, it says:

wow, the FBI used a stolen database of OGUsers from April to identify one of the people allegedly involved in the Twitter hack

The information is contained in the criminal complaint [PDF] against 19-year-old UK resident Mason John Sheppard, a.k.a. "Chaewon." Ironically, a forum used by social media account hackers was itself hacked, resulting in a stash of info investigators were able to access without having to approach the site directly. From the complaint:

On April 2, 2020, the administrator of the OGUsers forum publicly announced that OGUsers website was successfully hacked. Shortly after the announcement, a rival criminal hacking forum publicly released a link to download the OGUsers forum database, claiming it contained all of the forum’s user information. The publicly released database has been available on various websites since approximately April 2020. On or about April 9, 2020, the FBI obtained a copy of this database. The FBI found that the database included all public forum postings, private messages between users, IP addresses, email addresses, and additional user information. Also included for each user was a list of the IP addresses that user used to log into the service along with a corresponding date and timestamp.

I reviewed records and communications that are part of this publicly-released database. I also found that on February 4, 2020, Chaewon exchanged private messages on OGUsers with another user of the forum during which Chaewon made a purchase of a video game username and was instructed to send bitcoin to address 188ZsdVPv9Rkdiqn4V4V1w6FDQVk7pDf4 (hereinafter, “the Chaewon purchase address”).

From there, the FBI was able to track bitcoin transactions, locate Sheppard's email address, and use that additional information to obtain information from virtual currency exchanges, Binance and Coinbase. With all of this information, the FBI was able to connect "Chaewon" and other usernames to Mason Sheppard to locate him and charge him with assisting in the hacking and bitcoin scam.

No warrants were needed. The info from the forum hack was already in the public domain. Bitcoin transactions are considered financial records, standing outside of the Fourth Amendment's protections. Even if it would possibly be more prudent to directly approach websites with subpoenas or warrants to obtain records, it appears to be far easier to just access data obtained from malicious hacking. And there are companies out there compiling information from data breaches and malicious hackings and selling access to law enforcement agencies who feel judges and additional paperwork will just slow them down.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 3rd party doctrine, 3rd party information, fbi, hacking, mason sheppard, ogusers, twitter hack, warrant


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Tim R (profile), 3 Aug 2020 @ 9:47am

    But what about encryption? I thought encryption was supposed to make crimes unsolvable? Will we see officials holding up a 17-year-old's phone on national TV that they can't get into and whining because they can't pile on extra charges?

    reply to this | link to this | view in chronology ]

    • icon
      PaulT (profile), 3 Aug 2020 @ 9:52pm

      Re:

      "I thought encryption was supposed to make crimes unsolvable?"

      Did he use encryption? I thought the main port of entry was a social engineering trick.

      reply to this | link to this | view in chronology ]

  • icon
    Anonymous Anonymous Coward (profile), 3 Aug 2020 @ 9:49am

    Darkness darkening

    But, but, but, the world is going dark, give us our backdoors, we desperately need them. Um, for all of you, not us.

    (It seem obvious, but inevitably deniable, that someone actually did some detective work in this case, (by mistake?)).

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 3 Aug 2020 @ 10:09am

      Re: Darkness darkening

      We still have to work out a few systems that can avoid decryption by quantum computers. My personal favorite is to use MP3 files as security key generators.

      reply to this | link to this | view in chronology ]

  • icon
    Koby (profile), 3 Aug 2020 @ 10:27am

    Parallel Construction

    Hackers hacking a hacker forum, and then making the entire database public. Serving the information on a platter to investigators, with no warrant. It almost seems too convenient. While I have no doubt that the miscreants who peruse such sites would be willing to target one-another for lulz, petty dispute revenge, or discrediting their rivals, this almost seems too good to be true for law enforcement. It potentially sanctions a loophole whereby government-backed hackers can compromise a website, and then the police can go ahead and use any information they desire, with the caveat that they publicly release the information beforehand.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 3 Aug 2020 @ 11:06am

      Re: Parallel Construction

      With the use of such hacked data, and brokers supplying it, there is always the question of provenance of where the data actually came from, and how accurate is it.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Aug 2020 @ 12:25pm

    Somewhere it seems I've heard the words "parallel construction". This sure seems to serve that up on a platter.

    hmmmm, let me go get my tin foil hat.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Aug 2020 @ 1:53pm

    But you will be met with violence for publishing information exfiltrated from badly secured government systems.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Aug 2020 @ 1:54pm

    Theses hackers were not very smart , they only use a few email address, s in different forums and on twitter . And of course using one bitcoin address makes it easy to trace who had acess to that account. Pro hackers use disposable email address, s , burner phones , proxy vpns etc
    Let's remember that anyone who uses a phone leaves a record with their isp and telecom provider
    of their browsing history, location data, sms txt and email data and the fbi can easily acess this.
    Most people use Gmail or other basic apps that are
    do not use encryption by default.
    Most criminals are stupid or careless , even hackers can be hacked or else they make stupid mistakes.
    Recently it's been found that the secure enclave
    in the many apple devices is not secure.
    Even pro hackers find keeping all data and devices
    secure is difficult
    If I was going to hack twiitter I would not use my pc at home or phone to do so.

    reply to this | link to this | view in chronology ]

  • icon
    Jeremy Lyman (profile), 4 Aug 2020 @ 5:02am

    Show them the tropes

    There's an entire segment of police procedural tv-shows devoted to not-detectives who break laws to get leads for the cops. It's just mainstream.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Essential Reading
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.