FBI Used Information From An Online Forum Hacking To Track Down One Of The Hackers Behind The Massive Twitter Attack
from the not-even-a-third-party-record dept
As Mike reported last week, the DOJ rounded up three alleged participants in the massive Twitter hack that saw dozens of verified accounts start tweeting out promises to double the bitcoin holdings of anyone who sent bitcoin to a certain account.
Three people were arrested. The ringleader appears to be a 17-year-old Tampa, Florida resident. The other two suspects are a 22-year-old Florida man and a 19-year-old from the UK. The hack was achieved through social engineering, giving the suspects access to an internal dashboard used by Twitter employees. This gave them access to multiple accounts, as well as all any direct messages sent to and from those accounts. That it was all just a bitcoin scam is somewhat of a relief, although not so much for victims who were duped out of nearly $100,000 via 400 transactions.
A rather interesting aspect of the investigation was pointed out by CNET reporter Alfred Ng. There are plenty of places investigators can go to obtain evidence stored on websites. But they don’t always need a subpoena or warrant. Sometimes the information is already out in the open, having been harvested by malicious hackers and shared online. No paperwork needed.
— alfred ? (@alfredwkng) July 31, 2020
If you can’t read/see the tweet, it says:
wow, the FBI used a stolen database of OGUsers from April to identify one of the people allegedly involved in the Twitter hack
The information is contained in the criminal complaint [PDF] against 19-year-old UK resident Mason John Sheppard, a.k.a. “Chaewon.” Ironically, a forum used by social media account hackers was itself hacked, resulting in a stash of info investigators were able to access without having to approach the site directly. From the complaint:
On April 2, 2020, the administrator of the OGUsers forum publicly announced that OGUsers website was successfully hacked. Shortly after the announcement, a rival criminal hacking forum publicly released a link to download the OGUsers forum database, claiming it contained all of the forum’s user information. The publicly released database has been available on various websites since approximately April 2020. On or about April 9, 2020, the FBI obtained a copy of this database. The FBI found that the database included all public forum postings, private messages between users, IP addresses, email addresses, and additional user information. Also included for each user was a list of the IP addresses that user used to log into the service along with a corresponding date and timestamp.
I reviewed records and communications that are part of this publicly-released database. I also found that on February 4, 2020, Chaewon exchanged private messages on OGUsers with another user of the forum during which Chaewon made a purchase of a video game username and was instructed to send bitcoin to address 188ZsdVPv9Rkdiqn4V4V1w6FDQVk7pDf4 (hereinafter, “the Chaewon purchase address”).
From there, the FBI was able to track bitcoin transactions, locate Sheppard’s email address, and use that additional information to obtain information from virtual currency exchanges, Binance and Coinbase. With all of this information, the FBI was able to connect “Chaewon” and other usernames to Mason Sheppard to locate him and charge him with assisting in the hacking and bitcoin scam.
No warrants were needed. The info from the forum hack was already in the public domain. Bitcoin transactions are considered financial records, standing outside of the Fourth Amendment’s protections. Even if it would possibly be more prudent to directly approach websites with subpoenas or warrants to obtain records, it appears to be far easier to just access data obtained from malicious hacking. And there are companies out there compiling information from data breaches and malicious hackings and selling access to law enforcement agencies who feel judges and additional paperwork will just slow them down.