The wide-scale hack of prominent Twitter accounts on Wednesday may have been made possible by a notorious cybercriminal.
The incident, which first saw cryptocurrency-related accounts taken over, was used to push a Bitcoin scam that eventually netted more than $100,000.
The hack swiftly spread far beyond the digital currency sphere and ultimately led to the compromise of numerous high-profile individuals, including former President Barack Obama, former Vice President Joe Biden, Tesla CEO Elon Musk, and Amazon founder Jeff Bezos.
The breadth of the hack immediately led security experts to raise concerns over the possibility that Twitter itself had been breached. A report from Vice soon after stated that those responsible had gained access to an internal Twitter tool after bribing an employee.
Twitter appeared to confirm at least part of the report late Wednesday, although the company claimed its employees were the victims of “a coordinated social engineering attack.”
Now, new information suggests that the hack may have been perpetrated by those involved in SIM Swapping, an attack which involves tricking or bribing mobile carrier employees into transferring an individual’s phone number to a hacker’s SIM card.
As reported by security blogger Brian Krebs on Thursday, a post on the underground forum “OGUsers” had advertised the ability to change the email address associated with any Twitter account just days prior.
The user behind the post, a member named “Chaewon,” was charging $250 to replace a Twitter user’s email and between $2,000 to $3,000 for direct access to specific accounts.
By replacing a Twitter user’s email with one of their own, a hacker could request a password reset. Twitter would then send a link to change the password to the hacker’s email. A hacker could even disable an account’s two-factor authentication before gaining access.
Some of the first accounts to be snagged by the hack were @6 and @B or what are referred to as “OG accounts,” profiles with short usernames that are highly-coveted among SIM swappers.
It wasn’t long after that screenshots of Twitter’s internal tool began appearing on the platform, leading the company to delete any tweets containing the image.
One Twitter account to tweet out the image, @shinji, had also asked users to follow @6 prior to their account being suspended.
A security source from a major mobile carrier told Krebs that the two Instagram accounts belonged to a notorious SIM swapper who refers to himself as “PlugWalkJoe.”
PlugWalkJoe is reportedly the subject of numerous investigations due to his involvement in SIM swapping attacks that have led to major Bitcoin thefts.
Given that @shinji promoted accounts reportedly tied to PlugWalkJoe in his bio, mentioned @6 long before it was widely known to have been hacked, and tweeted out images of Twitter’s internal tool, it’s not surprising that some security experts have linked the SIM swapper to the hack.
Krebs’ source further added that PlugWalkJoe is known for his involvement with the “ChucklingSquad,” a group of SIM swappers that have made headlines for taking over the Twitter accounts of celebrities and even Twitter CEO Jack Dorsey. The hacker is allegedly a 21-year-old from Liverpool who is currently grounded in Spain due to COVID-19 travel restrictions.
Krebs continued by stating that his source had confirmed the 21-year-old to be PlugWalkJoe thanks to a photo of a swimming pool on the j0e Instagram account. A woman convinced the individual to video chat with her as part of an investigation and saw the same swimming pool in the background.
It still remains unclear just how damaging the Twitter hack was. While it appears that Twitter is taking steps to lock down access to its internal tools, questions still remain over whether accounts affected had their DMs compromised as well.
Major questions are also being raised about the potential national security threat posed by Twitter. If a 21-year-old seeking Bitcoin was allegedly able to takeover accounts belonging to some of the world’s most powerful individuals, an advanced nation state with more nefarious aims could undoubtedly do the same.
- Twitter’s response to major hack is still leaving lots of people locked out
- Report: Twitter employee paid by hackers to get access to large accounts
- Twitter descends into momentary chaos with response to bitcoin scam