A hacker forum obsessed with super-short 'OG' handles was selling Twitter account access for $3,000 days before the giant hack
- Screenshots obtained by Business Insider and multiple reports have pinpointed a community of hackers who are obsessed with "OG" Twitter handles as a possible factor in Wednesday's giant Twitter hack.
- The term "OG" stands for "original gangster" and refers to online usernames that are short, making them potentially desirable.
- In the days before the hack, a user on the forum advertised access to individual Twitter accounts for between $2,000 and $3,000, per screenshots seen by Business Insider.
- Executives at two cybersecurity firms told Reuters Wednesday's hack didn't appear to be particularly sophisticated.
- Twitter continues to investigate the hack internally, and the exact sequence of events is still emerging.
It looks like the birthplace of Wednesday's giant Twitter hack was a community of hackers obsessed with "OG" (Original Gangster) Twitter handles.
On Wednesday dozens of high-profile accounts including Barack Obama, Joe Biden, Jeff Bezos, Bill Gates, Elon Musk, and Kanye West tweeted out a scam that asked their followers to send the cryptocurrency Bitcoin to them via a Bitcoin wallet address, promising to send back double the amount.
Although the Bitcoin scam was comparatively harmless, the scale of the hack is unprecedented.
It has caused jitters among lawmakers, Twitter users, and the security community who worry that hackers may next time wreak further damage, potentially manipulating the stock market or even provoking geopolitical conflict. Twitter is widely used by global leaders, and particularly by President Trump.
Screenshots obtained by Business Insider, as well as reports from TechCrunch, Reuters, and well-respected cybersecurity reporter Brian Krebs link the hack with a community of hackers that values short Twitter handles, known has "OG" handles.
"OG" stands for "original gangsters" and refers to short social media usernames that might be seen as desirable — comprising a first name, for example, or one or two letters.
Business Insider viewed screenshots from a forum called OGusers in the runup to Wednesday's attack which show hackers selling access to Twitter accounts. The screenshots were provided to Business Insider by Roi Carthy, CEO of cyberintelligence firm Hudson Rock.
The screenshots show a post from a user known as "Chaewon" claiming to be able to change the email address on any Twitter account for $250, and grant full access to the account for $2,000 to $3,000.
Before the high-profile accounts were hijacked, a handful of OG accounts were hacked first.
One anonymous source told TechCrunch that a hacker with the alias "Kirk" was the culprit behind the hack itself, and was able to rake in over $100,000 through the Bitcoin scam after gaining access to an internal Twitter admin tool allowing them to change the email address associated with a Twitter account.
Motherboard previously reported that the hackers gained access to a dashboard which allowed them to change accounts' email addresses.
Further screenshots provided to Business Insider by Hudson Rock appear to show the compromised Twitter tool in question.
TechCrunch's source said that before Kirk embarked on the Bitcoin scam they started selling OG Twitter handles with the help of a "trusted" member of OGusers. It's not clear from TechCrunch's report whether this user was Chaewon. They also said Kirk made off with over $100,000, which tallies with analysis of the Bitcoin wallet addresses posted by the hacked accounts.
Not a particularly sophisticated scheme
Executives at Hudson Rock and Unit 221B, a security firm that aided Krebs in his investigation into the hack, both told Reuters that the hack didn't look overly thought-out or professional.
"This doesn't look like a particularly sophisticated hacking group," said Hudson Rock CEO Roi Carthy.
"When you have these less professional criminal groups, you see chaotic outcomes," said Allison Nixon, Unit 221B's chief research officer.
"One member might stumble across a powerful hack, and it spirals out of control. That's probably what happened here," she added.
Twitter is still conducting its own investigation into what happened, and on Thursday said the attack affected roughly 130 accounts. It said only a "small subset" of these accounts tweeted links to Bitcoin wallets.
Twitter's statement on Wednesday implies that multiple hackers carried out the attack.
"We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools," Twitter said.
The company did not confirm whether these systems and tools included the dashboard mentioned by TechCrunch and Motherboard.
It described the hackers as having used a "coordinated social engineering attack" — social engineering being a term for any hack in which people are tricked into handing over access, rather than the attackers technically hacking into a company's systems.