- After Twitter suffered a massive hack Wednesday that took over dozens of high-profile verified accounts and brought the site to a halt, the hunt began to identify the culprits.
- Many assumed the scale of the hack meant it was carried out by sophisticated actors like a nation-state, but new findings from researcher Brian Krebs and the cybersecurity firm Unit 221B suggest that the heist may have been led by a relatively unsophisticated group of young hackers.
- The researchers identified one account that, in the days leading up to the heist, demonstrated on Twitter and in hacker forums that it could carry out the type of attack that played out on Wednesday. According to Krebs' sources, the account belongs to a 21-year-old from Liverpool, U.K., named Joseph James Connor.
- It's not clear whether Connor acted alone or with others to carry out the hack Wednesday, and cybersecurity experts told Business Insider that the hackers likely have more plans in store.
New evidence surfaced by cybersecurity researchers suggests that the massive hack that compromised dozens of verified Twitter accounts Wednesday was not carried out by a sophisticated nation-state actor, as some had thought, but rather by a ragtag group of young hackers.
The heist apparently began when the account of the cryptocurrency exchange Binance tweeted that users who sent bitcoin to a specific address would receive even more bitcoin in return. Within minutes, similar messages were sent from the accounts of Bill Gates, Tesla CEO Elon Musk, Amazon CEO Jeff Bezos, former President Barack Obama, and Kim Kardashian West, each urging people to send bitcoin to the same address in exchange for more bitcoin.
The fraudulent tweets continued to appear for more than an hour with Twitter apparently helpless to stop them. In many cases, the tweets were quickly deleted, only for similar tweets to be sent out minutes later. Twitter ultimately blocked all verified accounts from sending tweets for roughly 30 minutes as it attempted to take control of the situation.
Before order was restored, more than 13 bitcoin, roughly $117,000 at the time, appeared to have been sent to the bitcoin wallet linked in the malicious tweets.
Twitter said in a statement late Wednesday night that it had evidence to suggest the hackers targeted Twitter employees using social engineering in order to "access internal systems and tools."
"We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We're looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it," Twitter said in the statement.
It's the widest-reaching hack in Twitter's history, but cybersecurity experts began to point out indicators that the attack wasn't carried out by a well-financed hacking operation or a sophisticated nation-state actor. For one, the attackers' objective was apparently modest: with that level of access they could have used the accounts to disrupt the stock market, sway an election, or even attempt to start a war. And the amount of money taken through the bitcoin scam is small relative to the access the attackers had. Some experts saw the noisy hack as a possible cover for a quieter, more damaging attack carried out at the same time.
Now, new evidence surfaced by researcher Brian Krebs and the cybersecurity firm Unit 221B shows that in the days leading up to the hack, users were bragging in hacker forums and on Twitter that they could compromise any Twitter account.
One person in the account-hijacking forum OGusers said in a post days before the Wednesday hack that they could compromise any Twitter account, offering to sell access to accounts for prices ranging from $250 to $3,000, according to Krebs' findings. Earlier still, at least two Twitter accounts, @shinji and @b, posted screenshots of Twitter's internal tools. Motherboard reported Wednesday that the internal tools can be used to change the email address associated with an account, which lets whoever operates the tool take over the account without the original owner being notified.
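The two activities described above, an internal support tool being used to change the contact email on many accounts in quick succession and many verified accounts posting the same payment address, are exactly the kind of signal an abuse-detection pipeline should alert on. The following is an added example, not code from the original article, Twitter, or the researchers cited. It runs two detections over constructed audit-log and tweet events; the event layout, operator names, account handles, the "email_change" action label, and the bitcoin address are all invented for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the two common Bitcoin address formats (base58 legacy/P2SH and bech32).
BTC_ADDR = re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")

# Constructed, NOT a real address; it only needs to satisfy the regex above.
SCAM_ADDR = "bc1qexampleconstructedaddress0000000"


def _t(s):
    return datetime.fromisoformat(s)


# Constructed internal-tool audit log: (time, operator, action, account).
# The field layout and the "email_change" action name are hypothetical.
ADMIN_EVENTS = [
    (_t("2020-07-15T09:10:00"), "support_op_02", "email_change", "@ordinary_user_1"),
    (_t("2020-07-15T15:02:00"), "support_op_17", "email_change", "@exchange_acct"),
    (_t("2020-07-15T15:04:00"), "support_op_17", "email_change", "@ceo_acct"),
    (_t("2020-07-15T15:07:00"), "support_op_17", "email_change", "@celebrity_acct"),
    (_t("2020-07-15T15:09:00"), "support_op_17", "disable_2fa", "@celebrity_acct"),
    (_t("2020-07-15T15:40:00"), "support_op_02", "email_change", "@ordinary_user_2"),
]

# Constructed tweet stream: (time, account, verified, text).
TWEET_EVENTS = [
    (_t("2020-07-15T15:10:00"), "@exchange_acct", True,
     f"We are giving back! Send BTC to {SCAM_ADDR} and get double back"),
    (_t("2020-07-15T15:12:00"), "@ceo_acct", True,
     f"Feeling generous today. {SCAM_ADDR} - doubling all payments for 30 min"),
    (_t("2020-07-15T15:15:00"), "@celebrity_acct", True,
     f"Only for the next 30 minutes: {SCAM_ADDR}"),
    (_t("2020-07-15T15:16:00"), "@random_fan", False, f"is this real?? {SCAM_ADDR}"),
    (_t("2020-07-15T15:20:00"), "@ceo_acct", True, f"Reposting: {SCAM_ADDR}"),
    (_t("2020-07-15T15:30:00"), "@unrelated_verified", True, "Shipped a new release today"),
]


def _burst(items, window, threshold):
    """items: (time, account) pairs. Return the sorted distinct accounts of the
    first sliding window of length `window` that holds at least `threshold`
    distinct accounts, or None if no window qualifies."""
    items = sorted(items)
    for i, (start, _) in enumerate(items):
        accounts = {acct for ts, acct in items[i:] if ts - start <= window}
        if len(accounts) >= threshold:
            return sorted(accounts)
    return None


def bulk_email_changes(events, window=timedelta(minutes=30), threshold=3):
    """Flag operators who changed the contact email on at least `threshold`
    distinct accounts within `window`. Returns {operator: [accounts]}.
    Other actions (e.g. disable_2fa) are ignored here; a real pipeline would
    score them too."""
    by_operator = defaultdict(list)
    for ts, operator, action, account in events:
        if action == "email_change":
            by_operator[operator].append((ts, account))
    flagged = {}
    for operator, items in by_operator.items():
        hit = _burst(items, window, threshold)
        if hit:
            flagged[operator] = hit
    return flagged


def shared_address_posts(tweets, window=timedelta(minutes=15), threshold=3):
    """Flag crypto addresses posted by at least `threshold` distinct verified
    accounts within `window`. Returns {address: [accounts]}. Unverified
    accounts are skipped because the pattern of interest is the takeover of
    high-profile verified accounts; repeats by one account count once."""
    by_address = defaultdict(list)
    for ts, account, verified, text in tweets:
        if not verified:
            continue
        for address in set(BTC_ADDR.findall(text)):
            by_address[address].append((ts, account))
    flagged = {}
    for address, items in by_address.items():
        hit = _burst(items, window, threshold)
        if hit:
            flagged[address] = hit
    return flagged


if __name__ == "__main__":
    print("operators with bulk email changes:", bulk_email_changes(ADMIN_EVENTS))
    print("addresses posted by many verified accounts:", shared_address_posts(TWEET_EVENTS))
```

On the constructed data, the first detection flags `support_op_17` for changing the email on three accounts in five minutes, while `support_op_02`, whose two changes are hours apart, is not flagged; the second flags the constructed address for appearing on three distinct verified accounts within ten minutes. The thresholds and windows are deliberately small so the sample fires; in practice they are tuned against the normal volume of legitimate support actions, and an alert on the first detection is the one that would have fired before any scam tweet was sent.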
Citing a source who works in security at a US-based mobile carrier, Krebs traced the @shinji and @b Twitter handles to a notorious hacker who goes by PlugWalkJoe.
PlugWalkJoe is known for SIM swapping attacks, in which hackers bribe or trick mobile carrier employees into transferring a victim's cell phone number to a SIM card the attacker controls, so that SMS-based password resets and one-time login codes for the victim's other accounts are delivered to the attacker instead. PlugWalkJoe is also affiliated with ChucklingSquad, a group of SIM swappers thought to be behind the 2019 hack of Twitter CEO Jack Dorsey's account.
According to Krebs' security sources, PlugWalkJoe is a 21-year-old from Liverpool, UK, named Joseph James Connor, who is currently living in Spain. The source told Krebs that an undercover female investigator recently convinced Connor — operating under his PlugWalkJoe handle — to agree to a video call, which showed a pool in the background that Connor has also posted to his Instagram.
It's not clear whether Connor acted alone or with others to carry out the hack Wednesday, nor is it clear whether the attack has run its course. Details of the hack suggest that attackers could have viewed the direct messages of every compromised account, which could theoretically be used for lucrative blackmail schemes.
Twitter now faces demands from state and federal lawmakers to more thoroughly explain how the accounts were compromised and why it took so long to regain control. Both the FBI and New York State regulators opened investigations into the hack Thursday, and the Senate Select Committee on Intelligence said it would request information from Twitter.
And cybersecurity experts told Business Insider that the attack likely isn't over.
"In security, you're paid to be paranoid," Kevin O'Brien, the CEO of the cloud email security company GreatHorn, told Business Insider Thursday. "And the paranoia says there was something else happening at the same time, or these accounts were being accessed in ways that are far more damaging."