A British man, 21, has denied being behind this week’s Twitter hack but admitted he bought a stolen account with Bitcoin, as it’s revealed three young gamers carried out the attack after allegedly infiltrating a Slack channel to make $180,000.
Joseph O’Connor, a well-known hacker who goes by the name ‘PlugWalkJoe’ online, told the New York Times he was not involved in Wednesday’s massive breach and was getting a massage near his current home in Spain at the time.
The 21-year-old, who is said to hail from Liverpool, brushed off accusations made by security journalist Brian Krebs Thursday that he was a key player in the hack, and said he was merely a customer of the assailants’.
Logs on Discord, a chat platform used by gamers, obtained by the Times show he bought the Twitter account @6 through one of the hackers who has come forward – ‘ever so anxious’ – and personalized it, but was not involved in the rest of the conversations among the known hackers involved in the breach.
Authorities are grappling to identify the perpetrators of Wednesday’s attack which hacked into 130 Twitter accounts including those of some of the world’s most famous faces including Barack Obama, Joe Biden and Elon Musk.
The culprits then posted messages from the famous accounts telling followers to send Bitcoin payments to email addresses, swindling more than $180,000 out of unsuspecting victims in the process.
British man Joseph O’Connor, 21, (pictured) has denied being behind this week’s Twitter hack but admitted he bought a stolen account with Bitcoin, as it’s revealed three young gamers carried out the attack after allegedly infiltrating a Slack channel to make $180,000
Joseph O’Connor (pictured), a well-known hacker who goes by the name ‘PlugWalkJoe’ online, told the New York Times he was not involved in Wednesday’s massive breach and was getting a massage near his current home in Spain at the time
‘I don’t care – they can come arrest me,’ O’Connor told the Times about his links to the breach.
‘I would laugh at them. I haven’t done anything.’
According to O’Connor, who according to KrebsOnSecurity is at university in Spain, the word in the hacking community is that the ringleader of the attack – known only as ‘Kirk’ – hacked into the Twitter accounts via messaging site Slack.
‘Kirk’ managed to infiltrate Twitter’s internal Slack messaging channel and found the credentials for the accounts, along with a service that gave him access to the company’s servers.
This version of events matches up with the current findings of investigators, the Times reported.
The ringleader then recruited at least two other hackers – ‘lol’ who identified himself as a man in his 20s living on the West Coast and ‘ever so anxious’ who said he was 19 and lived in the south of England with his mother.
Nothing is yet known about the identity of ‘Kirk’ including their nationality, location or whether they are also a lone young hacker or work for a higher force.
Before Wednesday, the hacker was not known in the murky hacking world and his Discord profile was only created on July 7.
It is also not clear how much information the mastermind stole from his high-profile victims such as their private conversation history.
‘Kirk’ first approached ‘lol’ online late on Tuesday, claiming he worked at Twitter and showing off his ability to hijack accounts, ‘lol’ told the Times.
‘ever so anxious’ was able to gain control of the Twitter account he had long coveted, @anxious, which now displays his contact info in the bio, according to the Times
The group posted ads on the forum OGusers.com offering to sell ‘OG accounts’ for bitcoin
‘yoo bro. i work at twitter / don’t show this to anyone / seriously,’ wrote ‘Kirk’ in the conversation seen by the Times.
‘Kirk’ showed ‘lol’ he could take control of Twitter accounts and lured in ‘ever so anxious’ the same way Wednesday morning, they allege.
The mystery ringleader then offered to hijack coveted ‘OG accounts’ and proposed that ‘lol’ and ‘ever so anxious’ could sell them.
OG, short for ‘original gangster’, accounts consist of a username with single character or short word, such as @6, @b, or @dead, which would have been created early in Twitter’s history.
Such accounts are highly coveted by hackers and gamers, with people paying high amounts to buy the stolen accounts.
The group sold @dark, @w, @l, @50 and @vague among others that day and ‘ever so anxious’ also took the screen name @anxious for himself.
The attack affected high-profile accounts including former president Barack Obama
After their initial scheme saw modest success, bringing in thousands of dollars, ‘lol’ and ‘ever so anxious’ claimed to the Times that ‘Kirk’ went rogue, hijacking high-profile accounts and posting requests to send bitcoin to the wallet address that ‘Kirk’ had also used to receive payment for the OG names.
The young hackers maintained they stopped serving as middlemen at this point and insist they were not involved in the high-profile Bitcoin scam that drew in $180,000 using celebrity accounts.
The posts said people had 30 minutes to send $1,000 in bitcoin, promising they would receive twice as much in return.
They say ‘Kirk’ has since vanished and ‘lol’ now doubts ‘kirk’ works for Twitter after seeing the damage he was willing to inflict on the company.
Analysis of the Bitcoin transactions by The Times and research firm Chainalysis confirmed that ‘Kirk’ was taking money in and out of the same Bitcoin wallet in the lower level scam of the stolen OG accounts and the progressively higher level attacks on the celebrity accounts.
Three investigators also confirmed to the Times that the Bitcoin wallet that paid to set up cryptoforhealth.com was the same wallet ‘Kirk’ had used all morning.
The fraudulent posts managed to draw in more than $180,000 worth of bitcoin before Twitter shut it down by deleting the posts and shutting off access for broad swaths of users.
The massive hack has raised questions about Twitter’s security as it serves as a megaphone for politicians ahead of November’s election.
‘Based on what we know right now, we believe approximately 130 accounts were targeted by the attackers in some way as part of the incident,’ Twitter said in a tweet Friday.
‘For a small subset of these accounts, the attackers were able to gain control of the accounts and then send Tweets from those accounts.’
Twitter said it appeared to be a ‘coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.’
Cybersecurity experts were stunned by the startling revelation that the breach, unprecedented in scale for the social media site, seemingly amounted to youthful hijinks.
‘An incident such as this could have extraordinary serious consequences – manipulation of the markets, disinformation relating to an election, etc,’ Brett Callow, a threat analyst at cybersecurity firm Emsisoft, told DailyMail.com.
‘However, in this case, reporting suggests that the hack was carried out by a group of young people who may have done nothing worse than execute a bitcoin scam,’ he said. ‘Twitter got lucky.’
Twitter said Saturday that hackers had ‘manipulated’ some of its employees to access the accounts.
‘We know that they accessed tools only available to our internal support teams to target 130 Twitter accounts,’ said a statement posted Saturday on Twitter’s blog.
For 45 of those accounts, the hackers were able to reset passwords, login and send tweets, it added, while the personal data of up to eight unverified users was downloaded.
Twitter said it will not divulge who owns the eight accounts that had their details downloaded.
‘There is a lot speculation about the identity of these 8 accounts. We will only disclose this to the impacted accounts, however to address some of the speculation: none of the eight were Verified accounts,’ Twitter said Saturday.
Twitter and the FBI are both investigating the breach.
Twitter CEO Jack Dorsey is seen above. 130 Twitter accounts were breached and $180,000 Bitcoin swindled in Wednesday’s massive hack