News, Culture & Society

British teenager denies being behind Twitter hack but admits he bought stolen account with Bitcoin

A British man, 21, has denied being behind this week’s Twitter hack but admitted he bought a stolen account with Bitcoin, as it’s revealed three young gamers carried out the attack after allegedly infiltrating a Slack channel to make $180,000. 

Joseph O’Connor, a well-known hacker who goes by the name ‘PlugWalkJoe’ online, told the New York Times he was not involved in Wednesday’s massive breach and was getting a massage near his current home in Spain at the time. 

The 21-year-old, who is said to hail from Liverpool, brushed off accusations made by security journalist Brian Krebs Thursday that he was a key player in the hack, and said he was merely a customer of the assailants’. 

Logs on Discord, a chat platform used by gamers, obtained by the Times show he bought the Twitter account @6 through one of the hackers who has come forward – ‘ever so anxious’ – and personalized it, but was not involved in the rest of the conversations among the known hackers involved in the breach.

Authorities are grappling to identify the perpetrators of Wednesday’s attack which hacked into 130 Twitter accounts including those of some of the world’s most famous faces including Barack Obama, Joe Biden and Elon Musk. 

The culprits then posted messages from the famous accounts telling followers to send Bitcoin payments to email addresses, swindling more than $180,000 out of unsuspecting victims in the process.   

British man Joseph O’Connor, 21, (pictured) has denied being behind this week’s Twitter hack but admitted he bought a stolen account with Bitcoin, as it’s revealed three young gamers carried out the attack after allegedly infiltrating a Slack channel to make $180,000

Joseph O'Connor (pictured), a well-known hacker who goes by the name 'PlugWalkJoe' online, told the New York Times he was not involved in Wednesday's massive breach and was getting a massage near his current home in Spain at the time

The 21-year-old, who is said to hail from Liverpool, brushed off accusations made by security journalist Brian Krebs Thursday that he was a key player in the hack, and said he was merely a customer of the assailants'

Joseph O’Connor (pictured), a well-known hacker who goes by the name ‘PlugWalkJoe’ online, told the New York Times he was not involved in Wednesday’s massive breach and was getting a massage near his current home in Spain at the time

‘I don’t care – they can come arrest me,’ O’Connor told the Times about his links to the breach. 

‘I would laugh at them. I haven’t done anything.’   

According to O’Connor, who according to KrebsOnSecurity is at university in Spain, the word in the hacking community is that the ringleader of the attack – known only as ‘Kirk’ – hacked into the Twitter accounts via messaging site Slack. 

‘Kirk’ managed to infiltrate Twitter’s internal Slack messaging channel and found the credentials for the accounts, along with a service that gave him access to the company’s servers. 

This version of events matches up with the current findings of investigators, the Times reported. 

The ringleader then recruited at least two other hackers – ‘lol’ who identified himself as a man in his 20s living on the West Coast and ‘ever so anxious’ who said he was 19 and lived in the south of England with his mother. 

Nothing is yet known about the identity of ‘Kirk’ including their nationality, location or whether they are also a lone young hacker or work for a higher force. 

Before Wednesday, the hacker was not known in the murky hacking world and his Discord profile was only created on July 7.  

It is also not clear how much information the mastermind stole from his high-profile victims such as their private conversation history. 

‘Kirk’ first approached ‘lol’ online late on Tuesday, claiming he worked at Twitter and showing off his ability to hijack accounts, ‘lol’ told the Times.

'ever so anxious' was able to gain control of the Twitter account he had long coveted, @anxious, which now displays his contact info in the bio, according to the Times

‘ever so anxious’ was able to gain control of the Twitter account he had long coveted, @anxious, which now displays his contact info in the bio, according to the Times

The group posted ads on the forum OGusers.com offering to sell 'OG accounts' for bitcoin

The group posted ads on the forum OGusers.com offering to sell ‘OG accounts’ for bitcoin

‘yoo bro. i work at twitter / don’t show this to anyone / seriously,’ wrote ‘Kirk’ in the conversation seen by the Times. 

‘Kirk’ showed ‘lol’ he could take control of Twitter accounts and lured in ‘ever so anxious’ the same way Wednesday morning, they allege.

The mystery ringleader then offered to hijack coveted ‘OG accounts’ and proposed that ‘lol’ and ‘ever so anxious’ could sell them. 

OG, short for ‘original gangster’, accounts consist of a username with single character or short word, such as @6, @b, or @dead, which would have been created early in Twitter’s history. 

Such accounts are highly coveted by hackers and gamers, with people paying high amounts to buy the stolen accounts.

The group sold @dark, @w, @l, @50 and @vague among others that day and ‘ever so anxious’ also took the screen name @anxious for himself.  

The attack affected high-profile accounts including former president Barack Obama

The attack affected high-profile accounts including former president Barack Obama

After their initial scheme saw modest success, bringing in thousands of dollars, ‘lol’ and ‘ever so anxious’ claimed to the Times that ‘Kirk’ went rogue, hijacking high-profile accounts and posting requests to send bitcoin to the wallet address that ‘Kirk’ had also used to receive payment for the OG names. 

The young hackers maintained they stopped serving as middlemen at this point and insist they were not involved in the high-profile Bitcoin scam that drew in $180,000 using celebrity accounts. 

The posts said people had 30 minutes to send $1,000 in bitcoin, promising they would receive twice as much in return. 

Twitter says hackers ‘manipulated’ employees to access 130 accounts

Twitter says hackers ‘manipulated’ some of its employees to access accounts in a high-profile attack on the social media company, including those of Democratic presidential challenger Joe Biden and tech entrepreneur Elon Musk.

Posts trying to dupe people into sending the hackers Bitcoin were tweeted by the official accounts of Apple, Uber, Bill Gates and many others on Wednesday, forcing Twitter to lock large numbers of accounts in damage control.

More than $100,000 worth of the virtual currency was sent to email addresses mentioned in the tweets, according to Blockchain.com, which monitors crypto transactions.

‘We know that they accessed tools only available to our internal support teams to target 130 Twitter accounts,’ said a statement posted Saturday on Twitter’s blog.

Twitter says 130 accounts were targeted in the mass hack that occurred earlier this week

Twitter says 130 accounts were targeted in the mass hack that occurred earlier this week

For 45 of those accounts, the hackers were able to reset passwords, login and send tweets, it added, while the personal data of up to eight unverified users was downloaded.

Twitter locked down affected accounts and removed the fraudulent tweets. It also shut off accounts not affected by the hack as a precaution.

Most of those have now been restored, Twitter said on Saturday.

President Donald Trump’s account, which has 83.5 million followers, was not targeted.

‘The president will remain on Twitter,’ White House press secretary Kayleigh McEnany said. ‘His account was secure and not jeopardized during these attacks.’

Twitter said it is limiting the information it makes public about the attack while it carries out ‘remediation steps’ to secure the site, as well as training employees to guard against future hacking attempts. 

They say ‘Kirk’ has since vanished and ‘lol’ now doubts ‘kirk’ works for Twitter after seeing the damage he was willing to inflict on the company. 

Analysis of the Bitcoin transactions by The Times and research firm Chainalysis confirmed that ‘Kirk’ was taking money in and out of the same Bitcoin wallet in the lower level scam of the stolen OG accounts and the progressively higher level attacks on the celebrity accounts.  

Three investigators also confirmed to the Times that the Bitcoin wallet that paid to set up cryptoforhealth.com was the same wallet ‘Kirk’ had used all morning. 

The fraudulent posts managed to draw in more than $180,000 worth of bitcoin before Twitter shut it down by deleting the posts and shutting off access for broad swaths of users.  

The massive hack has raised questions about Twitter’s security as it serves as a megaphone for politicians ahead of November’s election.

‘Based on what we know right now, we believe approximately 130 accounts were targeted by the attackers in some way as part of the incident,’ Twitter said in a tweet Friday.

‘For a small subset of these accounts, the attackers were able to gain control of the accounts and then send Tweets from those accounts.’

Twitter said it appeared to be a ‘coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.’ 

Cybersecurity experts were stunned by the startling revelation that the breach, unprecedented in scale for the social media site, seemingly amounted to youthful hijinks. 

‘An incident such as this could have extraordinary serious consequences – manipulation of the markets, disinformation relating to an election, etc,’ Brett Callow, a threat analyst at cybersecurity firm Emsisoft, told DailyMail.com. 

‘However, in this case, reporting suggests that the hack was carried out by a group of young people who may have done nothing worse than execute a bitcoin scam,’ he said. ‘Twitter got lucky.’

Twitter said Saturday that hackers had ‘manipulated’ some of its employees to access the accounts.

‘We know that they accessed tools only available to our internal support teams to target 130 Twitter accounts,’ said a statement posted Saturday on Twitter’s blog.

For 45 of those accounts, the hackers were able to reset passwords, login and send tweets, it added, while the personal data of up to eight unverified users was downloaded. 

Twitter said it will not divulge who owns the eight accounts that had their details downloaded.

‘There is a lot speculation about the identity of these 8 accounts. We will only disclose this to the impacted accounts, however to address some of the speculation: none of the eight were Verified accounts,’ Twitter said Saturday.

Twitter and the FBI are both investigating the breach.  

Twitter CEO Jack Dorsey is seen above. 130 Twitter accounts were breached and $180,000 Bitcoin swindled in Wednesday's massive hack

Twitter CEO Jack Dorsey is seen above. 130 Twitter accounts were breached and $180,000 Bitcoin swindled in Wednesday’s massive hack

Read more at DailyMail.co.uk