In an interview with The Times, four people revealed their involvement in the Twitter hack last week. The hackers, who shared screenshots of their conversations to prove their involvement, were not previously well known in the hacking community. They did not belong to any “single country like Russia or a sophisticated group of hackers”, as the extent of the security breach seemed to suggest; rather, they are young and relatively unknown, save for their presence on the website OGusers.com.
OGusers is a website frequented by gamers, hackers, and people interested in social media. It is a place to trade O.G. usernames: highly desired usernames picked up by users in the nascent stages of big platforms. Two of the people who acted as accomplices in the attack, “lol” and “ever so anxious”, used their presence on the site to act as middlemen, selling the usernames of accounts breached by a third individual, “kirk”, who seemed to have a way to get access to any high-profile Twitter account he chose.
“Kirk” approached “lol” on Discord with the message “yoo bro,” and proceeded to introduce himself: “i work at twitter / don’t show this to anyone / seriously.” Though “lol” and his friend “ever so anxious” admitted to being complicit in the initial scheme of selling usernames, they claimed not to have been involved in the later all-out attack on Wednesday: “I just wanted to tell you my story because i think you might be able to clear some thing up about me and ever so anxious”.
“lol” claimed to be a 20-year-old living on the West Coast, while “ever so anxious” said he was a 19-year-old in South London who lived with his mother. The mysterious “kirk”, on the other hand, disappeared after the attack on Wednesday, and his profile on Discord was only created on July 7th.
The Times learned of those involved through Haseeb Awan, a security researcher in California who said he was in touch with them because he had been targeted by them before. They targeted a bitcoin company he once owned and later attempted an unsuccessful attack against his current venture, Efani, a secure phone provider.
One of their customers on OGusers, who purchased the Twitter handle @6, is a well-known figure in hacking circles who goes by the name “PlugWalkJoe”. “PlugWalkJoe” was one of the people named as a key player by security journalist Brian Krebs in an article concerning the hack. “PlugWalkJoe”, who in an interview with The Times revealed his real name to be Joseph O’Connor, said of the accusation, “I don’t care, they can come arrest me. I would laugh at them. I haven’t done anything.”
O’Connor revealed that “kirk” got the credentials of Twitter accounts when he found a way into Twitter’s internal Slack messaging channel and saw them posted there, along with a service that gave him access to the company’s servers. These details were in line with what those investigating the case had learned so far. Twitter did not comment on the matter, citing the active investigation.
The Times verified that the four people were connected to the hack by matching their social media and cryptocurrency accounts to accounts that were involved with the events on Wednesday. They also presented corroborating evidence of their involvement, like the logs from their conversations on Discord, a messaging platform popular with gamers and hackers, and Twitter.
After the all-out attack involving the bitcoin scam, the public ledger of Bitcoin transactions revealed that the Bitcoin wallet used to purchase the domain cryptoforhealth.com was the very wallet that Kirk had been using for earlier transactions. This information was provided by three investigators who could not make any official statements because of the active investigation.