A British man, 21, has denied being behind this week’s Twitter hack but admitted he bought a stolen account with Bitcoin, as it’s revealed three young gamers carried out the attack after allegedly infiltrating a Slack channel to make $180,000.
Joseph O’Connor, a well-known hacker who goes by the name ‘PlugWalkJoe’ online, told the New York Times he was not involved in Wednesday’s massive breach and was getting a massage near his current home in Spain at the time.
The 21-year-old, who is said to hail from Liverpool, brushed off accusations made by security journalist Brian Krebs Thursday that he was a key player in the hack, and said he was merely a customer of the assailants’.
Logs on Discord, a chat platform used by gamers, obtained by the Times show he bought the Twitter account @6 through one of the hackers who has come forward – ‘ever so anxious’ – and personalized it, but was not involved in the rest of the conversations among the known hackers involved in the breach.
Authorities are grappling to identify the perpetrators of Wednesday’s attack which broke into 130 Twitter accounts including those of some of the world’s most famous faces such as Barack Obama, Joe Biden and Elon Musk.
The culprits then posted messages from the famous accounts telling followers to send Bitcoin payments to email addresses, swindling more than $180,000 out of unsuspecting victims in the process.
British man Joseph O’Connor, 21, (pictured) has denied being behind this week’s Twitter hack but admitted he bought a stolen account with Bitcoin, as it’s revealed three young gamers carried out the attack after allegedly infiltrating a Slack channel to make $180,000
Joseph O’Connor (pictured), a well-known hacker who goes by the name ‘PlugWalkJoe’ online, told the New York Times he was not involved in Wednesday’s massive breach and was getting a massage near his current home in Spain at the time
‘I don’t care – they can come arrest me,’ O’Connor told the Times about his links to the breach.
‘I would laugh at them. I haven’t done anything.’
According to O’Connor, who KrebsOnSecurity said is at university in Spain, the word in the hacking community is the ringleader of the attack – known only as ‘Kirk’ – hacked into the Twitter accounts via messaging site Slack.
‘Kirk’ managed to infiltrate Twitter’s internal Slack messaging channel and found the credentials for the accounts, along with a service that gave him access to the company’s servers.
This version of events matches up with the current findings of investigators, the Times reported.
The ringleader then recruited at least two other hackers – ‘lol’ who identified himself as a man in his 20s living on the West Coast and ‘ever so anxious’ who said he was 19 and lived in the south of England with his mother.
Nothing is yet known about the identity of ‘Kirk’ including their nationality, location or whether they are also a lone young hacker or if they work for a higher force.
Before Wednesday, the hacker was not known in the murky hacking world and his Discord profile was only created on July 7.
It is also not clear how much information the mastermind stole from his high-profile victims such as their private conversation history.
‘Kirk’ first approached ‘lol’ online late on Tuesday, claiming he worked at Twitter and showing off his ability to hijack accounts, ‘lol’ told the Times.
‘ever so anxious’ was able to gain control of the Twitter account he had long coveted, @anxious, which now displays his contact info in the bio, according to the Times
The group posted ads on the forum OGusers.com offering to sell ‘OG accounts’ for bitcoin
‘yoo bro. i work at twitter / don’t show this to anyone / seriously,’ wrote ‘Kirk’ in the conversation seen by the Times.
‘Kirk’ showed ‘lol’ he could take control of Twitter accounts and lured in ‘ever so anxious’ the same way Wednesday morning, they allege.
The mystery ringleader then offered to hijack coveted ‘OG accounts’ and proposed that ‘lol’ and ‘ever so anxious’ could sell them.
OG, short for ‘original gangster’, accounts consist of a username with single character or short word, such as @6, @b, or @dead, which would have been created early in Twitter’s history.
Such accounts are highly coveted by hackers and gamers, with people paying high amounts to buy the stolen accounts.
The group sold @dark, @w, @l, @50 and @vague among others that day and ‘ever so anxious’ also took the screen name @anxious for himself.
The attack affected high-profile accounts including former president Barack Obama
After their initial scheme saw modest success, bringing in thousands of dollars, ‘lol’ and ‘ever so anxious’ claimed to the Times that ‘Kirk’ went rogue, hijacking high-profile accounts and posting requests to send bitcoin to the wallet address that ‘Kirk’ had also used to receive payment for the OG names.
The young hackers maintained they stopped serving as middlemen at this point and insist they were not involved in the high-profile Bitcoin scam that drew in $180,000 using celebrity accounts.
The posts said people had 30 minutes to send $1,000 in bitcoin, promising they would receive twice as much in return.
Twitter says hackers ‘manipulated’ employees to access 130 accounts
Twitter says hackers ‘manipulated’ some of its employees to access accounts in a high-profile attack on the social media company, including those of Democratic presidential challenger Joe Biden and tech entrepreneur Elon Musk.
Posts trying to dupe people into sending the hackers Bitcoin were tweeted by the official accounts of Apple, Uber, Bill Gates and many others on Wednesday, forcing Twitter to lock large numbers of accounts in damage control.
More than $100,000 worth of the virtual currency was sent to email addresses mentioned in the tweets, according to Blockchain.com, which monitors crypto transactions.
‘We know that they accessed tools only available to our internal support teams to target 130 Twitter accounts,’ said a statement posted Saturday on Twitter’s blog.
Twitter says 130 accounts were targeted in the mass hack that occurred earlier this week
For 45 of those accounts, the hackers were able to reset passwords, login and send tweets, it added, while the personal data of up to eight unverified users was downloaded.
Twitter locked down affected accounts and removed the fraudulent tweets. It also shut off accounts not affected by the hack as a precaution.
Most of those have now been restored, Twitter said on Saturday.
President Donald Trump’s account, which has 83.5 million followers, was not targeted.
‘The president will remain on Twitter,’ White House press secretary Kayleigh McEnany said. ‘His account was secure and not jeopardized during these attacks.’
Twitter said it is limiting the information it makes public about the attack while it carries out ‘remediation steps’ to secure the site, as well as training employees to guard against future hacking attempts.
They say ‘Kirk’ has since vanished and ‘lol’ now doubts the ringleader works for Twitter after seeing the damage they were willing to inflict on the company.
Analysis of the Bitcoin transactions by The Times and research firm Chainalysis confirmed that ‘Kirk’ was taking money in and out of the same Bitcoin wallet used in the lower level scam of the stolen OG accounts and the progressively higher level attacks on the celebrity accounts.
Three investigators also confirmed to the Times that the Bitcoin wallet was used in both schemes.
The fraudulent posts managed to draw in more than $180,000 worth of Bitcoin before Twitter shut it down by deleting the posts and shutting off access for broad swaths of users.
Cybersecurity experts were stunned by the startling revelation that the breach, unprecedented in scale for the social media site, seemingly amounted to youthful hijinks.
‘An incident such as this could have extraordinary serious consequences – manipulation of the markets, disinformation relating to an election, etc,’ Brett Callow, a threat analyst at cybersecurity firm Emsisoft, told DailyMail.com.
‘However, in this case, reporting suggests that the hack was carried out by a group of young people who may have done nothing worse than execute a bitcoin scam,’ he said. ‘Twitter got lucky.’
The massive hack has raised questions about Twitter’s security as it serves as a megaphone for politicians ahead of November’s election.
Twitter said Saturday that hackers had ‘manipulated’ some of its employees to access the accounts.
It also confirmed that 130 accounts were breached, including 45 where passwords and logins were reset and tweets sent.
Personal data was downloaded from eight unverified accounts.
‘We know that they accessed tools only available to our internal support teams to target 130 Twitter accounts,’ said a statement posted Saturday on Twitter’s blog.
‘As of now, we know that they accessed tools only available to our internal support teams to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, login to the account, and send Tweets.’
It continued: ‘For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information through our “Your Twitter Data” tool. We are reaching out directly to any account owner where we know this to be true.’
Twitter said it will not divulge who owns the eight accounts that had their details downloaded.
‘There is a lot speculation about the identity of these 8 accounts. We will only disclose this to the impacted accounts, however to address some of the speculation: none of the eight were Verified accounts,’ Twitter said Saturday.
Twitter and the FBI are both investigating the breach.
Twitter CEO Jack Dorsey is seen above. 130 Twitter accounts were breached and $180,000 Bitcoin swindled in Wednesday’s massive hack