How the FBI tracked down suspects in Twitter hacking
On July 31, US time, US investigators indicted three people in connection with the Twitter account hijackings of that month. ZDNet used the indictment documents released by the US Department of Justice to reconstruct the timeline of the hack and how investigators identified the three suspects.
Courtesy: Volodymyr Hryshchenko, ZDNet, Twitter
The data used in this article is based on the indictment against the following three individuals issued by the US Department of Justice on August 1st.
According to the indictment, the hack was originally triggered by Clark's access to part of the Twitter network on May 3rd. Clark, a Tampa resident, lived in California at the time of the incident.
Provided by: ZDNet
The timeline at this point is ambiguous, and it is not clear what happened between May 3rd and July 15th, when the actual hack occurred. However, it is believed that Clark did not immediately move from the initial point of entry to the Twitter management tool he later used to take over the accounts.
On the other hand, according to a report by The New York Times several days after the hack, Clark appears to have initially accessed one of the Slack channels used internally by Twitter, rather than Twitter's systems themselves.
That report, based on accounts from informants allegedly involved in the hacking, says Clark discovered company credentials posted in Twitter's Slack channel.
These credentials allegedly gave Clark access to an internal employee tool capable of managing every aspect of a Twitter account. Screenshots of the tool were leaked online on the day of the hack.
Provided by: Reddit
However, the credentials for this tool alone were not enough to reach Twitter's backend. As noted in a Twitter blog post detailing the investigation of the hack, accounts on the admin backend were protected with two-factor authentication (2FA).
It is unknown how long it took Clark to gain working access. However, according to the same blog post, Clark used a "telephone spear-phishing attack" to deceive several employees, gained access to their accounts, and is then said to have "broken through (Twitter's) two-factor authentication."
According to Twitter, this happened on July 15th, the day the hack occurred.
Clark, who used the name "Kirk#5270" on the chat app Discord, did not keep a low profile after gaining access. According to Discord chat logs obtained by the FBI, Clark contacted two other users seeking ways to monetize the access he had obtained.
The chat log, which is also included in the indictment, shows Clark ("Kirk#5270") approaching two users on Discord's OGUsers channel. OGUsers is a forum dedicated to hackers buying and selling social media accounts.