FBI Used Information From An Online Forum Hacking To Track Down One Of The Hackers Behind The Massive Twitter Attack
from the not-even-a-third-party-record dept
As Mike reported last week, the DOJ rounded up three alleged participants in the massive Twitter hack that saw dozens of verified accounts start tweeting out promises to double the bitcoin holdings of anyone who sent bitcoin to a certain account.
Three people were arrested. The ringleader appears to be a 17-year-old Tampa, Florida resident. The other two suspects are a 22-year-old Florida man and a 19-year-old from the UK. The hack was achieved through social engineering, giving the suspects access to an internal dashboard used by Twitter employees. This gave them access to multiple accounts, as well as all any direct messages sent to and from those accounts. That it was all just a bitcoin scam is somewhat of a relief, although not so much for victims who were duped out of nearly $100,000 via 400 transactions.
A rather interesting aspect of the investigation was pointed out by CNET reporter Alfred Ng. There are plenty of places investigators can go to obtain evidence stored on websites. But they don't always need a subpoena or warrant. Sometimes the information is already out in the open, having been harvested by malicious hackers and shared online. No paperwork needed.
wow, the FBI used a stolen database of OGUsers from April to identify one of the people allegedly involved in the Twitter hack https://t.co/HA0LvWRwww pic.twitter.com/V9rESRsxwR
— alfred 🆖 (@alfredwkng) July 31, 2020
If you can't read/see the tweet, it says:
wow, the FBI used a stolen database of OGUsers from April to identify one of the people allegedly involved in the Twitter hack
The information is contained in the criminal complaint [PDF] against 19-year-old UK resident Mason John Sheppard, a.k.a. "Chaewon." Ironically, a forum used by social media account hackers was itself hacked, resulting in a stash of info investigators were able to access without having to approach the site directly. From the complaint:
On April 2, 2020, the administrator of the OGUsers forum publicly announced that OGUsers website was successfully hacked. Shortly after the announcement, a rival criminal hacking forum publicly released a link to download the OGUsers forum database, claiming it contained all of the forum’s user information. The publicly released database has been available on various websites since approximately April 2020. On or about April 9, 2020, the FBI obtained a copy of this database. The FBI found that the database included all public forum postings, private messages between users, IP addresses, email addresses, and additional user information. Also included for each user was a list of the IP addresses that user used to log into the service along with a corresponding date and timestamp.
I reviewed records and communications that are part of this publicly-released database. I also found that on February 4, 2020, Chaewon exchanged private messages on OGUsers with another user of the forum during which Chaewon made a purchase of a video game username and was instructed to send bitcoin to address 188ZsdVPv9Rkdiqn4V4V1w6FDQVk7pDf4 (hereinafter, “the Chaewon purchase address”).
From there, the FBI was able to track bitcoin transactions, locate Sheppard's email address, and use that additional information to obtain information from virtual currency exchanges, Binance and Coinbase. With all of this information, the FBI was able to connect "Chaewon" and other usernames to Mason Sheppard to locate him and charge him with assisting in the hacking and bitcoin scam.
No warrants were needed. The info from the forum hack was already in the public domain. Bitcoin transactions are considered financial records, standing outside of the Fourth Amendment's protections. Even if it would possibly be more prudent to directly approach websites with subpoenas or warrants to obtain records, it appears to be far easier to just access data obtained from malicious hacking. And there are companies out there compiling information from data breaches and malicious hackings and selling access to law enforcement agencies who feel judges and additional paperwork will just slow them down.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 3rd party doctrine, 3rd party information, fbi, hacking, mason sheppard, ogusers, twitter hack, warrant
Reader Comments
Subscribe: RSS
View by: Time | Thread
But what about encryption? I thought encryption was supposed to make crimes unsolvable? Will we see officials holding up a 17-year-old's phone on national TV that they can't get into and whining because they can't pile on extra charges?
[ link to this | view in chronology ]
Re:
"I thought encryption was supposed to make crimes unsolvable?"
Did he use encryption? I thought the main port of entry was a social engineering trick.
[ link to this | view in chronology ]
Darkness darkening
But, but, but, the world is going dark, give us our backdoors, we desperately need them. Um, for all of you, not us.
(It seem obvious, but inevitably deniable, that someone actually did some detective work in this case, (by mistake?)).
[ link to this | view in chronology ]
Re: Darkness darkening
We still have to work out a few systems that can avoid decryption by quantum computers. My personal favorite is to use MP3 files as security key generators.
[ link to this | view in chronology ]
Parallel Construction
Hackers hacking a hacker forum, and then making the entire database public. Serving the information on a platter to investigators, with no warrant. It almost seems too convenient. While I have no doubt that the miscreants who peruse such sites would be willing to target one-another for lulz, petty dispute revenge, or discrediting their rivals, this almost seems too good to be true for law enforcement. It potentially sanctions a loophole whereby government-backed hackers can compromise a website, and then the police can go ahead and use any information they desire, with the caveat that they publicly release the information beforehand.
[ link to this | view in chronology ]
Re: Parallel Construction
With the use of such hacked data, and brokers supplying it, there is always the question of provenance of where the data actually came from, and how accurate is it.
[ link to this | view in chronology ]
Somewhere it seems I've heard the words "parallel construction". This sure seems to serve that up on a platter.
hmmmm, let me go get my tin foil hat.
[ link to this | view in chronology ]
But you will be met with violence for publishing information exfiltrated from badly secured government systems.
[ link to this | view in chronology ]
Theses hackers were not very smart , they only use a few email address, s in different forums and on twitter . And of course using one bitcoin address makes it easy to trace who had acess to that account. Pro hackers use disposable email address, s , burner phones , proxy vpns etc
Let's remember that anyone who uses a phone leaves a record with their isp and telecom provider
of their browsing history, location data, sms txt and email data and the fbi can easily acess this.
Most people use Gmail or other basic apps that are
do not use encryption by default.
Most criminals are stupid or careless , even hackers can be hacked or else they make stupid mistakes.
Recently it's been found that the secure enclave
in the many apple devices is not secure.
Even pro hackers find keeping all data and devices
secure is difficult
If I was going to hack twiitter I would not use my pc at home or phone to do so.
[ link to this | view in chronology ]
Show them the tropes
There's an entire segment of police procedural tv-shows devoted to not-detectives who break laws to get leads for the cops. It's just mainstream.
[ link to this | view in chronology ]