Feds Charge 3 In Massive Twitter Hacker Attack Targeting Biden, Obama, Gates, Bezos Accounts
SAN FRANCISCO (CBS SF) -- Three individuals including a juvenile were charged Friday with masterminding a Twitter hacking attack that compromised accounts belonging to VIPs ranging from former President Barack Obama and presumptive Democratic presidential nominee Joe Biden to billionaire businessmen Elon Musk, Bill Gates and Jeff Bezos.
U.S. Attorney David Anderson announced the charges against Mason Sheppard, aka "Chaewon," 19, of Bognor Regis, in the United Kingdom; Nima Fazeli, aka "Rolex," 22, of Orlando, Florida, and a juvenile who was not identified.
"As of today, the FBI and our partners have taken two individuals into custody," said FBI San Francisco Assistant Special Agent in Charge Sanjay Virmani. "They are facing either federal or state criminal charges, including computer intrusion, fraud, money laundering, wire fraud, and identity theft."
Sheppard was charged in a criminal complaint in the Northern District of California with conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer.
If convicted of all counts, Sheppard is facing a sentence of 45 years in federal prison. Read the charging document for Mason Sheppard.
Fazeli was charged in a criminal complaint in the Northern District of California with aiding and abetting the intentional access of a protected computer.
If convicted Fazeli faces five years in federal prison. Read the charging document for Nima Fazeli
The juvenile involved in the case was turned over to Florida authorities.
"There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence," Anderson said in a release. "Today's charging announcement demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived. Criminal conduct over the Internet may feel stealthy to the people who perpetrate it, but there is nothing stealthy about it. In particular, I want to say to would-be offenders, break the law, and we will find you."
According to the complaint federal investigators were trying to determine the identity of "Kirk#5270" -- the alleged mastermind of the hack. Both Sheppard and Fazeli were in contact with "Kirk#5270."
"I have probable cause to believe that an unknown individual, identified by the online moniker of "Kirk#5270," played a central role in the compromise of Twitter on July 15, 2020," IRS Special Agent Tigren Gambaryan stated in the charging document. "Pursuant to a search warrant signed by U.S. Magistrate Judge Sallie Kim in the Northern District of California on July 17, 2020, Discord, Inc. provided content, which included Discord chats between an individual utilizing the username "Kirk#5270" and others, in which "Kirk#5270" said that he/she could reset, swap, and control any Twitter account at will, and would do so in exchange for bitcoin transfers."
"Kirk#5270" told the others he was a former Twitter employee. He remains at large.
As alleged in the complaints, the Twitter attack consisted of a combination of technical breaches and social engineering. The result of the Twitter hack was the compromise of approximately 130 Twitter accounts belonging to politicians, celebrities, and musicians.
The hackers are alleged to have created a scam bitcoin account, to have hacked into Twitter VIP accounts, to have sent solicitations from the Twitter VIP accounts with a false promise to double any bitcoin deposits made to the scam account, and then to have stolen the bitcoin that victims deposited into the scam account.
As alleged in the complaints, the scam bitcoin account received more than 400 transfers worth more than $100,000.
In a blog post by Twitter's security , the company said the hack began with an email phishing attack of several of its employees.
"The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack," the post revealed. " A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes."
"This knowledge then enabled them to target additional employees who did have access to our account support tools. Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM (direct message) inbox of 36, and downloading the Twitter Data of 7."
Since the attack, the blog post said, "we've significantly limited access to our internal tools and systems to ensure ongoing account security while we complete our investigation."