On July 15, a Discord user with the handle Kirk#5270 made an enticing proposition. “I work for Twitter,” they said, according to court documents released Friday. “I can claim any name, let me know if you’re trying to work.” It was the beginning of what would, a few hours later, turn into the biggest known Twitter hack of all time. A little over two weeks later, three individuals have been charged in connection with the heists of accounts belonging to Bill Gates, Elon Musk, Barack Obama, Apple, and more—along with nearly $120,000 in bitcoin.
Friday afternoon, after an investigation that included the FBI, IRS, and Secret Service, the Department of Justice charged UK resident Mason Sheppard and Nima Fazeli, of Orlando, Florida in connection with the Twitter hack. A 17-year-old, Graham Ivan Clark, was charged separately with 30 felonies in Hillsborough County, Florida, including 17 counts of communications fraud. Together, the criminal complaints filed in the cases offer a detailed portrait of the day everything went haywire—and how poorly the alleged attackers covered their tracks. All three are currently in custody.
Despite his claims on the morning of July 15, Kirk#5270 was not a Twitter employee. He did, however, have access to Twitter’s internal administrative tools, which he showed off by sharing screenshots of accounts like “@bumblebee,” “@sc,” “@vague,” and “@R9.” (Short handles are a popular target among certain hacking communities.) Another Discord user who went by “ever so anxious#0001” soon began lining up buyers; Kirk#5270 shared the address of a Bitcoin wallet where proceeds could be directed. Offers included $5,000 for “@xx,” which would later be compromised.
That same morning, someone going by “Chaewon” on the forum OGUsers started advertising access to any Twitter account. In a post titled “Pulling email for any Twitter/Taking Requests,” Chaewon listed prices as $250 to change the email address associated with any account, and up to $3,000 for account access. The post directs users to “ever so anxious#0001” on Discord; over the course of seven hours, starting at around 7:16 am ET, the “ever so anxious#0001” account discussed the takeover of at least 50 user names with Kirk#5270, according to court documents. In that same Discord chat, “ever so anxious#0001” said his OGUsers handle was Chaewon, suggesting the two were the same individual.
Kirk#5270 allegedly received similar help from a Discord user going by Rolex#0373, although that person was skeptical at first. “Just sounds too good to be true,” he wrote, according to chat transcripts investigators obtained via warrant. Later, to help back up his claim, Kirk#5270 appears to have changed the email address tied to the Twitter account @foreign to an email address belonging to Rolex#0373. Like Chaewon, Rolex#0373 then agreed to help broker deals on OGUsers—where his user name was Rolex—with prices starting at $2,500 for especially sought-after account names. In exchange, Rolex got to keep @foreign for himself.
By around 2 pm ET on July 15, at least 10 Twitter accounts had been stolen, according to the criminal complaints, but the hackers still seemed focused on short or desirable handles like @drug and @xx and @vampire, rather than celebrities and tech moguls. And the takeovers were an end unto themselves, rather than in service of a cryptocurrency scam. The deals brokered by Chaewon netted Kirk#5270 around $33,000 in bitcoin, according to the criminal complaint; Chaewon took in another $7,000 for his role as intermediary.
The FBI believes that Rolex is Fazeli, and it charged him with one count of aiding and abetting the intentional access of a protected computer. They believe Sheppard is Chaewon, who is charged with conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer.