Twitter hackers were caught after sending bitcoin to verified Coinbase accounts

Following the arrest of three people in relation to the hacking of Twitter Inc. on Friday, more details have emerged as to how the trio were tracked down and how they managed to gain access to Twitter.

The mastermind of the hack was not named by the U.S. Federal Bureau of Investigation but was later identified in media reports as Graham Ivan Clark, 17, from Tampa, Florida. According to the indictment, Clark hired Mason Sheppard, 19, from the U.K. and Nima Fazeli, 22, of Orlando, Florida, to help him gain access to Twitter through a phone spear phishing campaign.

Twitter detailed in a series of tweets how the attack took place. The trio is said to have “targeted a small number of employees through a phone spear-phishing attack,” with a “significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.” Having gained that access, the trio then tweeted bitcoin scam messages across a number of high-profile accounts, including those of former U.S. President Barack Obama and Tesla Inc. Chief Executive Officer Elon Musk.

The path to capturing the trio turned out to be fairly easy for the FBI. The three may have been crafty in gaining access to Twitter, but ultimately they were extraordinarily lax in hiding their trail. Using blockchain analysis tools, the FBI traced the bitcoin sent to the trio in the scam to Coinbase Inc. accounts that had been registered and verified with real driver’s licenses of Fazeli and Sheppard.

Although Fazeli and Sheppard are certainly not master criminals, the story of Clark is more interesting. A long piece in The New York Times details his path to hacking from becoming a Minecraft scammer at the age of 10 to joining a hacking forum at 15, then moving on to bitcoin at 16. Clark had been previously investigated for the theft of $865,000 in bitcoin but was never charged over the matter.

Clark’s criminal activities prior to the Twitter hack may have been even more extensive. At a hearing on Saturday that granted him bail for $725,000, Clark’s attorney said that his client had more than $3 million in bitcoin.

That social engineering was used by the trio was of particular interest to security analysts. Lisa Plaggemier, chief strategy officer at digital security awareness training company MediaPro Holdings LLC, told SiliconANGLE that the Twitter attack was a well-planned targeted voice phishing, or vishing, attack.

“Employee training against these types of attacks is critical and it can be tricky,” she said. “When the attackers have done their research on the targeted individuals and used data gained in previous breaches, they can be extremely convincing over the phone.

As a result, she added, “employees, and the general public for that matter, have become accustomed to the obvious phone scans, like the IRS phone scam that was so pervasive a few years back. It was ‘spray and pray,’ not targeted, and therefore relatively obvious to many people who knew to hang up. But therein lies the problem.”

Ray Kelly, principal security engineer at application security firm WhiteHat Security Inc., noted that the incident demonstrates that social engineering is still a common method for attackers to gain access to internal systems.”The human is often times the weakest link in any security chain,” he said. “Proper employee training and employing services that test human susceptibility to social engineering attacks such as email spear-phishing, phone calls and in-person attacks can be invaluable to help prevent the employee from being the security gap in any organization.”

Image: Shawn Campbell/Flickr