As Twitter picks up the pieces a day after hackers hijacked the accounts of high-profile users and celebrities to spread a Bitcoin scam, are we any close to finding out the individuals or groups behind this scam? Even as Twitter is taking steps to restore access for locked accounts and limiting access to internal tools as it tries to investigate what happened, the Federal Bureau of Investigation (FBI) has also launched an investigation into the hacking and the Bitcoin scam on the social media platform. The US Senate Committee has also asked Twitter to appear and explain Wednesday’s Bitcoin scam by July 23. In what has been classified as a 'coordinated social engineering attack', the Twitter accounts of Bill Gates, Elon Musk, Barack Obama, Joe Biden, Kim Kardashian West, Warren Buffet, Jeff Bezos, Apple’s corporate account, Uber’s corporate account and more were hacked to spread the Bitcoin scam.Security researcher Brian Krebs says there are strong indications that the scam was the handiwork of individuals who’ve traditionally specialized in hijacking social media accounts via “SIM swapping” (You can read more here). This method is used for criminal activities including bribing, hacking or coercing employees at mobile phone and social media companies into providing access to a target’s account. Krebs says that in the days leading up to the Bitcoin scam on Twitter, there were signs that some actors in the SIM swapping community were selling the ability to change an email address tied to any Twitter account. “A user named “Chaewon” advertised they could change email address tied to any Twitter account for $250, and provide direct access to accounts for between $2,000 and $3,000 apiece,” he says.
Krebs says that a source who works in security at one of the largest U.S.-based mobile carriers, who said the “j0e” and “dead” Instagram accounts are tied to a notorious SIM swapper who goes by the nickname “PlugWalkJoe.” Investigators have been tracking PlugWalkJoe because he is thought to have been involved in multiple SIM swapping attacks over the years that preceded high-dollar bitcoin heists. It is believed the individual is also part of, or at least was part of, a group of SIM swappers that went by the name “ChucklingSquad,” and are believed to be behind the hacking of Twitter CEO Jack Dorsey‘s Twitter account last year. The hackers had, at the time, done a SIM swap attack against AT&T, the mobile provider for the phone number tied to Dorsey’s Twitter account, says Krebs.
It is believed that PlugWalkJoe in real life is a 21-year-old from U.K. and his name if Joseph James Connor. “The source said PlugWalkJoe is in Spain where he was attending a university until earlier this year. He added that PlugWalkJoe has been unable to return home on account of travel restrictions due to the COVID-19 pandemic,” he says.
According to Blockchain.com tracking the BTC account, as much as $118,211.37 (that is 12.86252562 BTC) had been received by yesterday and much of it has been taken out as well leaving the account bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh.
Twitter, on its part, had confirmed within hours that it was a 'coordinated social engineering attack' and confirm that hackers "successfully targeted some of our employees with access to internal systems and tools." Twitter, as one of its first measures, blocked the ability to tweet. That is, for a large majority if not all, of the 359,000 verified Twitter accounts—something that is still being restored as the social networks is beefing up security.