Today, the U.S. Department of Justice announced the arrest of three individuals associated with the July 15 Twitter hack. Mason Sheppard, aka “Chaewon,” 19, of Bognor Regis, in the United Kingdom, Nima Fazeli, aka “Rolex,” 22, of Orlando, Florida face several charges in the Northern District of California. A third juvenile defendant, known by his pseudonym “Kirk,” the mastermind behind the hack, has been referred by the Justice Department to Andrew Warren, the State Attorney for the 13th Judicial District in Tampa, Florida, where the defendant lives. Andrew Warren's office today filed 30 felony charges against Kirk.
In this blog, we break down how law enforcement used blockchain analysis to investigate the case and how Bitcoin’s transparency made it all possible.
Background on the Twitter hack
Twitter’s investigation revealed that the hacker — Kirk — targeted a small number of Twitter employees through a phone spear phishing attack to gain access to the Twitter admin panel. He used that access to sell “OG Twitter handles,” which are usually short profile names (e.g. @B or @joe). The OG accounts are status symbols in these online communities where such accounts can often fetch thousands of dollars when resold online.
As reported by the New York Times, Kirk sold the handles using OGusers.com, a popular marketplace for buying and selling vanity social media accounts, via intermediaries, including Sheppard, under the username Chaewon, and Fazeli, under the username Rolex. According to the Justice Department’s complaints filed today, Sheppard encouraged OGusers forum users to contact a user known as “ever so anxious” on the Discord chat platform — a user who we now know was Chaewon himself — to buy these vanity accounts, after purchasing one of his own directly from Kirk. A second discord user posting under the username “lol,” also allegedly acted as an intermediary, though this individual remains unidentified as of now.
After selling some Twitter handles, Kirk took over prominent Twitter accounts and launched a Bitcoin scam to more aggressively monetize his access to the Twitter admin panel. While the information on how investigators identified Kirk remains sealed, we show below how blockchain analysis allowed them to identify Chaewon/ever so anxious as Mason Sheppard.
Connecting the dots with blockchain analysis
Chaewon purchased his own vanity username from Kirk, and then brokered similar purchases on behalf of other users. Using Chainalysis Reactor, law enforcement analyzed a series of transfers totaling approximately 3.69 BTC from a wallet with the base address bc1qdme7m3zy450m5gl0w9n2mrh8t8h6448xfzdlvv to a wallet controlled by Kirk. Agents were able to link that wallet to Chaewon/ever so anxious, as the timing of its transfers to Kirk matched the timing of payment requests Kirk made to Chaewon/ever so anxious over Discord. Further analysis revealed several incoming transactions whose timing, amounts, and in some cases, user notes made clear that they represented payment for stolen Twitter accounts from OGusers.com forum users. We’ll now refer to the “bc1qdme…” wallet as the Chaewon wallet throughout this blog.
From there, Chainalysis Reactor shows all of Chaewon wallet’s transaction history, including on-ramps and off-ramps that could reveal Chaewon’s identity. Agents found that the Chaewon wallet transacted heavily with addresses associated with two accounts at Binance. The agents reached out to Binance, who provided records showing that these accounts were controlled by Mason Sheppard, using the email address firstname.lastname@example.org.
The agents were also able to obtain a database of all OGusers.com forum users and their associated activity after the site was hacked and the database was published publicly. This database revealed that the IP address associated with Chaewon’s account was also associated with another OGusers.com account known as Mas. Chaewon also identified himself as the owner of the Mas account in an earlier post. Like the Binance accounts, the Mas account on OGusers.com was also associated with the email address email@example.com. Finally, agents reached out to Coinbase for information on any accounts associated with the email address firstname.lastname@example.org. Coinbase confirmed that these accounts existed, and provided the KYC information associated with the accounts, which included Mason Sheppard’s driver’s license, date of birth, and address. In addition, the hacked database revealed private messages in which Chaewon purchased a video game from another OGusers.com user, paying for the purchase with the Bitcoin address 188ZsdVPv9Rkdiqn4V4V1w6FDQVk7pDf4. Blockchain analysis revealed that the new address had previously received Bitcoin from the Chaewon wallet, further linking the two.
All of this evidence confirmed for law enforcement that Mason Sheppard is the individual behind the Chaewon account who facilitated the sale of twitter handles for Kirk.
Key takeaways from the Twitter hack
The Twitter hack case highlights the need for the industry and government to collaborate on uncovering criminal networks that can cause harm to our society, as well as lessons on social engineering and security for everyone.
- Following the money on the blockchain provides important leads in complex investigations. Mason Sheppard used several different personas to interact with Kirk and other co-conspirators on various platforms, never publicly posting anything that could link him to his real-world identity. However, by analyzing the transactions of the Bitcoin addresses Sheppard posted under his Chaewon and ever so anxious usernames, agents were able to connect his activity to accounts at two cooperative cryptocurrency exchanges — in this case, Coinbase and Binance — who were able to tell the agents that the accounts were controlled by Mason Sheppard. If Sheppard had carried out these transactions in fiat currency, the investigation may have been more difficult, as the transactions wouldn’t have left the same public footprint that Bitcoin transactions do.
- It has never been more important to understand the use of cryptocurrencies and act quickly if abuse is uncovered. As more people move online and social media continues to play an increasingly important role in society, cryptocurrency will become more available to good and bad actors alike. Governments and corporations need tools to investigate and shut down illicit activity.
- Criminals are not anonymous online. This should send a message to criminals who think that they can maintain anonymity online and using cryptocurrencies. It’s particularly saddening to see young people caught up in these criminal networks that extend beyond just social media account trading and into issues of national security.
Want to learn more about how law enforcement used Chainalysis to crack the Twitter hack? Sign up for a demo here to see for yourself — a Chainalysis specialist can walk you through the Reactor graph we show above and answer all your questions.