Everyone probably remembers how more than 50 large Twitter accounts (Musk, Gates, Obama, Apple, etc.) were hacked about 2 weeks ago.


ITKarma picture


Law enforcement officers have detained three suspects - 17-year-old Graham Clark and 22-year-old Nima Fazeli (" Rolex ") from Florida, as well as 19-year-old Mason Sheppard (" Chaewon ") From the UK.


Throughout this story I was interested in how the real characters behind this attack were calculated. More precisely, one character Mason Sheppard with the nickname " Chaewon ".


Prior to the attack on Twitter, user " Chaewon " posted an announcement on the OGUsers forum to sell an email address replacement service. Email for Twitter accounts.


ITKarma picture


Unfortunately for hackers, this forum was hacked on March 31, 2020 (and before that at the end of 2018), and its dump is in the public domain (I wrote about this in Telegram channel ).


This is what the special agent of the US tax service Tigran Gambaryan (Tigran Gambaryan) writes about in his report ( PDF ).


An email address was found in the forum dump for user " Chaewon " mail ( kpopisepic51@gmail.com ) and IP addresses ( 79.66.149.155 and 82.132.236.55 ).


ITKarma picture


User " mmm " ( f77twitter@gmail.com ) is also registered from one of these IPs. Based on our information, the password for this user is " Mason123 ". User " Ghoxl " ( 20fdisciplina@gmail.com ) is on the forum with exactly the same password. By the way, “ Chaewon ” in the Kik messenger has the name “ MasyOGF ”, the same as “ mmm , which both users reported on forum yourself.


And here the oddities begin with the report of the special agent Tigran Gambaryan. He writes about the connection " Chaewon " with a certain user " Mas " ( masonhppy@gmail.com ) at the IP-address on the same forum " OGUsers ". However, there is no " Mas " with the address masonhppy@gmail.com , but there are related " mmm " and " Ghoxl "(see above) and user" mas "( poop987@protonmail.com ).


ITKarma picture


User " Chaewon " did leave a message on the forum with the text "IT IS MAS I AM MAS NOT BRY I AM MAS MAS MAS! @", as the special agent writes. By the way, “BRY” is short for “BRYSON”, user “ Bryson ” has been blocked on this forum for fraud.


If you carefully analyze the forum dump, you can see that on 05/15/2019 the user " mas " changed his name to " Chaewon ", and almost a month later on 06/19/2019 the name " mas "is taken by user" wasdwasd123 ".


Next, the special agent finds the address masonhppy@gmail.com in the " Coinbase " database and sees the first/last name " mason sheppard " there.


The subtlety here is that the masonhppy@gmail.com addresses are neither in the " OGUsers " database (which I already wrote about above), nor in the leakage of user passwords " Coinbase ". This address did not shine in any other password leak that we analyzed (for you to understand we are talking about more than 30 billion passwords, passed through us in several years).


How the address masonhppy@gmail.com appeared in the investigation, I could not determine.


It turns out that the special agent is not saying something in his report.Either he has access to a database that he has no right to disclose (for example, access to the " Coinbase " database in real time for IP searches), or Mason Sheppard was found in a different way (for example, via a request to the British provider " TalkTalk Communications Limited " from whose network the hacker "sat") and for some reason this also cannot be disclosed.


News about information leaks and insiders can always be found on the Telegram channel " Information leaks ".


UPD: After the article was published, I nevertheless discovered that the address masonshppy@gmail.com was lit in another dump " OGUsers " obtained as a result of hacking this forum on 12/26/2018.


If you pay attention, in the report of the special agent this address is written in one place as masonshppy@gmail.com , and in another place as masonhppy@gmail.com . This annoying typo led to the fact that the address was not found in the old dump the first time.


ITKarma picture


User " Mas ", later renamed to " Chaewon " (see above), was originally registered at masonshppy@gmail.com ... Thus, the agent only had to send a request to " Coinbase " to get the rest of the data for the user with this address.

...

Source