For those who suspected that Twitter was hijacked on Thursday by a sophisticated group of hackers or some state-run entity, The New York Times may have ruined expectations, revealing a surprising insight into who, the paper claims, actually stood behind the attack.
According to The Times, the unprecedented steal of multiple blue-ticked accounts, from that of Bill Gates to Joe Biden, was conducted by a group who are hidden behind the nicknames "Kirk", "lol" and "ever so anxious". "lol" is described in the report as a West Coast resident in his 20s, and "ever so anxious" was introduced as a 19-year-old living in England with his mother. The identity and motivation of "Kirk" remains unknown, even to them.
The Times refers to Haseeb Awan, a Californian security researcher, as the one who got the paper in touch with the hackers, as his companies were once attacked by them. When contacted by The NYT, the alleged hackers shared screenshots of their Discord chats and tweets - the ones "Kirk" sent, showing his ability to control Twitter from the inside.
The report cited messages that "Kirk" sent, teasing his counterparts that he "works at Twitter", adding "don’t show this to anyone / seriously".
The Times described the screenshots as "the sort of thing that would require insider access to the company’s computer network".
The young people got to know each other because of a venture they shared selling so-called "OG" Twitter names, which are stylishly laconic, like @y, @6, @dark and so on. They received payments in Bitcoin, with "lol" and "ever so anxious" being middlemen for "Kirk", brokering thousand-dollar deals and sharing the proceeds.
One of their clients, a hacker called PlugWalkJoe, purchased @6 name through "ever so anxious" and was reportedly a "key player in the Twitter intrusion", as security journalist Brian Krebs pointed at him as the mastermind behind the attack.
PlugWalkJoe was reported to be connected with the hacker group ChucklingSquad, that was involved in several cyber crimes conducted through SIM card sweeping - a method that worked both for Bitcoin wallets and Twitter accounts.
“I don’t care,” said Joseph O’Connor, the alter-ego behind PlugWalkJoe, describing himself as a 21-year-old Brit. “They can come arrest me. I would laugh at them. I haven’t done anything.”
He confirmed, however, that he was aware of the attack, and had been informed by other hackers. According to The Times, "Kirk" hacked into Twitter when he "found a way into Twitter’s internal Slack messaging channel and saw them posted there, along with a service that gave him access to the company’s servers".
“we just hit cb [Coinbase]", "Kirk" allegedly wrote to "lol" in Discord, moments after breaking into the company's account.
"ever so anxious", according to The Times, did not take part in the "big hacks", having sent a message to his girlfriend asserting that he had gone offline and gone to sleep at the time of the attack. When he woke up at the end of the "show", he shared his disappointment with "lol".
“i’m not sad more just annoyed. i mean he only made 20 btc,” he said, commenting on $180,000 that were received by "Kirk" after the hack.
"Kirk" himself never again responded to his middlemen, disappearing from the Discord logs, The NYT noted.
The Thursday attack rocked Twitter by hijacking thousands of accounts, including multiple blue-ticked ones, targeting Elon Musk, Bill Gates, Barack Obama, Kanye West, Joe Biden and many others. The scam posts invited users to send money to a bitcoin address, pledging to return it to them doubled.
Reports raised suspicions that a Twitter employee might have been behind the attack, alleging that they were paid to "literally do all the work" for hackers.
Twitter launched an investigation, currently only revealing that they see the incident as "a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools".