jwz-twitter-opsec.html

<strong>There’s no pwnage like self-pwnage</strong></p><p>Remember when I covered the not-amazing Twitter hack last month and I suggested that maybe<em> </em>whoever did it <a href="https://au.news.yahoo.com/twitter-bitcoin-scam-social-engineering-hack-access-193040357.html" rel="nofollow noopener" target="_blank">just really sucked at crime</a>? Because who would blow up that absolute gold mine of access and information so fast *and* in the light of day. Yep, that.&nbsp;</p><p>So the OPSEC Dumbass Of The Year award goes to… Florida Man. I mean, Florida Boy. Hop on the boat: we’re touring Dipshit Island.</p><p>When Twitter's “hack” happened, thought Leader Infosec Twitter went nuclear rumoring nation-state attacks. Brian Krebs got so hard he doxed the wrong guy. (Again.) But one shared truth across the board was that <a href="https://www.engadget.com/twitter-hack-bitcoin-money-laundering-140031258.html" rel="nofollow noopener" target="_blank">those Bitcoin transactions were going to be traced</a>. I mean, only Senators and extremely dull / probably drunk children still believe that Bitcoin is anonymous. Also? Everyone knows Coinbase is a snitch.</p><p>So. This past weekend 17-year-old <a href="https://www.engadget.com/twitter-hacker-graham-clark-stolen-bitcoin-140234512.html" rel="nofollow noopener" target="_blank">Graham Ivan Clark</a> and <a href="https://www.engadget.com/teenager-arrested-twitter-bitcoin-hack-183302700.html" rel="nofollow noopener" target="_blank">two accomplices</a> got popped — Mason Sheppard (age 19) from the United Kingdom and Nima Fazeli (age 22) from… Florida. The FBI had <a href="https://twitter.com/alfredwkng/status/1289282232322932737" rel="nofollow noopener" target="_blank">snagged a stolen database</a> of the OGUsers forum these brain surgeons lurked on, and that was that. While it's a side note, we must pause and laugh that Fazeli’s anti-OPSEC thievery ‘nym was “Rolex.”&nbsp;</p><p>Also now we know the FBI is using our stolen Equifax data for probably some weird shit.&nbsp;</p><p>Anyway, let's step back for perspective. In a cascading series of unfuckingbelieveable lifelong OPSEC fails, busted Twitter "hacker" Graham David Clark started out as a petty Minecraft scammer whose debut in the major crimes department — an amateur <a href="https://www.npr.org/2019/10/25/773199525/sim-swap-scams-expose-risks-of-using-phones-for-secondary-i-d" rel="nofollow noopener" target="_blank">SIM-swap for Bitcoin theft</a> — got him busted right out of the gate last year.</p><p>Upon getting caught and having the Secret Service seize 100 of his Bitcoins, Clark interpreted it as a sign he should immediately:</p><p><strong>- a)</strong> Deck out his Tampa apartment with overpriced gaming gear, drive a white BMW 3 Series around Florida, while flaunting on Instagram with crap like designer sneakers and a gem-encrusted Rolex, plus;<br>- <strong>b)</strong> Two weeks later start criming on Twitter employees</p><p>Truly Clark is a prize pony when it comes to being the ringleader of any “sophisticated” hack attack. It speaks volumes about his accomplices' risk-assessment skillset. But it also meant that every goddamn time <a href="https://www.nytimes.com/2020/08/02/technology/florida-teenager-twitter-hack.html" rel="nofollow noopener" target="_blank">New York Times called Clark a “mastermind”</a> (along with other outlets that pay reporters upward of NYT’s six figure salaries) I was caught in an endless loop of spit takes that soaked my laptop in coffee *and* my entire apartment in vodka sodas.</p><p>Anyway, I’m sure by the end of the year Graham Ivan Clark will be making seven figures advising Zoom on security.</p>