The Twitter hack that saw attackers use dozens of high-profile accounts to promote a fake bitcoin giveaway could have been orchestrated by a notorious 21-year old SIM Swapper.

According to well-regarded security researcher Brian Krebs, the attack that hijacked the accounts of Amazon CEO Jeff Bezos, presidential candidate Joe Biden, Tesla CEO Elon Musk, billionaire investor Warren Buffett, and crypto exchanges Coinbase and Binance, could have been pulled off by the SIM swapping community.

The first tweet, Krebs describes, came from Binance, and minutes later dozens of other accounts started promoting the fake bitcoin giveaway, which netted over $130,000 to the hackers. Before that happened, however, another account was compromised, and it could be key to uncovering who was behind the security breach.

SIM Swapping and Twitter ‘OG’ Accounts

According to Brian Krebs, the SIM swapping community sees the so-called “OG” social media accounts, short for “Original Gangster” as prizes that can be sold for thousands of dollars on underground markets. Accounts with one or two letters, such as @B, are seen as OG accounts.

On a forum dedicated to account hijacking, a user named “Chaewon” advertised they could change the email of any Twitter account, and provided direct access to accounts for between $2,000 and $3,000. The user posted:

This is NOT a method, you will be given a full refund if for any reason you aren’t given the email/@, however if it is revered/suspended I will not be held accountable.

Before the Binance account tweeted out the fake cryptocurrency giveaway, an OG account was hacked, the @6 account, which belonged to the now-deceased hacker Adrian Lamo, best known for breaking into the New York Times’s network. The account is managed by a long-time friend, a security researcher going by Lucky225.

Lucky225 revealed he received a password confirmation code for the @6 account, which was hacked because the SIM Swapper managed to change the email behind the account and disable its two-factor authentication (2FA). Shortly thereafter another OG account, @b, was hacked and started tweeting images of Twitter’s internal controls panel.

At the same time, the @shinji Twitter account was showing screenshots of Twitter’s internal tools. Minutes later these accounts were terminated, although before they went down they tweeted out “follow @6.”

Archived versions of the Shinji account shows it was claiming ownership of two OG Instagram accounts – “J0e” and “dead.” These accounts, according to an unnamed sources Brian Krebs cited from “one of the largest U.S.-based mobile carries,” belong to notorious SIM swapper who goes by “PlugWalkJoe.”

PlugWalkJoe and ‘High-Dollar Bitcoin Heists’

Krebs detailed the source revealed investigators have been tracking PlugWalkJoe over his involvement in multiple SIM swapping attacks that preceded “high-dollar bitcoin heists.” The individual, the source added, is part of a group of SIM swappers going by “ChucklingSquad” that could have been behind the hack of Twitter CEO Jack Dorsey.

PlugWalkJoe, per investigators, is a 21-year old from Liverpool, U.K. named Joseph James Connor. He is attending university in Spain, and was found after a female investigator managed to get him to agree to a video chat. The video chat showed a distinctive swimming pool in the background, which PlugWalkJoe had published pictures of in his Instagram account.

The Twitter security breach, it’s worth noting, could have seen the fake giveaway be a part of a cover-up to hide “other malicious activity,” according to security experts. The person behind the address that was promoted in the fake bitcoin giveaway could also be being tracked, as it has interacted with Coinbase and BitPay.

Featured image via Pixabay.