Skip to main content
Canada’s most-awarded newsroom for a reason
Enjoy unlimited digital access
$1.99
per week
for 24 weeks
Canada’s most-awarded newsroom for a reason
$1.99
per week
for 24 weeks
// //

A Twitter hacking scheme that targeted political, corporate and cultural elites this week began with a teasing message between two hackers late Tuesday on the online messaging platform Discord.

yoo

bro, wrote a user named “Kirk,” according to a screenshot of the conversation shared with The New York Times.

Story continues below advertisement

i work at twitter

don’t show this to anyone

seriously

He then demonstrated that he could take control of valuable Twitter addresses – the sort of thing that would require insider access to the company’s computer network.

The hacker who received the message, using the screen name “lol,” decided over the next 24 hours that Kirk did not actually work for Twitter because he was too willing to damage the company. But Kirk did have access to Twitter’s most sensitive tools, which allowed him to take control of almost any Twitter address, including those of former President Barack Obama, former Vice President Joe Biden, Elon Musk and many other celebrities.

Despite global attention on the intrusion, which has shaken confidence in Twitter and the security provided by other technology companies, the basic details of who were the people responsible, and how they did it, have been a mystery. Officials are still in the early stages of their investigation.

But four people at the centre of the scheme spoke with The Times and shared numerous logs and screenshots of the conversations they had on Tuesday and Wednesday, demonstrating their involvement both before and after the hack became public.

Story continues below advertisement

The interviews indicate that the attack was not the work of a nation-state or a sophisticated group of hackers. Instead, it was done by a group of young people – one of whom says he lives at home with his mother – who got to know one another because of their obsession with owning early or unusual screen names, particularly one letter or number, like @y or @6.

The Times verified that the four people were connected to the hack by matching their social media and cryptocurrency accounts to accounts that were involved with the events Wednesday. They also presented corroborating evidence of their involvement, like the logs from their conversations on Discord and Twitter.

Playing a central role in the attack was Kirk, who was taking money in and out of the same Bitcoin address as the day went on, according to an analysis of the Bitcoin transactions by The Times, with assistance from the research firm Chainalysis.

But the identity of Kirk, his motivation and whether he shared his access to Twitter with anyone else remain a mystery even to the people who worked with him. It is still unclear how much Kirk used his access to the accounts of people like Biden and Musk to gain more privileged information, like their private conversations on Twitter.

The hacker “lol” and another one he worked with, who went by the screen name “ever so anxious,” told The Times that they wanted to talk about their work with Kirk in order to prove that they had only facilitated the purchases and takeovers of lesser-known Twitter accounts early in the day. They said they had not continued to work with Kirk once he began more high-profile attacks around 3:30 p.m. Eastern time Wednesday.

“I just wanted to tell you my story because i think you might be able to clear some thing up about me and ever so anxious,” “lol” said in a chat on Discord, where he shared all the logs of his conversation with Kirk and proved his ownership of the cryptocurrency accounts he used to transact with Kirk.

Story continues below advertisement

“lol” did not confirm his real-world identity but said he lived on the West Coast and was in his 20s. “ever so anxious” said he was 19 and lived in the south of England with his mother.

Investigators looking into the attacks said several of the details given by the hackers lined up with what they had learned, including Kirk’s involvement both in the big hacks later in the day and the lower-profile attacks early Wednesday.

The Times was initially put in touch with the hackers by a security researcher in California, Haseeb Awan, who was communicating with them because, he said, a number of them had previously targeted him and a Bitcoin-related company he once owned. They also unsuccessfully targeted his current company, Efani, a secure phone provider.

Be smart with your money. Get the latest investing insights delivered right to your inbox three times a week, with the Globe Investor newsletter. Sign up today.

Your Globe

Build your personal news feed

  1. Follow topics and authors relevant to your reading interests.
  2. Check your Following feed daily, and never miss an article. Access your Following feed from your account menu at the top right corner of every page.

Follow topics related to this article:

View more suggestions in Following Read more about following topics and authors
Report an error
Tickers mentioned in this story
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

If you do not see your comment posted immediately, it is being reviewed by the moderation team and may appear shortly, generally within an hour.

We aim to have all comments reviewed in a timely manner.

Comments that violate our community guidelines will not be posted.

UPDATED: Read our community guidelines here

Discussion loading ...

To view this site properly, enable cookies in your browser. Read our privacy policy to learn more.
How to enable cookies