THREAD: Here’s a quick summary of our blog on how blockchain analysis enabled law enforcement to identify an individual associated with the #TwitterHack who was arrested earlier today.
Background: @TheJusticeDept announced today the arrest of 3 individuals associated with the #TwitterHack - Mason Sheppard, aka “Chaewon,” Nima Fazeli, aka “Rolex,” and a third juvenile defendant known as “Kirk,” the alleged mastermind behind the attack. bit.ly/3fd2hT6
Kirk spear phished Twitter employees to access a Twitter admin panel that enabled him to take over celebrity accounts, which he used to promote a trust trading scam. You can read the details on the scam itself here. bit.ly/2BR84jI
Per @nathanielpopper and @kateconger, before hacking celeb accounts, Kirk used his access to the Twitter admin panel to sell “OG Twitter handles,” meaning short profile names (e.g. @B) that are coveted in some online communities and can be sold for thousands. nyti.ms/3hULOVj
Specifically, Kirk sold handles to users of OGusers.com, a popular forum/marketplace for OG accounts. He sold through intermediaries, including an individual who posted under the name “Chaewon” on OGusers.com and “ever so anxious” on Discord.
How did law enforcement identify Chaewon as Mason Sheppard? Blockchain analysis was crucial. Here’s the Chainalysis Reactor graph we’ll continue referencing that shows Chaewon’s relevant transactions.
First, agents using Chainalysis Reactor analyzed a series of transfers totaling ~3.69 BTC from a wallet with base address bc1qdme7m3zy450m5gl0w9n2mrh8t8h6448xfzdlvv — which we’ll refer to as “Chaewon wallet” — to a wallet controlled by Kirk.
Agents linked that wallet to Chaewon/ever so anxious by matching the timing of those transfers to the timing of pay requests from Kirk to ever so anxious on Discord. Payments to Chaewon wallet were also linked to purchases of stolen Twitter accounts from OGusers.com users.
Agents were then able to trace all of Chaewon wallet’s transaction history. They found that it transacted heavily with two accounts at @Binance. Agents reached out, and Binance provided records showing that Mason Sheppard owned the accounts.
Agents also obtained a database of all OGusers.com users that was published publicly after the site was hacked. The database revealed Chaewon’s IP address was also linked to an account called “Mas,” registered with the email address masonshppy@gmail.com.
The leaked data also revealed another BTC address — 188ZsdVPv9Rkdiqn4V4V1w6FDQVk7pDf4 — that Chaewon used to buy a video game account from another OGusers.com user. That address had transacted with Chaewon wallet previously, further linking the two.
Finally, agents reached out to @coinbase for info on accounts associated with masonshppy@gmail.com. Coinbase confirmed they existed and provided records also indicating Mason Sheppard’s ownership.
All this evidence together confirmed for law enforcement that Mason Sheppard was the individual behind the Chaewon/ever so anxious accounts who facilitated Twitter handle sales for Kirk.
Key takeaway: Blockchain analysis can provide crucial leads in complex investigations. Though Sheppard never posted anything publicly revealing his identity, agents were able to follow his crypto transfers to cooperative exchanges and get the info they needed.
If you’d like to learn more about this investigation and see Chainalysis tools in action for yourself, you can contact us any time. END OF THREAD chainalysis.com/contact-us/