How my awesome twitter username was stolen by a gang of teenagers for money and sex PART II

Yesterday (Saturday, September 29, 2012) my Twitter was hacked, and my username was stolen. I had a chat with a kid who is part of a ring of hackers — I use the term "ring" in its loosest sense — who are responsible for stealing my beloved username "blanket."


  1. Read Part ONE of this saga here.
    What I learned from "Moon" — @moonsellsOGs — the 14 year old from South Dakota involved in the practice of Twitter account jacking/black marketing was surprising. Here are the details from our chat.
  2. 4:49:17 Jones: Hey, you are MoonSellsOGs?

    4:49:46  Moon : yep

    4:50:39 Jones: cool if i ask you a few questions?

    4:50:56  Moon : go ahead

    4:51:21 Jones: not a cracker, not sure how this works — what does OG actually mean?

    4:51:39  Moon : original

  3. OGs are what they call the high-value, short Twitter handles that these jackers trade around.
  4. 4:52:00 Jones: how long have you been jacking/trading ogs?

    4:52:05  Moon : 2 weeks

    4:52:22 Jones: how much do they sell for usually

    4:52:37 Jones: and about how many have you jacked/traded?

    4:52:44  Moon : depends, if its a 2 character it could sell for up to $200

    4:52:53  Moon : if its a bad like 10 letter that isn't very good it could go for $5

  5. 4:53:43 Jones: do you do them by request? like if i told you a name i wanted could you get it?

    4:54:03  Moon : maybe, i could try, i usually just get random ones and sell them

  6. So just how do they hack/jack/crack Twitter passwords I wonder?
  7. 4:54:30 Jones: what makes a name easy to jack? a vulnerable password?

    4:55:15  Moon : yes

    4:55:47 Jones: do you rely on lists of other passwords, like the linkedin hack? or do you randomize passwords? how does the cracker work?

    4:56:17  Moon : i have several custom pw lists that i've made myself

  8. 4:57:46 Jones: what were u doing before u were jacking usernames?

    4:58:11  Moon : jacking usernames on twitter is the only kind of hacking i've done before

    4:58:36 Jones: so where did you pick this up?

    4:59:04  Moon : i've always been interested in hacking but never been able to do it, i always would get random youtube accounts from my friends who were hackers

    4:59:25 Jones: are you in High school? college?

    4:59:32  Moon : high school

  9. Yeah, fits the narrative of young "kid" hackers here. Don't know if I buy that this is the first time he's done anything like this.
  10. 5:00:19 Jones: does twitter ever try to take the usernames back?

    5:00:53  Moon : not usually, most usernames that i jack are inactive.

    5:00:59  Moon : and yes, some have gotten suspended

    5:01:26 Jones: you sell these - how do people pay? paypal?

    5:01:33  Moon : paypal and liberty reserve

    5:01:47 Jones: and how do you "hand over" the acct name?

    5:02:12  Moon : i usually have trusted people middle man the account, which means they are pretty much doing the deal.

  11. By this point I'm wondering about the morality of cracking twitter passwords. Where is he coming from?
  12. 5:04:06 Jones: Would you ever re-jack a user account you just sold?

    5:04:16  Moon : no.

    5:04:23 Jones: why?

    5:04:43  Moon : because i dont want to get a bad reputation and i want to continue to sell these

    5:05:11 Jones: but you could probably jack and resell under a different name, right?

    5:05:43  Moon : yes i could, but i dont

    5:06:15 Jones: have you ever been contacted by someone whose handle you jacked?

    5:06:24  Moon : yes,

    5:06:41 Jones: how do they find you?

    5:07:17  Moon : they could mention their old account

    5:07:27  Moon : and most of the time i put my main twitter in the bio

    5:07:41 Jones: what do you do when they contact you?

    5:08:10  Moon : usually just ignore them. i know they wont get it back

    5:08:47 Jones: do they ever buy it back from you?

    5:09:02  Moon : no.

  13. Okay, if a kid can crack a Twitter password with only 2 weeks' experience as a hacker, there must be something wrong with how Twitter's log-ins work compared to other sites that have adopted security measures. Moon tells me:
  14. 5:10:17 Jones: Back to the password list. Doesn't Twitter have an autoblock if you try to run passwords too many times?

    5:11:22  Moon : not with this program, it runs it through a proxy list of different ip's

    5:13:08 Jones: do you ever work with other types of accounts?

    5:13:18 Jones: Like Facebook, YouTube

    5:14:03  Moon : i used to work with youtube accounts

    5:14:11 Jones: and then?

    5:14:23  Moon : what do you mean?

    5:14:36 Jones: like why don't you do youtube work anymore?

    5:14:44  Moon : youtube is insanely difficult

    5:15:08 Jones: what would twitter have to do to be harder/impossible to crack?

    5:15:33  Moon : you mean youtube?

    5:16:07 Jones: No, twitter - since twitter is easier than youtube - what would twitter have to do to make it as hard to crack as youtube

    5:16:38  Moon : they would have to redo their captcha system, youtube uses a more complex one,

    5:16:49  Moon : that filters by account, unlike twitter which filters by ip

    5:17:32 Jones: makes sense

  15. How big is this ring of twitter crackers? Am I one tiny victim of a cabal of 4chan forum users who seek to bring down major financial firms and government websites?
  16. 5:20:50 Jones: do you have a lot of friends who do this too? Do you trade around names?

    5:21:07  Moon : i have about 3 friends and usually we dont trade names

    5:23:23 Jones: how many have you sold today?

    5:23:35  Moon : i think 5

  17. I ask "Moon" a few more questions, including about his age (14) and location (South Dakota). And then I get to the line of questions that could be more sensitive.
  18. 5:34:18 Jones: what would you say to someone who thought what you are doing is wrong?

    5:34:51  Moon : I don't enjoy taking active accounts, I take users accounts who are inactive, I do not try to harm people.

    5:36:15 Jones: but you have taken active accounts right? you said people have contacted you about their usernames

    5:36:25  Moon : only 1

    5:37:46 Jones: but you are actually hacking into accounts that belong to people even if they are inactive. That could be considered illegal because it violates terms of service

    5:38:43 Jones: What would you say to someone who says that it's wrong?

    5:39:34  Moon : to be honest, i probably wouldn't know how to respond,

    5:42:56 Jones: it seems like you are exploiting a weakness in twitter, something they should be more aware of

    5:43:29 Jones: if they made a fix that made jacking impossible, would you be disappointed?

    5:44:09  Moon : well, i wouldn't be making around $100 a day like i am currently, which would disappoint me a bit, but eventually you know i would learn to deal with it and probably make my money legitly from youtube partnerships

    5:45:46 Jones: so youtube partnerships are more profitable?

    5:46:34  Moon : most likely not but its a legit money source so i wont have to feel as bad about it

    5:47:33 Jones: would you feel comfortable telling friends IRL and parents you're doing this (do you already?)

    5:48:22  Moon : i would most likely not tell irl friends, same for parents, my parents would find this wrong, my father knows several languages of coding and knows i've been interested in this

    5:48:31  Moon : i know he would not like that i am doing this

    5:49:14 Jones: That's a lot of $$. hard to pass up. I feel for you.

    5:49:29 Jones: What do you do with the cash?

    5:50:01  Moon : so far nothing, i have about $300 in my paypal. dont have anything to spend it on so i guess i'll just keep it.

    5:50:58 Jones: do you worry that you might get caught by someone?

    5:51:27  Moon : yes that is always a small worry of mine, well for most hackers it is,

  19. I have to say, Moon seems down to Earth, as much as a (probably) teenager can be. Not malicious, simply exploiting vulnerabilities. I still shake my head at how a kid would come to feel comfortable with this behavior, ethically. I mean exploiting security vulnerabilities on a microblogging site to make chump change? There would be more money to be made at legit jobs given the time invested, even at minimum wage. And he knows better.
    But still he stops short of being a troll doing this for "lolz."
    More soon.
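
The chat's one technical claim is that login throttling keyed on the source IP is sidestepped when the guesses arrive through a proxy list, while throttling keyed on the account is not. The sketch below is an added example, not code from this post or from Twitter: it runs both counting policies over constructed login events. The window, threshold, account names and addresses are all assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # assumed sliding window
MAX_FAILURES = 5       # assumed failures tolerated per key inside the window

def build_sample_events():
    """Constructed sample data: (unix_time, account, source_ip, success)."""
    events = []
    # 12 failed logins against one account, each from a different address
    for i in range(12):
        events.append((1000 + i * 20, "example_handle", f"198.51.100.{i + 1}", False))
    # an ordinary user mistyping twice, then succeeding, from one address
    events += [(1100, "alice", "203.0.113.7", False),
               (1110, "alice", "203.0.113.7", False),
               (1120, "alice", "203.0.113.7", True)]
    return sorted(events)

def throttled_keys(events, key_index):
    """Keys (account=1 or IP=2) whose failures exceed MAX_FAILURES in the window."""
    recent = defaultdict(deque)
    flagged = set()
    for event in events:
        ts, success, key = event[0], event[3], event[key_index]
        if success:
            continue                      # only failed attempts are counted
        window = recent[key]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:
            window.popleft()              # drop failures older than the window
        if len(window) > MAX_FAILURES:
            flagged.add(key)
    return flagged

def distinct_failure_sources(events, account):
    """How many different addresses produced failed logins for one account."""
    return len({ip for _, acct, ip, ok in events if acct == account and not ok})

def compare_policies(events):
    return {"per_ip": throttled_keys(events, 2),
            "per_account": throttled_keys(events, 1)}

if __name__ == "__main__":
    sample = build_sample_events()
    result = compare_policies(sample)
    print("flagged by per-IP counting:     ", sorted(result["per_ip"]))
    print("flagged by per-account counting:", sorted(result["per_account"]))
    print("distinct sources for example_handle:",
          distinct_failure_sources(sample, "example_handle"))
```

Per-IP counting flags nothing here because no single address fails more than twice, while per-account counting flags the targeted handle; the distinct-source count is the extra signal that separates distributed guessing from one user mistyping a password.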