Around age 13, the boy bought a series of websites with pornographic names and tried to resell them using his personal address and email, according to domain records.
Around the same time, online forum accounts tied to his email address and home internet protocol address showed up on the website OGusers.com, a site that was the home for the others involved in the Twitter attack, according to two online forensic firms. The site provides a place for hackers to buy and sell coveted “original gangster” user names on social media sites, such as single letter accounts like @a or @6.
The teenager rotated among several aliases tied to his various online accounts, according to intelligence analysis done by the firm Intel471. The messages from the accounts included profanities, anti-Semitic remarks and homophobic comments. At one point, the teenager complained about losing around $200,000 on a Bitcoin gambling site. He also offered to sell a user name for $3,000 in Bitcoin, according to messages from the forum that were later leaked.
“IF your broke and can’t afford or dont think thats a good price JUST DONT EVEN MESSAGE ME!” he wrote in late 2018.
He later linked up with Mr. Clark online and they began working together, people involved in the investigation said. Their early work, hackers said and investigators confirmed, was on so-called SIM swaps, a hacking method that is often used to steal social media accounts and cryptocurrency.
Late last year and early this year, hackers and investigators said, the teenager was part of a group that got inside the site GoDaddy, a company that sells and secures website names. The hackers were able to access and change customer records. GoDaddy confirmed the hack in a letter to customers.
In May, the Massachusetts teenager and Mr. Clark began tricking Twitter employees to give up their logins, leading to the July 15 hack. The boys, using the alias Kirk, began selling valuable Twitter user names to customers.