So in the articles Ive read they mention that admin tool that was used for the account takeovers. They mention that the attacker might've phished credentials of an employee at Twitter and then get access to their internal network. From there they snooped around the network and found this tool.
Is it likely that the 17 y/o being accused mapped out their network and found this tool or did they just hear about it in a hacking forum?
how would someone find a tool like this? I assume they just phish credentials and then login to a VPN. Is it located on a subdomain or something? would they just have to run nmap once on the VPN and see what services are on the servers are running on the internal network?