Florida teenager, 17, is charged over massive Twitter hack

Graham Ivan Clark, 17, was arrested on Friday morning in Tampa

Three people have been arrested and charged in a massive Twitter breach earlier this month that affected dozens of high-profile users.

Graham Ivan Clark, 17, was arrested on Friday morning in Tampa, Florida after a federal investigation zeroed in on him.

He faces 30 felony charges that will be prosecuted in state court.

The Hillsborough State Attorney’s Office called Clark the ‘mastermind’ of the July 15 breach, which saw famous Twitter accounts hijacked and used to plead for donations of bitcoin to a wallet controlled by the attacker.

Authorities say that the hackers behind the attack netted more than $100,000 in bitcoin through the illegal scheme. 

Also on Friday, federal prosecutors announced charges against two alleged co-conspirators: Mason ‘Chaewon’ Sheppard, 19, of Bognor Regis in the United Kingdom, and Nima ‘Rolex’ Fazeli, 22, of Orlando, Florida. 

Former US president Barack Obama, the most followed account on Twitter, was among the high-profile targets used to carry out the bitcoin scam

Sheppard is charged with conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer.

Fazeli is charged with aiding and abetting the intentional access of a protected computer. 

According to the criminal complaints, Sheppard, aka Chaewon, also used the moniker ‘ever so anxious,’ the user name of a participant in the breach who told the New York Times he lives in the south of England with his mother. 

It was not immediately clear whether prosecutors believe Clark was the mysterious hacker ‘Kirk’ who initially offered to take over Twitter accounts for a fee using middlemen on a gamer forum, or whether they suspect he was higher up the chain, with ‘Kirk’ working as yet another middleman. 

Chat logs obtained by the IRS criminal investigative division showed discussions that ‘Rolex’ (Fazeli) and ‘ever so anxious’ (Sheppard) had with the shadowy ringleader ‘Kirk.’ 

In the chats, ‘Kirk’ claims to work at Twitter, and offers to take over any username for a fee. The original scam of selling stolen usernames appears to have evolved into the full-scale hijacking of high-profile accounts. 

Another participant, known by the moniker ‘lol’, was also mentioned in the charging documents, but was not identified by name. The complaints also refer to an unnamed juvenile suspect. 

Chat logs obtained by investigators show 'Kirk' and 'Rolex' discussing the plan

The duo conspired to sell stolen Twitter handles, but the attack escalate

‘There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence,’ said U.S. Attorney David L. Anderson for the Northern District of California.

‘Today’s charging announcement demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived,’ Anderson said. 

Although the investigation was led by the FBI and involves federal crimes, Clark will be prosecuted locally because Florida law allows minors to be charged as adults in financial fraud cases, when appropriate. 

‘This ‘Bit-Con’ was designed to steal money from regular Americans all over the country, including right here in Florida,’ said Hillsborough State Attorney Andrew Warren. ‘This massive fraud was orchestrated right here in our backyard, and we will not stand for that.’  

‘This defendant lives here in Tampa, he committed the crime here, and he’ll be prosecuted here,’ Warren said. 

Hillsborough County Jail records show Clark was booked shortly after 6.30am on Friday

Hillsborough County Jail records show Clark was booked into jail shortly after 6.30am on Friday. 

His home address is in a quiet suburb on the edge of the Northdale Golf & Tennis Club in northwest Tampa, within the school district of Gaither High School.

Clark had reportedly graduated from high school recently, though it was unclear from which school. 

Twitter says hackers ‘manipulated’ employees to access 130 accounts 

Twitter said last week that hackers ‘manipulated’ some of its employees to access accounts.

More than $100,000 worth of the virtual currency was sent to email addresses mentioned in the tweets, according to Blockchain.com, which monitors crypto transactions.

‘We know that they accessed tools only available to our internal support teams to target 130 Twitter accounts,’ said a statement posted on Twitter’s blog.

For 45 of those accounts, the hackers were able to reset passwords, log in and send tweets, it added, while the personal data of up to eight unverified users was downloaded.

Twitter locked down affected accounts and removed the fraudulent tweets. It also shut off accounts not affected by the hack as a precaution.

‘Working together, we will hold this defendant accountable,’ Warren said. ‘Scamming people out of their hard-earned money is always wrong.’

‘Whether you’re taking advantage of someone in person or on the internet, trying to steal their cash or their cryptocurrency—it’s fraud, it’s illegal, and you won’t get away with it,’ he said. 

Participating in the investigation were the US Attorney’s Office for the Northern District of California, the FBI, the IRS, the Secret Service and the Florida Department of Law Enforcement.

Twitter says the hackers responsible for the breach fooled the social media company’s employees into giving them high-level administrative credentials using a phone scam.

The company has revealed a few more details about the hack earlier this month, which it said targeted ‘a small number of employees through a phone spear-phishing attack’.

‘This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,’ the company tweeted.

The embarrassing July 15 attack compromised the accounts of some of its most high-profile users, including Tesla CEO Elon Musk and celebrities Kanye West and his wife, Kim Kardashian West, in an apparent attempt to lure their followers into sending money to an anonymous bitcoin account.

The tweets falsely offered to send $2,000 for every $1,000 sent to the anonymous bitcoin address. 

After stealing employee credentials and getting into Twitter’s systems, the hackers were able to target other employees who had access to account support tools, the company said.

The hackers targeted 130 accounts. They managed to tweet from 45 accounts, access the direct message inboxes of 36, and download the Twitter data from seven. Dutch anti-Islam MP Geert Wilders has said his inbox was among those accessed.

Spear-phishing is a more targeted version of phishing, an impersonation scam that uses email or other electronic communications to deceive recipients into handing over sensitive information.

Twitter said it would provide a more detailed report later ‘given the ongoing law enforcement investigation.’

The company has previously said the incident was a ‘co-ordinated social engineering attack’ that targeted some of its employees with access to internal systems and tools. 

It did not provide any more information about how the attack was carried out, but the details released so far suggest the hackers started by using the old-fashioned method of talking their way past security.

British cybersecurity analyst Graham Cluley said his guess was that a targeted Twitter employee or contractor received a message by phone asking them to call a number.

‘When the worker called the number they might have been taken to a convincing (but fake) helpdesk operator, who was then able to use social engineering techniques to trick the intended victim into handing over their credentials,’ Cluley wrote on his blog on Friday.

It is also possible the hackers pretended to call from the company’s legitimate help line by spoofing the number, he said. 
