Florida teen arrested as mastermind of Twitter hack
A Florida teen was identified Friday as the
mastermind of a scheme earlier this month that commandeered Twitter accounts of
prominent politicians, celebrities and technology moguls and scammed people around
the globe out of more than $100,000 in Bitcoin. Two other men were also charged
in the case.
Graham Ivan Clark, 17, was arrested Friday in Tampa,
where the Hillsborough State Attorney’s Office will prosecute him as an adult.
He faces 30 felony charges, according to a news release.
Two men accused of benefiting from the hack — Mason
Sheppard, 19, of Bognor Regis, U.K., and Nima Fazeli, 22, of Orlando — were
charged separately in California federal court.
In one of the most high-profile security breaches in
recent years, bogus tweets were sent out on July 15 from the accounts of Barack
Obama, Joe Biden, Mike Bloomberg and a number of tech billionaires including
Amazon CEO Jeff Bezos, Microsoft co-founder Bill Gates and Tesla CEO Elon Musk.
Celebrities Kanye West and his wife, Kim Kardashian West, were also hacked.
The tweets offered to send $2,000 for every $1,000
sent to an anonymous Bitcoin address. The hack alarmed security experts because
of the grave potential of such an intrusion for creating geopolitical mayhem
with disinformation.
Court papers in the California cases say Fazeli and
Sheppard brokered the sale of Twitter accounts stolen by a hacker who
identified himself as “Kirk” and said he could “reset, swap and control any
Twitter account at will” in exchange for cybercurrency payments, claiming to be
a Twitter employee.
The documents do not specify Kirk’s real identity
but say he is a teen being prosecuted in the Tampa area.
Twitter has said the hacker gained access to a company
dashboard that manages accounts by using social engineering and spear-phishing
smartphones to obtain credentials from “a small number” of Twitter employees
“to gain access to our internal systems.” Spear-phishing uses email or other
messaging to deceive people into sharing access credentials.
“There is a false belief within the criminal hacker
community that attacks like the Twitter hack can be perpetrated anonymously and
without consequence,” U.S. Attorney David L. Anderson for the Northern District
of California said in a news release.
The evidence suggests, however, that those
responsible did a poor job indeed of covering their tracks. The court documents
released Friday show how federal agents tracked down the hackers through
Bitcoin transactions and by obtaining records of their online chats.
Although the case was investigated by the FBI and
the U.S. Department of Justice, Hillsborough State Attorney Andrew Warren said
his office is prosecuting Clark in state court because Florida law allows
minors to be charged as adults in financial fraud cases when appropriate. He
called Clark the leader of the hacking scam.
“This defendant lives here in Tampa, he committed
the crime here, and he’ll be prosecuted here,” Warren said.
Security experts were not surprised that the alleged
mastermind is a 17-year-old, given the relatively amateurish nature of both the
operation and how participants discussed it with New York Times reporters
afterward.
“This is a great case study showing how technology
democratizes the ability to commit serious criminal acts,” said Jake Williams,
founder of the cybersecurity firm Rendition Infosec. “There wasn’t a ton of
development that went into this attack.”
Williams said the hackers were “extremely sloppy” in
how they moved the Bitcoin around. It did not appear they used any services
that make cryptocurrency difficult to trace by “tumbling” transactions of
multiple users, a technique akin to money laundering, he said.
He also said he was conflicted about whether Clark
should be charged as an adult.
“He definitely deserves to pay (for jumping on the
opportunity) but potentially serving decades in prison doesn’t seem like
justice in this case,” Williams said.
The hack targeted 130 accounts with tweets being
sent from 45 accounts, obtained access to the direct message inboxes of 36, and
downloaded Twitter data from seven. Dutch anti-Islam lawmaker Geert Wilders has
said his inbox was among those accessed.
Court papers suggest Fazeli and Sheppard got
involved in the scheme after Clark dangled the possibility of obtaining
so-called OG Twitter handles, short account names that due to their brevity are
highly prized and considered status symbols in a certain milieu. They said
Sheppard purchased @anxious and Faceli wanted @foreign.
Internal Revenue Service investigators in
Washington, D.C., identified two of the defendants by analyzing Bitcoin
transactions on the blockchain — the universal ledger that records Bitcoin
transactions — that they had sought to make anonymous, federal prosecutors
said.
Marcus Hutchins, the 26-year-old British cybersecurity
expert credited with helping stop the WannaCry computer virus in 2017, said the
skillset involved in the actual hack was nothing special.
“I think people underestimate the level of
experience needed to pull off these kinds of hacks. They may sound extremely
sophisticated, but the techniques can be replicated by teens,” added Hutchins,
who pleaded guilty last year to creating malware designed to steal banking
information and just completed a year’s supervised release.
British cybersecurity analyst Graham Cluley said his
guess was that the targeted Twitter employees got a message to call what they
thought was an authorized help desk and were persuaded by the hacker to provide
their credentials. It’s also possible the hackers got a call from the company’s
legitimate help line by spoofing the number, he said.
“I’m 100%
sure my son is innocent,” Mohamad Fazeli said. “He’s a very good person, very
honest, very smart and loyal.”
“We are as shocked as everybody else,” he said by
phone. “I’m sure this is a mix up.”
Attempts to reach relatives of the other two weren’t
immediately successful. Hillsborough County court records didn’t list an
attorney for Clark, and federal court records didn’t list attorneys for
Sheppard or Fazeli.
