A Florida teenager accused of orchestrating one of last summer’s Twitter hacks—this one used celebrity accounts to make more than $100,000 in a cryptocurrency scam—pleaded guilty on Tuesday in exchange for a three-year sentence, it was widely reported.
Authorities said that Graham Ivan Clark, now 18, and two other men used social engineering and other techniques to gain access to internal Twitter systems. They then allegedly used their control to take over what Twitter has said were 130 accounts. A small sampling of the account holders included President Joe Biden, Tesla founder Elon Musk, pop star Kanye West, and philanthropist and Microsoft founder and former CEO and Chairman Bill Gates.
The defendants, prosecutors have alleged, then caused the high-profile accounts—many with millions of followers—to promote scams that promised to double the returns if people deposited bitcoins into attacker-controlled wallets. The scheme generated more than $117,000. The hackers also took over accounts with short usernames, which are highly coveted in a criminal hacking forum circle calling itself OGusers.
According to the Tampa Bay Times, Clark agreed to plead guilty in return for a three-year prison sentence followed by three years’ probation. The agreement allows Clark to be sentenced as a “youthful offender,” a status that allows him to avoid a minimum 10-year sentence he would have received if he was convicted as an adult.
Clark will serve time in a state prison designated for young adults, and he may be eligible to serve some of his sentence in a military-style boot camp. He will also receive the mandatory minimum if he violates terms of his probation.
The plea agreement bars Clark from using computers without permission and supervision from law enforcement. He will have to submit to searches of his property and give up the passwords to any accounts he controls.
A researcher who worked with the FBI on the investigation into the Twitter breach said that the hack was the result of painstaking research Clark and the other two hackers did into Twitter employees. They started by scraping LinkedIn in search of Twitter employees who were likely to have access to account-holder tools. The hackers then used features LinkedIn makes available to job recruiters to obtain the employees’ cell phone numbers and other private contact information.
The attackers called the employees and used the information obtained from LinkedIn and other public sources to convince them they were authorized Twitter personnel. Work-at-home arrangements caused by the COVID-19 pandemic also prevented the employees from using normal procedures such as face-to-face contact to verify the identities of the callers.
“Giving back to the community”
With the trust of the targeted employees, the attackers directed them to a phishing page that mimicked an internal Twitter VPN. The attackers then obtained credentials as the targeted employees entered them. To bypass two-factor authentication protections Twitter has in place, the attackers entered the credentials into the real Twitter VPN portal within seconds of the employees entering their info into the fake one. Once the employee entered the one-time password, the attackers were in.
The hackers then took over celebrity accounts and used them to push a cryptocurrency scam.
“I am giving back to the community,” an account belonging to President Joe Biden soon tweeted. “All Bitcoin sent to the address below will be sent back doubled! If you send $1,000, I will send back $2,000. Only doing this for 30 minutes… Enjoy!”
Similar tweets came from other celebrity accounts.
Clark appeared by video conference at the Tuesday court hearing from the Hillsborough County jail, where he has been held since his arrest. Mason Sheppard, 19, and Nima Fazeli, 22, face federal charges for their alleged role in the Twitter intrusion and cryptocurrency scam.