A Florida teenager has been charged with 30 felonies in connection to a Twitter hack on July 15 that impacted such globally prominent individuals as Elon Musk, Barack Obama, Jeff Bezos and Joe Biden.
Graham Ivan Clark, 17, was arrested Friday in Tampa, where the Hillsborough State Attorney’s Office will prosecute him as adult.
Besides Clark, a British man and a Florida man were identified by authorities Friday as the hackers, whose goal reportedly was to scam people around the globe out of more than $100,000 in Bitcoin.
Mason Sheppard, 19, of Bognor Regis, U.K., and Nima Fazeli, 22, of Orlando, were charged in California federal court.
The tweets offered to send $2,000 for every $1,000 sent to an anonymous Bitcoin address.
“There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence,” U.S. Attorney David L. Anderson for the Northern District of California said in a news release. “Today’s charging announcement demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived.”
Although the case against the teen was also investigated by the FBI and the U.S. Department of Justice, Hillsborough State Attorney Andrew Warren explained that his office is prosecuting Clark in Florida state court because Florida law allows minors to be charged as adults in financial fraud cases such as this when appropriate. He added that Clark was the leader of the hacking scam.
“This defendant lives here in Tampa, he committed the crime here, and he’ll be prosecuted here,” Warren said.
Security experts were not surprised that the alleged mastermind of the hack is a 17-year-old, given the relative amateur nature both of the operation and the hackers’ willingness afterward to discuss the hack with reporters online.
“I think this is a great case study showing how technology democratizes the ability to commit serious criminal acts,” said Jake Williams, founder of the cybersecurity firm Rendition Infosec. “I’m not terribly surprised that at least one of the suspects is a minor. There wasn’t a ton of development that went into this attack.”
Williams said the hackers were “extremely sloppy” in how they moved the Bitcoin around.
He also said he was conflicted about whether Clark should be charged as an adult.
“He definitely deserves to pay (for jumping on the opportunity) but potentially serving decades in prison doesn’t seem like justice in this case,” Williams said.
We appreciate the swift actions of law enforcement in this investigation and will continue to cooperate as the case progresses. For our part, we are focused on being transparent and providing updates regularly.— Twitter Comms (@TwitterComms) July 31, 2020
For the latest, see here 👇 https://t.co/kHty8TXaly
Twitter previously said hackers used the phone to fool the social media company’s employees into giving them access. It said hackers targeted “a small number of employees through a phone spear-phishing attack.”
To recap:— Twitter Support (@TwitterSupport) July 23, 2020
🔹130 total accounts targeted by attackers
🔹45 accounts had Tweets sent by attackers
🔹36 accounts had the DM inbox accessed
🔹8 accounts had an archive of “Your Twitter Data” downloaded, none of these are Verified
“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” the company tweeted.
After stealing employee credentials and getting into Twitter's systems, the hackers were able to target other employees who had access to account support tools, the company said.
The hackers targeted 130 accounts. They managed to tweet from 45 accounts, access the direct message inboxes of 36 and download the Twitter data from seven. Dutch anti-Islam lawmaker Geert Wilders has said his inbox was among those accessed.
Internal Revenue Service investigators in Washington were able to identify two of the hackers by analyzing Bitcoin transactions on the blockchain — the ledger where transactions are recorded — including ones the hackers attempted to keep anonymous, federal prosecutors said.
Spear-phishing is a more targeted version of phishing, an impersonation scam that uses email or other electronic communications to deceive recipients into handing over sensitive information.
Twitter said it would provide a more detailed report later “given the ongoing law enforcement investigation.”
Fazeli’s father said Friday he hasn’t been able to talk to his son since Thursday.
“I’m 100% sure my son is innocent,” Mohamad Fazeli said. “He’s a very good person, very honest, very smart and loyal.”
“We are as shocked as everybody else,” he said by phone. “I’m sure this is a mix-up.”
Attempts to reach relatives of the other two weren’t immediately successful. Hillsborough County court records didn’t list an attorney for Clark, and federal court records didn’t list attorneys for Sheppard or Fazeli.
The Associated Press contributed to this report.
About the Author
Credit: Ben Hendren for the Atlanta Journal-Constitution
Credit: John Spink / John.Spink@ajc.com