Four suspects charged for roles in Twitter hack, Bitcoin scam

Four suspects were charged today for their supposed involvement in this month's Twitter hack according to press releases from the Department of Justice and State Attorney Andrew H. Warren.

17-year-old Graham Ivan Clark from Tampa, Florida, the first suspect and the one who orchestrated the hack, was arrested earlier today and charged as an adult after an operation coordinated by the FBI, the IRS, and the Secret Service as reported by WFLA.

"I want to congratulate our federal law enforcement partners, the US Attorney’s Office for the Northern District of California, the FBI, the IRS, the US Secret Service, and the Florida Department of Law enforcement. These partners worked extremely quickly to investigate and identify the perpetrators of this sophisticated and extensive fraud," State Attorney Warren said in a video news conference from today.

"This defendant lives here in Tampa, he committed the crimes here, and he’ll be prosecuted here," Warren added. "The State Attorney's Office is handling this prosecution rather than federal prosecutors because Florida law allows for us greater flexibility to charge a minor as an adult in a financial fraud case like this."

According to Warren, Clark gained access to Twitter accounts and internal support tools by compromising a Twitter employee. He then sold access to those accounts and, later, used the Twitter accounts of companies, politicians, executives, and celebrities he took over to run a Bitcoin scam on the social network's platform.

Hijacked Twitter accounts used to push the Bitcoin scam

The other three individuals indicted today are 19-year-old Mason Sheppard (Chaewon) from Bognor Regis, United Kingdom, 22-year-old Nima Fazeli (Rolex) from Orlando, Florida, and an unnamed juvenile whose identity is protected by the federal court.

Sheppard is facing a maximum penalty of 45 years of imprisonment after being charged with conspiracy to commit wire fraud and money laundering, and for intentionally accessing a protected computer, while Fazeli faces a maximum penalty of 5 years of imprisonment for aiding and abetting the intentional access of a protected computer.

Sheppard and Fazeli were charged in criminal complaints unsealed earlier today in federal court in San Francisco, California, and available here and here.

"There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence," US Attorney David L. Anderson said. "Today’s charging announcement demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived."

The Twitter hack

Twitter said today that the attackers behind this month's hack took control of high-profile accounts after stealing Twitter employees' credentials following a phone spear phishing attack on July 15, 2020. 

Using credentials of Twitter employees with access to internal support tools, they targeted a total of 130 high-profile accounts, tweeting Bitcoin scam messages from 45 of them, accessing the direct messages of 36 (including the inbox of Dutch Member of House of Representatives Geert Wilders), and eventually downloading the Twitter Data for 7 accounts.

By obtaining employee credentials, they were able to target specific employees who had access to our account support tools. They then targeted 130 Twitter accounts - Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.

They used the hijacked accounts to push a Bitcoin scam to the accounts' followers which filled their crypto-wallets with roughly $120,000 worth of bitcoins.

According to a Reuters report, more than 1,000 Twitter employees and contractors had access to the company's internal support tools before the defendants' attack.

Twitter also said that it found no evidence that the scammers gained access to the hijacked accounts' passwords and that they will not be reset.

However, for 45 of these accounts, the attackers were able to reset passwords and then log into the accounts to send their scam messages.