A Florida teen accused of orchestrating one of last summer’s Twitter hacks — which used celebrity accounts to make more than $100,000 from a cryptocurrency scam — pleaded guilty Tuesday in exchange for a three-year jail term, it was widely reported.
Authorities said Graham Ivan Clark, now 18, and two other men used social engineering and other techniques to access internal Twitter systems. They then allegedly used their control to take over what Twitter claimed were 130 accounts. A small sampling of account holders included then-Vice President Joe Biden, Tesla founder Elon Musk, pop star Kanye West, and philanthropist, Microsoft founder, and former CEO and chairman Bill Gates.
Being in jail
The defendants, prosecutors alleged, then caused the high-profile accounts — many with millions of followers — to promote scams that promised to double returns if people deposited bitcoins in attacker-controlled wallets. The scheme generated more than $117,000. The hackers also took over accounts with short usernames, which are highly sought after among a criminal hacking forum circle calling itself OGusers.
According to the Tampa Bay Times, Clark agreed to plead guilty in exchange for a three-year prison term followed by three years’ probation. The agreement allows Clark to be convicted as a “juvenile delinquent,” a status that allows him to avoid a minimum 10-year prison term that he would have received had he been convicted as an adult.
Clark will serve his time in a state prison designed for young adults, and he may be eligible to serve part of his sentence in a military boot camp. He will also receive the mandatory minimum if he violates the terms of his probation.
The plea deal prohibits Clark from using computers without law enforcement permission and supervision. He will have to submit to searches of his property and provide the passwords for all the accounts he manages.
An investigator who worked with the FBI to investigate the Twitter breach said the hack was the result of close research by Clark and the other two hackers into Twitter employees. They started by scraping LinkedIn, looking for Twitter employees who would likely have access to account holder tools. The hackers then used features LinkedIn makes available to recruiters to obtain the employees’ cell phone numbers and other personal contact information.
The attackers called the employees and used the information obtained from LinkedIn and other public sources to convince them that they were authorized Twitter personnel. Work-from-home arrangements caused by the COVID-19 pandemic also prevented employees from using normal procedures, such as face-to-face contact, to verify callers’ identities.
“Giving back to the community”
Having gained the confidence of the targeted employees, the attackers directed them to a phishing page that mimicked an internal Twitter VPN. The attackers then obtained credentials when the targeted employees entered them. To bypass Twitter's two-factor authentication protection, the attackers entered the credentials into the real Twitter VPN portal within seconds of the employees entering their information into the fake portal. After the employee entered the one-time password, the attackers were inside.
The hackers then took over celebrity accounts and used them to push a cryptocurrency scam.
“I’m giving back to the community,” a Biden account quickly tweeted. “All Bitcoin sent to the address below will be returned double! If you send $1,000, I’ll send $2,000 back. Just do this for 30 minutes… Enjoy it!”
Similar tweets came from other celebrity accounts.
Clark appeared via videoconference at Tuesday’s court hearing from the Hillsborough County Jail, where he has been held since his arrest. Mason Sheppard, 19, and Nima Fazeli, 22, are facing federal charges for their alleged role in the Twitter break-in and cryptocurrency scam.