Graham Ivan Clark, 17, has been identified as the mastermind of a scheme that dominated prominent Twitter accounts and deceived people
A Florida teenager was identified on Friday as the brain of a scam that dominated Twitter accounts of leading politicians, celebrities and tech moguls and tricked people around the world with more than $ 100,000 in Bitcoin. Two other men were also charged in the case.
Graham Ivan Clark, 17, was arrested on Friday in Tampa, where the Hillsborough district attorney will sue him as an adult. He faces 30 criminal charges, according to a press release.
Two men accused of benefiting from the hack – Mason Sheppard, 19, from Bognor Regis, UK, and Nima Fazeli, 22, from Orlando – were separately charged in California's federal court.
In one of the most well-known security breaches in recent years, on July 15, fake tweets were sent from the accounts of Barack Obama, Joe Biden, Mike Bloomberg and several tech billionaires, including Amazon CEO Jeff Bezos, a co-founder of Microsoft. Bill Gates and Tesla CEO Elon Musk. Celebrities Kanye West and his wife, Kim Kardashian West, were also hacked.
The tweets offered to send $ 2,000 for every $ 1,000 sent to an anonymous Bitcoin address. The hack alarmed security experts because of the serious potential of such an intrusion to create geopolitical disorder with misinformation.
Court documents in California cases say Fazeli and Sheppard brokered the sale of stolen Twitter accounts by a hacker who identified himself as "Kirk" and said he could "redefine, exchange and control any Twitter account at will" in exchange for cybercurrent payments, claiming to be a Twitter employee.
The documents do not specify Kirk's real identity, but say he is a prosecuted teenager in the Tampa area.
Twitter said the hacker gained access to a company panel that manages accounts using social engineering and spearfishing smartphones to obtain credentials from "a small number" of Twitter employees "to gain access to our internal systems". Spear-phishing uses email or other messages to trick people into sharing access credentials.
"There is a false belief in the criminal hacking community that attacks like the Twitter hack can be carried out anonymously and without consequences," US attorney David L. Anderson of the Northern California District said in a press release.
The evidence suggests, however, that those responsible did a terrible job of covering up their tracks. Court documents released on Friday show how federal agents tracked hackers through transactions with Bitcoin and obtaining records of their online chats.
Although the case was investigated by the FBI and the US Department of Justice, Hillsborough State Attorney Andrew Warren said his office is suing Clark in a state court because Florida law allows minors to be charged with adults in cases of financial fraud, where appropriate. He called Clark the leader of the hacking scheme.
"This defendant lives here in Tampa, he committed the crime here and will be prosecuted here," said Warren.
Security experts were not surprised that the alleged intellectual author is 17 years old, given the relatively amateur nature of the operation and how participants discussed it with New York Times reporters later.
"This is a great case study, showing how technology democratizes the ability to commit serious criminal acts," said Jake Williams, founder of cybersecurity company Rendition Infosec. "There was not much development involved in that attack."
Williams said hackers were "extremely sloppy" in the way they moved Bitcoin. They do not appear to use services that make it difficult to track cryptocurrencies by "transacting" multi-user transactions, a technique similar to money laundering, he said.
He also said he was in conflict over whether Clark should be charged as an adult.
"He definitely deserves to pay (for taking the opportunity), but potentially serving decades in prison doesn't seem like justice in this case," said Williams.
The hack was targeted at 130 accounts with tweets sent from 45, gained access to direct mail boxes from 36 and downloaded Twitter data from seven. Dutch anti-Islamic lawmaker Geert Wilders said his inbox was among those accessed.
Court documents suggest that Fazeli and Sheppard became involved in the scheme after Clark changed the possibility of obtaining so-called OG identifiers on Twitter, short account names that, due to their brevity, are highly valued and considered status symbols in a given environment. They said Sheppard bought @anxious and Fazeli wanted @foreign.
Investigators at the Internal Revenue Service in Washington DC identified two of the defendants analyzing the Bitcoin transactions on the blockchain – the universal reason that records the Bitcoin transactions – that they sought to make anonymous, federal prosecutors said.
Marcus Hutchins, a 26-year-old British cybersecurity expert who helped stop the WannaCry computer virus in 2017, said the skill set involved in the actual hack was nothing special.
“I think people underestimate the level of experience needed to carry out these types of hacks. They can look extremely sophisticated, but the techniques can be replicated by teenagers, ”added Hutchins, who pleaded guilty last year for creating malware designed to steal banking information and has just completed a year's supervised release.
British cybersecurity analyst Graham Cluley said his guess is that Twitter employees received a message to call what they thought was authorized technical support and were persuaded by the hacker to provide their credentials. It is also possible that hackers received a call from the company's legitimate helpline forging the number, he said.
Fazeli's father said on Friday that he has not been able to talk to his son since Thursday.
"I am 100% sure that my son is innocent," said Mohamad Fazeli. "He is a very good person, very honest, very intelligent and loyal".
"We are as shocked as everyone else," he said by phone. "I'm sure this is a mess."
Attempts to find relatives of the other two were not immediately successful. Hillsborough County court records did not list a lawyer for Clark, and federal court records did not list lawyers for Sheppard or Fazeli.
Find the latest and future technology gadgets online at Tech2 gadgets. Get tech news, reviews, and gadget ratings. Popular gadgets, including laptop, tablet and mobile specs, features, pricing and comparison.