Early on July 31st, the FBI, IRS, US Secret Service, and Florida law enforcement placed 17-year-old Graham Clark of Tampa, Florida, under arrest. He’s accused of being the “mastermind” behind the biggest security and privacy breach in Twitter’s history, one that took over the accounts of President Barack Obama, Democratic presidential candidate Joe Biden, Bill Gates, Elon Musk, Kanye West, Apple, and more to perpetrate a huge bitcoin scam on July 15th.
Apparently, he wasn’t alone: shortly after the Tampa arrest was revealed and after we published this story, two more individuals were formally charged by the US Department of Justice: 22-year-old Nima Fazeli in Orlando and 19-year-old Mason Sheppard in the UK. They go by the hacker aliases “Rolex” and “Chaewon,” respectively, according to the DOJ. The FBI says that two individuals in total are in custody. An unidentified minor in California also admitted to federal agents that they’d helped Chaewon sell access to Twitter accounts.
But according to an affidavit released late Friday, authorities have probable cause to believe Clark, the Tampa teen, was the one who got access to Twitter’s internal tools and directly carried out the scam. Specifically, he allegedly convinced a Twitter employee that he worked in the Twitter IT department and tricked that employee into giving him the credentials.
From the affidavit:
To wit: Clark without authorization gain [sic] access to Twitter Inc.’s Customer Service Portal. Clark used social engineering to convince a Twitter employee that he was a co-worker in the IT department and had the employee provide credentials to access the customer service portal.
Clark then accessed the Twitter accounts of prominent individuals, including VP Joe Biden, former President Barack Obama and business [sic] such as Apple and Coinbase. Clark then posted on their Twitter accounts a communication that if Bitcoins are sent to accounts they will be doubled and returned to the victim. Clark did not return the funds and he moved the funds to another account. 10 prominent people had their personal identification information in the form of a verifide [sic] Twitter Account use without consent be used [sic] in the fraudulent activity. Clark received approximately $117,000 during the commission of his scheme to defraud.
How Twitter’s systems were accessed had been an open question until now; Twitter merely said that it fell victim to a “phone spear phishing attack”, and previous reports suggested the hacker either found their way into Twitter’s internal Slack channel or managed to bribe an employee.
According to federal agents, Sheppard was found out partly because he used a personal driver’s license to verify himself with the Binance and Coinbase cryptocurrency exchanges, and his accounts were found to have sent and received some of the scammed bitcoin. Fazeli also used a driver’s license to verify with Coinbase, where accounts controlled by “Rolex” allegedly received payments in exchange for stolen Twitter usernames.
Fazeli is facing five years in prison and a $250,000 fine for one count of computer intrusion. Sheppard is being charged with computer intrusion, wire fraud conspiracy, and money laundering conspiracy, the most serious of which comes with a 20-year sentence and a $250,000 fine in the US.
Sheppard and Fazeli appear to just be middlemen for the scam — a hacker with the handle “Kirk#5270” is believed to be the one who got access to Twitter’s internal systems as of July 22nd. It’s not clear if Clark is Kirk#5270, though it sounds like that’s the case based on the new affidavit. However, the FBI says its investigation is ongoing and it’s still looking for more suspects.
Originally, “Kirk” claimed to be a Twitter employee, according to a Discord chat log:
Either way, Clark is currently in jail and being charged with over 30 felony counts, including organized fraud, communications fraud, identity theft, and hacking, Hillsborough State Attorney Andrew Warren said in a news conference describing the arrest. Local NBC affiliate WFLA alerted us to that news.
Initially, it wasn’t clear whether the 17-year-old was the only suspect in the case. “I can’t comment on whether he worked alone,” said Warren, the Florida prosecutor. He was arrested at his apartment where he lives by himself, authorities stated.
He’s being charged as an adult — “This was not an ordinary 17-year old,” said the state attorney — and the press conference made clear that law enforcement is considering how bad consequences of the hack could have been, beyond the $100,000-plus in bitcoin that the teen is alleged to have scammed out of unsuspecting Twitter users.
“This could have had a massive, massive amount of money stolen from people, it could have destabilized financial markets within America and across the globe; because he had access to powerful politicians’ Twitter accounts, he could have undermined politics as well as international diplomacy,” said Warren.
“This is not a game... these are serious crimes with serious consequences, and if you think you can rip people off online and get away with it, you’ll be in for a rude awakening, a rude awakening that comes in the form of a 6 AM knock on your door from federal agents,” he added later.
The teen Clark was “taken into custody without any incident”; his first appearance may be as soon as tomorrow morning, Warren said. He’s being prosecuted in Florida so he can be charged as an adult, suggesting that there may not currently be any federal charges against him.
Twitter provided the following tweet as its statement:
We appreciate the swift actions of law enforcement in this investigation and will continue to cooperate as the case progresses. For our part, we are focused on being transparent and providing updates regularly.— Twitter Comms (@TwitterComms) July 31, 2020
For the latest, see here https://t.co/kHty8TXaly
In addition to scamming users out of bitcoin, the attackers accessed the private direct messages of 36 Twitter users, including one elected official, and may have downloaded even larger caches of data for seven other users. Twitter claims that no verified users had their private messages or data caches compromised, though, suggesting that Biden, Obama, and others’ DMs could have been safe. President Trump’s Twitter account has long had extra protections, which could explain why it wasn’t hacked.
Here’s the whole press release from the Hillsborough State Attorney’s Office with additional info about the arrest as well as DOJ complaints about the other two individuals.
Hillsborough State Attorney’s Office tapped to prosecute worldwide “Bit-Con” hack of prominent Twitter users
Tampa, FL (July 31, 2020) — Hillsborough State Attorney Andrew Warren has filed 30 felony charges against a Tampa resident for scamming people across America, perpetrating the “Bit-Con” hack of prominent Twitter accounts including Bill Gates, Barack Obama, and Elon Musk on July 15, 2020.
The Federal Bureau of Investigation and the U.S. Department of Justice conducted a complex nationwide investigation, locating and apprehending the suspect in Hillsborough County.
“These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here. This ‘Bit-Con’ was designed to steal money from regular Americans from all over the country, including here in Florida. This massive fraud was orchestrated right here in our backyard, and we will not stand for that,” State Attorney Warren said.
The investigation revealed Graham Ivan Clark, 17, was the mastermind of the recent hack of Twitter. He was arrested in Tampa early on July 31. Clark’s scheme to defraud stole the identities of prominent people, posted messages in their names directing victims to send Bitcoin to accounts associated with Clark, and reaped more than $100,000 in Bitcoin in just one day. As a cryptocurrency, Bitcoin is difficult to track and recover if stolen in a scam.
“I want to congratulate our federal law enforcement partners—the US Attorney’s Office for the Northern District of California, the FBI, the IRS, and the Secret Service—as well as the Florida Department of Law enforcement. They worked quickly to investigate and identify the perpetrator of a sophisticated and extensive fraud,” State Attorney Warren said.
“This defendant lives here in Tampa, he committed the crime here, and he’ll be prosecuted here,” Warren added. The Hillsborough State Attorney’s Office is prosecuting Clark because Florida law allows minors to be charged as adults in financial fraud cases such as this when appropriate. The FBI and Department of Justice will continue to partner with the office throughout the prosecution.
The specific charges Clark faces are:
ORGANIZED FRAUD (OVER $50,000) – 1 count
COMMUNICATIONS FRAUD (OVER $300) – 17 counts
FRAUDULENT USE OF PERSONAL INFORMATION (OVER $100,000 OR 30 OR MORE VICTIMS) – 1 count
FRAUDULENT USE OF PERSONAL INFORMATION – 10 counts
ACCESS COMPUTER OR ELECTRONIC DEVICE WITHOUT AUTHORITY (SCHEME TO DEFRAUD) – 1 count
“Working together, we will hold this defendant accountable,” Warren said. “Scamming people out of their hard-earned money is always wrong. Whether you’re taking advantage of someone in person or on the internet, trying to steal their cash or their cryptocurrency—it’s fraud, it’s illegal, and you won’t get away with it.”
Update, 3:33PM ET: We had been continually updating this post, most prominently when the two additional individuals in the UK and Orlando were charged. This marks a breaking point.
Update, 3:50PM ET: Added some of the specific charges against the 17-year-old.
Update, 6:28PM ET: Added that the FBI is still investigating, and authorities have taken two individuals in total into custody.
Update, 7:08PM ET: With new information that Clark is believed to have been the one to access Twitter’s internal tools.
Update, 8:29PM ET: Added info about the minor in California who also assisted Chaewon.