Prosecutors Said A 17-Year-Old And Two Others Hacked All Those Famous Twitter Accounts In A Bitcoin Scam
“These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here," prosecutors said.
Three people, including two teens, have been charged for their alleged roles in a wide-ranging Twitter hack that compromised the accounts of presumptive Democratic presidential candidate Joe Biden, former president Barack Obama, Tesla CEO Elon Musk, and other prominent figures in order to promote a bitcoin scam, authorities announced Friday.
Florida prosecutors said Graham Ivan Clark, 17, of Tampa, was the "mastermind" of the July 15 hack and is facing 30 felony charges, including 10 counts of fraudulent use of personal information and 17 counts of communications fraud. Clark was arrested early Friday, according to the Hillsborough County State Attorney's office.
In addition to Clark, federal authorities in the Northern District of California also charged Mason Sheppard, 19, of Bognor Regis in the United Kingdom with conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer. Nima Fazeli, a 22-year-old in Orlando, was charged with one count of aiding and abetting the intentional access of a protected computer in connection to the scam.
“These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here. This ‘Bit-Con’ was designed to steal money from regular Americans from all over the country, including here in Florida," State Attorney Andrew Warren said in a statement. "This massive fraud was orchestrated right here in our backyard, and we will not stand for that."
Fazeli was arrested Friday and released to home confinement following a court appearance in Florida, according to Abraham Simmons, a spokesperson for the Northern District of California US Attorney's Office. No arrest information was available for Sheppard.
It was unclear whether Clark is also facing federal charges. Federal prosecutors did not identify him in a statement about the charges, noting that "juvenile proceedings in federal court are sealed to protect the identity of the juvenile," and that the federal government had referred the juvenile to Warren's office.
Simmons told BuzzFeed News he could not comment on the issue.
According to prosecutors, the perpetrators of the hack received more than $100,000 in Bitcoin as a result of the scam, which involved hacking the accounts of Obama, Biden, Musk, and other prominent figures, and then posting tweets from their accounts saying that they would double any bitcoin payments sent to the same bitcoin wallet.
Hacked accounts pinned the tweets promoting the giveaway scam to the top of their profiles or retweeted the posts. Other accounts that were hit included rappers Wiz Khalifa and the late XXXTentacion, boxer Floyd Mayweather, and billionaires Jeff Bezos, Michael Bloomberg, and Warren Buffett.
While previous cryptocurrency scams have tended to mimic verified Twitter users by creating accounts that look similar to the real ones, the July 15 scam was different in that the hackers gained access to real, verified accounts to proliferate their scam.
In response to the security threat, Twitter prevented many verified accounts from tweeting for the rest of the day, though the accounts that were affected were still able to like, retweet, and send direct messages.
According to Twitter, the hackers gained access to the social media company's internal network and support tools by targeting "a small number of employees through a phone spear phishing attack." They then used the employees' credentials to target 130 accounts, "ultimately Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7."
"We appreciate the swift actions of law enforcement in this investigation and will continue to cooperate as the case progresses," Twitter's communications team tweeted Friday. "For our part, we are focused on being transparent and providing updates regularly."
The bitcoin wallet associated with the scam address sent or received 426 transfers between July 15 and 16, 415 of which "consisted of transfers from other bitcoin addresses into" the account, according to affidavits filed in federal court. The other 11 transfers were from the wallet associated with the scam address to other bitcoin addresses, "siphoning off 99.74% of the bitcoin deposited" and leaving a balance of just $274.01 in the account.
"No bitcoin was returned to the victims," the documents state.
According to the affidavits, authorities were able to identify the three individuals by tracing messages sent on Discord, an online messaging platform popular with gamers and hackers. The New York Times reported on the hackers' communications shortly after the attack, saying that scheme originated from a "teasing message" from a user named "Kirk."
“I work for Twitter. I can claim any @ for you," Kirk wrote, according to the affidavits.
"Prove it," the second user "Rolex," later identified by authorities as Fazeli, wrote back.
From there, Kirk showed Rolex and another Discord user later identified as Sheppard that he could take control of other people's Twitter accounts. The two then acted as "brokers" for Kirk, advertising "the sale of compromised Twitter accounts," procuring buyers, and "sending criminally derived proceeds from the sale of Twitter accounts to [Kirk] for the exchange for compromised Twitter accounts," according to the affidavits.
“There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence,” David Anderson, the US Attorney for the Northern District of California, said. “Today’s charging announcement demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived. Criminal conduct over the Internet may feel stealthy to the people who perpetrate it, but there is nothing stealthy about it. In particular, I want to say to would-be offenders, break the law, and we will find you.”
Florida prosecutors said Graham Ivan Clark, 17, of Tampa, was the "mastermind" of the July 15 hack and is facing 30 felony charges, including 10 counts of fraudulent use of personal information and 17 counts of communications fraud. Clark was arrested early Friday, according to the Hillsborough County State Attorney's office.
In addition to Clark, federal authorities in the Northern District of California also charged Mason Sheppard, 19, of Bognor Regis in the United Kingdom with conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer. Nima Fazeli, a 22-year-old in Orlando, was charged with one count of aiding and abetting the intentional access of a protected computer in connection to the scam.
“These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here. This ‘Bit-Con’ was designed to steal money from regular Americans from all over the country, including here in Florida," State Attorney Andrew Warren said in a statement. "This massive fraud was orchestrated right here in our backyard, and we will not stand for that."
Fazeli was arrested Friday and released to home confinement following a court appearance in Florida, according to Abraham Simmons, a spokesperson for the Northern District of California US Attorney's Office. No arrest information was available for Sheppard.
It was unclear whether Clark is also facing federal charges. Federal prosecutors did not identify him in a statement about the charges, noting that "juvenile proceedings in federal court are sealed to protect the identity of the juvenile," and that the federal government had referred the juvenile to Warren's office.
Simmons told BuzzFeed News he could not comment on the issue.
According to prosecutors, the perpetrators of the hack received more than $100,000 in Bitcoin as a result of the scam, which involved hacking the accounts of Obama, Biden, Musk, and other prominent figures, and then posting tweets from their accounts saying that they would double any bitcoin payments sent to the same bitcoin wallet.
Hacked accounts pinned the tweets promoting the giveaway scam to the top of their profiles or retweeted the posts. Other accounts that were hit included rappers Wiz Khalifa and the late XXXTentacion, boxer Floyd Mayweather, and billionaires Jeff Bezos, Michael Bloomberg, and Warren Buffett.
While previous cryptocurrency scams have tended to mimic verified Twitter users by creating accounts that look similar to the real ones, the July 15 scam was different in that the hackers gained access to real, verified accounts to proliferate their scam.
In response to the security threat, Twitter prevented many verified accounts from tweeting for the rest of the day, though the accounts that were affected were still able to like, retweet, and send direct messages.
According to Twitter, the hackers gained access to the social media company's internal network and support tools by targeting "a small number of employees through a phone spear phishing attack." They then used the employees' credentials to target 130 accounts, "ultimately Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7."
"We appreciate the swift actions of law enforcement in this investigation and will continue to cooperate as the case progresses," Twitter's communications team tweeted Friday. "For our part, we are focused on being transparent and providing updates regularly."
The bitcoin wallet associated with the scam address sent or received 426 transfers between July 15 and 16, 415 of which "consisted of transfers from other bitcoin addresses into" the account, according to affidavits filed in federal court. The other 11 transfers were from the wallet associated with the scam address to other bitcoin addresses, "siphoning off 99.74% of the bitcoin deposited" and leaving a balance of just $274.01 in the account.
"No bitcoin was returned to the victims," the documents state.
According to the affidavits, authorities were able to identify the three individuals by tracing messages sent on Discord, an online messaging platform popular with gamers and hackers. The New York Times reported on the hackers' communications shortly after the attack, saying that scheme originated from a "teasing message" from a user named "Kirk."
“I work for Twitter. I can claim any @ for you," Kirk wrote, according to the affidavits.
"Prove it," the second user "Rolex," later identified by authorities as Fazeli, wrote back.
From there, Kirk showed Rolex and another Discord user later identified as Sheppard that he could take control of other people's Twitter accounts. The two then acted as "brokers" for Kirk, advertising "the sale of compromised Twitter accounts," procuring buyers, and "sending criminally derived proceeds from the sale of Twitter accounts to [Kirk] for the exchange for compromised Twitter accounts," according to the affidavits.
“There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence,” David Anderson, the US Attorney for the Northern District of California, said. “Today’s charging announcement demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived. Criminal conduct over the Internet may feel stealthy to the people who perpetrate it, but there is nothing stealthy about it. In particular, I want to say to would-be offenders, break the law, and we will find you.”
