The alleged mastermind behind the July 15 hack of Twitter accounts of business titans, celebrities and a former president didn’t need sophisticated hacking tools to pierce the company’s security system. Rather, he convinced an information technology employee at Twitter that he was a colleague who needed login credentials to access the company’s customer support platform, according to law enforcement officials.
It worked, in spectacular fashion.
Graham Ivan Clark, 17, allegedly hijacked 130 Twitter accounts as part of a cryptocurrency scam, according to a criminal affidavit filed in Tampa, Florida. The accounts that were hacked included those of former President
Clark, who authorities said had just graduated from high school, now faces 30 felony charges for hacking those accounts, posting messages on their behalf and luring additional victims into sending him Bitcoin donations worth more than $100,000, according to law enforcement. Two others were charged by federal authorities for allegedly aiding in the scheme by serving as brokers on the sale of compromised Twitter accounts: Mason Sheppard, 19, of the U.K., and Nima Fazeli, 22, of Orlando.
Lawyers or family members for the defendants couldn’t be located for comment. Clark’s mother, Emiliya Clark, told NBC News that her son was innocent. “I believe he didn’t do it. I’ve spoken to him every day,” she said. “I’m devastated.”
Twitter thanked law enforcement for swiftly making arrests. In its most recent update on the hack, on July 30, the company acknowledged that employees were duped into sharing sensitive information over the phone and that it has decided to temporarily limit access to its internal tools as it seeks to understand the scope of the breach, while improving its security protocols to “make them even more sophisticated.”
Of the 130 accounts that were targeted, 45 had Tweets sent from them, according to Twitter. Direct message inboxes were accessed in 36 of the accounts, and Twitter data was downloaded from seven of them, the company said.
The defendants were allegedly part of an underground subculture of hackers -- known as “OGUsers” -- who are dedicated to stealing, buying and selling online accounts with desirable usernames. In the OGUser world, a short username on Instagram or Twitter sells for tens of thousands of dollars in cryptocurrency. Winning ownership of usernames, like “@6” or “@dark,” yield their own form of virtual bragging rights.
The hackers in this community are particularly skilled in social engineering, which relies on the art of impersonation and deception rather than traditional hacking, according to cybersecurity experts. Those tools have been successfully leveraged against individuals to steal their social media usernames or credit card details, but not typically in such a brazen fashion.
In one instance, according to the federal complaint, a user named Kirk#5270 said in an online forum, “I work for Twitter. I can claim any @ for you.” Another user, Rolex#0373, who authorities said is an alias used by Fazeli, responded, “Prove it.” During their exchange, Kirk#5270 provided Rolex#0373 with access to the Twitter handle @Foreign for $500, according to authorities. Kirk#5270 isn’t identified in the complaint, though federal authorities said he played a central role in the Twitter hack.
“Chaewon,” an alleged alias of Sheppard’s, posted an OGUser thread entitled, “Pulling email for any Twitter/Taking Requests.” In it, Chaewon “advertised that he could change email addresses tied to any Twitter account for $250 and provide direct access to accounts for between $2,500 and $3,000,” according to a federal government filing.
Clark has allegedly been active in hacking since before he was a teenager, according to Logan Derouanna, 19, who lives in Florida and said he is no longer part of the OGUser scene.
Derouanna said Clark stole his Instagram account in 2014. “I had my Instagram account hacked when I was 13, and he was literally only 11,” Derouanna said, adding that his account had more than 500,000 followers at the time. “All I did was click a link he sent me.”
Two other hackers independently confirmed Clark has been active since at least 2014.
State authorities have charged Clark as an adult under Florida law, rather than federal, because “Florida law allows us greater flexibility to charge a minor as an adult in a financial fraud case,” said Hillsborough District Attorney Andrew Warren. “He gained access to Twitter accounts and to the internal controls of Twitter through compromising a Twitter employee.”
U.S. Attorney David Anderson, of the Northern District of California, said there is a “a false belief” among hackers that they can pull off attacks like the Twitter hack “anonymously and without consequence.”
The charging announcement “demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived,” he said.
(Adds background on Clark)
To contact the editors responsible for this story:
© 2020 Bloomberg L.P. All rights reserved. Used with permission.