One by one, the celebrity Twitter accounts posted the same strange message: Send Bitcoin and they would send back double your money. Elon Musk. Bill Gates. Kanye West. Joe Biden. Former President Barack Obama. They, and dozens of others, were being hacked, and Twitter appeared powerless to stop it.
While some initially thought the hack was the work of professionals, it turns out the “mastermind” of one of the most high-profile hacks in recent years was a 17-year-old recent high school graduate from Florida, authorities said Friday.
Graham Ivan Clark was arrested in his Tampa apartment, where he lived by himself, early Friday, state officials said. He faces 30 felony charges in the hack, including fraud, and is being charged as an adult.
Two other people, Mason John Sheppard, 19, of the United Kingdom, and Nima Fazeli, 22, of Orlando, Florida, were accused of helping Clark during the takeover. Prosecutors said the two appeared to have aided the central figure in the attack, who went by the name Kirk. Documents released Friday do not provide the real identity of Kirk, but they suggest that it was Clark.
Clark was skilled enough to go unnoticed inside Twitter’s network, said Andrew Warren, the Florida state attorney handling the case.
“This was not an ordinary 17-year-old,” Warren said.
Clark convinced one of the company’s employees that he was a co-worker in the technology department who needed the employee’s credentials to access the customer service portal, a criminal affidavit from Florida said. By the time the hackers were done, they had broken into 130 accounts and raised significant new questions about Twitter’s security.
Despite the hackers’ cleverness, their plan quickly fell apart, according to court documents. They left hints about their real identities and scrambled to hide the money they’d made once the hack became public. Their mistakes allowed law enforcement to quickly track them down.
Less than a week after the incident, federal agents, search warrant in hand, went to a home in Northern California, according to the documents. There, they interviewed another youngster who admitted participating in the scheme. The individual, who is not named in the documents because he or she is a minor, gave authorities information that helped them identify Sheppard and said that Sheppard had discussed turning himself in to law enforcement.
Because Clark is under 18, he was charged by the Florida state attorney in Tampa, rather than by federal authorities. His age also means that many details of his case are being kept under wraps.
Federal authorities were already tracking Clark’s online activity before the Twitter hack, according to legal documents. In April, the Secret Service seized over $700,000 worth of Bitcoin from him, but it was unclear why.
The documents released Friday largely repeat what several hackers involved in the attack told The New York Times two weeks ago: The hack began early July 15 as a quiet scheme to steal and sell unusual usernames.
But as the day wore on, the attack, led by Kirk, took over dozens of accounts belonging to cryptocurrency companies and celebrities. Bitcoin flowed into the hackers’ accounts. The scheme netted Bitcoin worth more than $180,000, according to a New York Times estimate.
A special agent with an IRS investigative unit said in a court filing that Sheppard participated in the hack while using the screen name “ever so anxious.” A person using that name told the Times a few days after the attack that he got involved because he wanted to acquire unique Twitter usernames.
“i just kinda found it cool having a username that other people would want,” “ever so anxious” said in a chat with the Times. He ultimately brokered the sale of at least 10 addresses, such as @drug, @w and @L, according to the indictment against him.
Fazeli is also accused of serving as a middleman, helping to sell stolen Twitter accounts on the day of the attack under the user name “Rolex.” But the indictment provides few details on Fazeli’s work as a middleman.
By the time Twitter finally managed to stop the attack, the hackers had tweeted from 45 of the accounts they had broken into, gained access to the direct messages of 36 accounts, and downloaded full information from seven accounts, the company said.
Fazeli and Clark were arrested Friday. Sheppard has not been arrested but is expected to be taken into custody, the FBI said.
“While investigations into cyber breaches can sometimes take years, our investigators were able to bring these hackers into custody in a matter of weeks,” said John Bennett, a special agent in charge with the FBI. The investigation is still underway, and it is possible there will be additional arrests, a bureau spokeswoman said.
The young men who participated in the breach come from a loose-knit community of hackers who focus on account takeovers, cybersecurity experts said. Using a practice known as SIM-swapping, they often target telecom companies to compromise victims’ phone numbers and intercept login credentials.
The attackers targeted Twitter employees, stealing their account credentials in order to gain access to an internal system that allowed them to reset the passwords of most Twitter users. (Some users, like President Donald Trump, have extra security on their accounts to prevent takeovers.)
“These people come trained to be efficient and creative at their attack methods,” said Allison Nixon, chief research officer of security firm Unit 221B. “They’ve realized there’s this world of soft targets.”