The alleged mastermind behind the 15 July “hack” of Twitter accounts of business titans, celebrities and a former president didn’t need sophisticated hacking tools to pierce the company’s security system. Rather, he convinced an IT employee at Twitter that he was a colleague who needed login credentials to access the company’s customer support platform, according to law enforcement officials.
It worked, in spectacular fashion.
Graham Ivan Clark, 17, allegedly hijacked 130 Twitter accounts as part of a cryptocurrency scam, according to a criminal affidavit filed in Tampa, Florida. The accounts that were hacked included those of former US President Barack Obama, Amazon.com CEO Jeff Bezos and Tesla CEO Elon Musk.
Clark, who authorities said had just graduated from high school, now faces 30 felony charges for hacking those accounts, posting messages on their behalf and luring additional victims into sending him bitcoin donations worth more than US$100 000, according to law enforcement. Two others were charged by federal authorities for allegedly aiding in the scheme by serving as brokers on the sale of compromised Twitter accounts: Mason Sheppard, 19, of the UK, and Nima Fazeli, 22, of Orlando, Florida, US.
Lawyers or family members for the defendants couldn’t be located for comment. Clark’s mother, Emiliya Clark, told NBC News that her son was innocent. “I believe he didn’t do it. I’ve spoken to him every day,” she said. “I’m devastated.”
Duped
Twitter thanked law enforcement for swiftly making arrests. In its most recent update on the hack, on 30 July, the company acknowledged that employees were duped into sharing sensitive information over the phone and that it has decided to temporarily limit access to its internal tools as it seeks to understand the scope of the breach, while improving its security protocols to “make them even more sophisticated”.
Of the 130 accounts that were targeted, 45 had Tweets sent from them, according to Twitter. Direct message inboxes were accessed in 36 of the accounts, and Twitter data was downloaded from seven of them, the company said.
Having suffered other embarrassing breaches in recent years, Twitter, the preferred social media platform for US President Donald Trump, among other political and business leaders, must now reckon with the possibility that a teenager beat teams of engineers and layers of cybersecurity protections. Former Twitter security employees have said too many people have access to user accounts, including employees and outside contractors, and that the company management has often dragged its heels on upgrades to information security. Twitter disputed the former employees’ characterisation of the company’s oversight of accounts.
The defendants were allegedly part of an underground subculture of hackers — known as “OGUsers” — who are dedicated to stealing, buying and selling online accounts with desirable usernames. In the OGUser world, a short username on Instagram or Twitter sells for tens of thousands of dollars in cryptocurrency. Winning ownership of usernames, like “@6” or “@dark,” yield their own form of virtual bragging rights.
In one instance, according to the federal complaint, a user named Kirk#5270 said in an online forum: “I work for Twitter. I can claim any @ for you.” Another user, Rolex#0373, who authorities said is an alias used by Fazeli, responded: “Prove it.” During their exchange, Kirk#5270 provided Rolex#0373 with access to the Twitter handle @Foreign for $500, according to authorities. Kirk#5270 isn’t identified in the complaint, though federal authorities said he played a central role in the Twitter hack.
“Chaewon,” an alleged alias of Sheppard’s, posted an OGUser thread entitled, “Pulling email for any Twitter/Taking Requests.” In it, Chaewon “advertised that he could change e-mail addresses tied to any Twitter account for $250 and provide direct access to accounts for between $2 500 and $3 000,” according to a federal government filing.
State authorities have charged Clark as an adult under Florida law, rather than federal, because “Florida law allows us greater flexibility to charge a minor as an adult in a financial fraud case”, said Hillsborough district attorney Andrew Warren. “He gained access to Twitter accounts and to the internal controls of Twitter through compromising a Twitter employee.”
US attorney David Anderson, of the northern district of California, said there is a “a false belief” among hackers that they can pull off attacks like the Twitter hack “anonymously and without consequence”.
The charging announcement “demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived”, he said. — Reported by Kartikay Mehrotra and William Turton, (c) 2020 Bloomberg LP