A Florida teenager who was behind a massive hack of celebrity Twitter accounts last July pleaded guilty and is likely to serve three years in prison.
Eighteen-year-old Graham Ivan Clark was 17 when he took control of some of the platform’s most famous accounts, including those of Elon Musk and former President Barack Obama, and ended up cheating people out of around $120,000 worth of bitcoin. The verified accounts sent tweets instructing followers to send bitcoin to a wallet and promised that they would get double their money in return. They didn’t get double their money back, though prosecutors say Clark turned over the leftover bitcoin to pay compensation to the victims.
Clark was charged with 30 crimes related to the hack, but his juvenile offender status enabled him to bypass the mandatory minimum 10-year sentence. Instead, he will serve three years in a state prison for young adults and three years on probation, provided a judge signs the agreement.
Two other people – Mason John Sheppard, 19, from the UK and Nima Fazeli, 22, from Orlando, Florida – were also charged with crimes related to the hack by the Justice Department. Sheppard was charged with three and Fazeli with one. Their cases have not yet been resolved; Fazeli’s attorney claims his client was not guilty and that the only charge against him, aiding and abetting, had nothing to do with the celebrity hacks.
There could be more arrests; the indictments say that an as yet unidentified hacker named “Kirk” “played a central role”. This is in line with TechCrunch’s earlier reporting that a hacker named “Kirk” was behind the attack. Last September, the New York Times reported that a 16-year-old boy in Massachusetts was also being investigated and that his house was searched.
Although initial reports said the hack might be an inside job, Twitter later confirmed that its employees had been hit by a “phone spear phishing attack”. Provided this is true, it should serve as a cautionary tale. Mobile device spear phishing has become more common, especially as users don’t check links on their mobile devices as carefully as they would in a message received on their computers.
“People often overlook their phone because they see it as a personal device rather than a work device,” Mark Ostrowski, security evangelist at cybersecurity firm Check Point, told Recode last May.
The details of the hack suggest that Twitter employees should have been practicing better cyber hygiene, and that there was nothing the account holders themselves could have done to prevent it from happening.
“We will organize ongoing company-wide phishing exercises throughout the year,” Twitter said in a statement shortly after the hack.
Details from the indictment appear to show that locating the suspected hackers was not a difficult task for investigators. Fazeli and Sheppard’s handles on Discord, where they allegedly discussed buying access to hacked accounts with “Kirk”, were the same as their handles on a forum for people interested in buying “OG” Twitter accounts, which are usually very short (one letter or number each) and among the first few profiles created for the service. Using the records of this forum, investigators were able to link these accounts to email addresses, Coinbase accounts, and IP addresses, which made identification quite easy. For example, Fazeli used his real name in his email address, which he verified with his driver’s license.
Legislators blame Twitter for lax security
Politicians on both sides of the aisle had scathing words and warnings for Twitter after the mid-July attack, which resulted in 45 accounts requesting bitcoin from their followers and promising they would receive double their donation in return. The hacker was also able to access direct messages from 36 accounts and Twitter data from seven accounts. However, politicians insisted that the breach, and its aftermath, could have been much worse, and they urged Twitter to do better to prevent something like this from ever happening again.
Senator Ron Wyden (D-OR) expressed concern about the security of direct messages in the attack, saying Twitter did not do enough to protect them, despite previous assurances. In a statement to Recode, the senator said he was disappointed with Twitter and its executives, particularly because they had promised to improve their security:
In September 2018, just before he testified before the Senate Intelligence Committee, I met privately with Twitter CEO Jack Dorsey. During that conversation, Mr. Dorsey told me that the company was working on end-to-end encrypted direct messaging. It has been almost two years since our meeting, and Twitter DMs are still unencrypted, leaving them vulnerable to employees who abuse their internal access to the company’s systems, as well as hackers who gain unauthorized access. While it’s still not clear whether the hackers behind yesterday’s incident got access to Twitter direct messages, this is a security flaw that has lasted far too long and doesn’t exist on other competing platforms. If hackers gain access to users’ DMs, the breach could have staggering effects for years to come.
Meanwhile, others have drawn direct lines between the threats exposed by the breach and the upcoming presidential election. Senator Richard Blumenthal (D-CT) blamed Twitter for its “repeated security breaches” and “failures to secure accounts” that may have caused the incident.
“Count this incident as a near miss or shot over the bow,” Blumenthal, a Connecticut Democrat, said in a tweet. “With different goals, things could have been much worse.”
Senator Josh Hawley (R-MO), a frequent big tech critic during his brief tenure in DC, tweeted a letter he sent to Twitter CEO Jack Dorsey while the attack was taking place.
“Millions of your users rely on your service not only to tweet publicly, but also to communicate privately through your direct message service,” wrote Hawley. “A successful attack on your system’s servers poses a threat to the entire privacy and data security of your users.”
Hawley then asked how accounts protected by two-factor authentication could potentially be hacked if user data were stolen, and what steps Twitter is taking to prevent system-level hacks.
As Senator Edward Markey (D-MA) said, both the service and its users have largely dodged a sizable bullet.
“While this program appears financially motivated and, as a result, poses a threat to Twitter users, imagine if these bad actors had a different intention of using strong voices to spread disinformation, possibly to disrupt our elections, disrupt the stock market, or upset our international relations,” he said in a statement to Recode. “So Twitter needs to fully disclose what happened and what it is doing to make sure it never happens again.”
As for why the most famous and most influential Twitter account of all, President Trump’s, was not affected by the hack, it is possible that his account has special security measures that the other accounts did not have. Trump’s Twitter account was deleted by an employee in 2017 and finally banned in January last year after the riots in the Capitol.
Update, March 17th, 2021, 11:45 a.m.: Updated with Clark’s admission of guilt.