A Florida teenager was allegedly the “mastermind” behind the biggest hack in Twitter’s history, which saw the accounts of some of the most high-profile people on the site hijacked to post a bitcoin scam.
Last month saw the biggest ever security and privacy breach at Twitter, with the accounts of former US president Barack Obama, US presidential nominee Joe Biden, Tesla founder Elon Musk, musician Kanye West and Apple, among others, hacked and used to post links to a bitcoin scam.
Once the accounts had been taken over, they were used to post messages saying that if bitcoins were sent to the accounts, they would be doubled and returned.
But the hackers didn’t return the funds, instead moving them to a different account. According to US authorities, the hackers received $US117,000 as part of the scheme.
Three people have now been charged over the incident, including two American teenagers, the New York Times reported.
After an investigation by the FBI, IRS, US Secret Service and Florida law enforcement, 17-year-old Graham Clark from Tampa, Florida, was placed under arrest.
Clark is accused of being the “mastermind” of the hack, and the person who got access to Twitter’s internal tools to carry out the scam.
Two other people have also been formally charged by the US Department of Justice: 22-year-old Nima Fazeli from Orlando, Florida, and 19-year-old Mason Sheppard from the United Kingdom.
The authorities have alleged that the pair, operating under the aliases of Rolex and Chaewon respectively, were also involved with the Twitter hack.
The affidavit, released publicly by authorities over the weekend, also sheds light on how the hack actually happened.
According to the report, Clark allegedly pretended to be an employee at Twitter’s IT department and tricked another employee into giving him the credentials needed to take over the accounts.
“Clark used social engineering to convince a Twitter employee that he was a co-worker in the IT department and had the employee provide credentials to access the customer service portal,” the affidavit stated.
Clark is currently in jail and has been charged with more than 30 felony counts, including organised fraud, communications fraud, identity theft and hacking.
Florida prosecutor Andrew Warren has said he is “not an ordinary 17-year-old” and will be charged as an adult.
“This could have had a massive, massive amount of money stolen from people, it could have destabilised financial markets within America and across the globe, because he had access to powerful politicians’ Twitter accounts, he could have undermined politics as well as international diplomacy,” Warren said.
“This is not a game...these are serious crimes with serious consequences, and if you think you can rip people off online and get away with it, you’ll be in for a rude awakening, a rude awakening that comes in the form of a 6am knock on your door from federal agents.”
Authorities have also charged Fazeli with computer intrusion and he faces five years in prison and a fine of $US250,000.
He was found after using a personal drivers’ licence to verify himself on cryptocurrency exchanges, which he used to make the accounts to receive the scammed bitcoin.
Sheppard also used his own drivers’ licence to verify his cryptocurrency exchange accounts, and has now been charged with computer intrusion, wire fraud conspiracy and money laundering conspiracy – a charge that comes with a potential 20-year sentence and $US250,000 fine.
The hackers also allegedly accessed the private direct messages of 36 other Twitter users, including an unnamed elected official, and reportedly downloaded even larger amounts of data from seven other users.