Twitter Hacked by 17 Year Old in Tampa -- What A Robust Security Infrastructure Jack Has For Us

Graham Clark, a 17-year-old resident of Tampa, Florida, has been charged by the Hillsborough State Attorney’s Office as the “mastermind” behind last week’s hack of Twitter, in which high-profile “Blue Checkmark” accounts were hijacked and their owners locked out.  Local News Channel 8 in Tampa was the first to report the arrest.

According to Forbes, the Florida officials identified Clark as the “mastermind” behind the attack.

The intrusion happened on July 15.  Clark was taken into custody early Friday morning and charged under Florida law with 30 felony counts, including unauthorized access to computer accounts and fraudulent use of personal information, among other charges.

The goal of the hack was financial — after taking over Twitter accounts of prominent individuals he directed messages in their names to others, asking them to send bitcoin payments to accounts that were associated with Clark, and he realized approximately $100,000 from the scheme in one day.

The hacked accounts all posted a variant of a common Bitcoin “doubling” scam: “I am giving back to the community. All Bitcoin sent to the address below will be sent back doubled! If you send $1,000, I will send back $2,000. Only doing this for 30 minutes.”  Twitter later said the hackers were able to reach the accounts by gaining access to internal systems through a successful “social engineering” scheme played on several employees.

As Motherboard reported on the day of the hack, the hackers managed to leverage an internal tool used by Twitter workers in order to take control of the accounts. The hackers changed the email address associated with the target accounts to one they controlled, and then initiated a password reset to gain entry.

Just that simple: use an internal account-management tool that was apparently available to a wide group of Twitter employees, change the email address associated with each targeted account, use the new address to initiate a password reset on that account, and voila, takeover.  The account holder’s password and two-factor settings never had to be defeated; the tool simply rewrote who the account belonged to.
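The following is an added illustration of that takeover path and of two controls that would have interrupted it; it is not Twitter’s code and not drawn from the reporting quoted above. It models a weak admin tool in which any operator can rewrite an account’s email and the new address can immediately request a password reset, a hardened variant that stages the change behind second-person approval and a hold period during which the new address cannot reset the password, and a detection rule over an audit log that flags operators whose email changes are followed within minutes by password resets on several accounts. All names, thresholds and the sample audit events are assumptions constructed for the example.

```python
"""Toy model of the admin-tool email change -> password reset takeover,
a hardened variant, and a detection rule.  Added illustration only;
nothing here is Twitter's code.  Names and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets


@dataclass
class Account:
    handle: str
    email: str


@dataclass
class AuditEvent:
    ts: datetime
    operator: str   # empty for user-facing actions such as a password reset
    action: str     # "email_change" or "password_reset"
    handle: str


class WeakAdminTool:
    """Mirrors the flaw described above: any operator may change an email
    immediately, and the new address can reset the password at once."""

    def __init__(self, accounts):
        self.accounts = {a.handle: a for a in accounts}

    def change_email(self, operator, handle, new_email):
        self.accounts[handle].email = new_email      # no approval, no hold

    def reset_token(self, email):
        """Issue a reset token to whoever controls `email` (toy reset flow)."""
        for acct in self.accounts.values():
            if acct.email == email:
                return secrets.token_urlsafe(16)
        return None


class HardenedAdminTool(WeakAdminTool):
    """Assumed policy: a second operator must approve the change, and a new
    address cannot be used for password reset until a hold period passes."""
    HOLD = timedelta(hours=24)

    def __init__(self, accounts, now):
        super().__init__(accounts)
        self.now = now            # injected clock so the hold can be tested
        self.pending = {}         # handle -> (requesting operator, new email)
        self.changed_at = {}      # handle -> when the email last changed

    def change_email(self, operator, handle, new_email):
        self.pending[handle] = (operator, new_email)  # staged, not applied

    def approve(self, approver, handle):
        requester, new_email = self.pending.pop(handle)
        if approver == requester:
            raise PermissionError("requester cannot approve own change")
        self.accounts[handle].email = new_email
        self.changed_at[handle] = self.now

    def reset_token(self, email):
        for handle, acct in self.accounts.items():
            if acct.email == email:
                since_change = self.now - self.changed_at.get(handle, datetime.min)
                if since_change < self.HOLD:
                    return None   # recently changed address cannot reset yet
                return secrets.token_urlsafe(16)
        return None


def suspicious_operators(events, window=timedelta(minutes=10), min_accounts=3):
    """Flag operators whose email_change on a handle is followed by a
    password_reset on the same handle within `window`, across at least
    `min_accounts` distinct handles.  One such pair is routine support work;
    many in a short span is the pattern of a mass takeover."""
    last_change = {}              # handle -> (operator, time of change)
    hits = defaultdict(set)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "email_change":
            last_change[ev.handle] = (ev.operator, ev.ts)
        elif ev.action == "password_reset" and ev.handle in last_change:
            op, t0 = last_change[ev.handle]
            if ev.ts - t0 <= window:
                hits[op].add(ev.handle)
    return {op for op, handles in hits.items() if len(handles) >= min_accounts}


def sample_events():
    """Constructed audit log: one operator rewrites three accounts' emails,
    each reset within two minutes; a second operator's change is followed
    by a reset two days later, which is ordinary support activity."""
    base = datetime(2020, 7, 15, 20, 0)
    evs = []
    for i, handle in enumerate(["acct_a", "acct_b", "acct_c"]):
        evs.append(AuditEvent(base + timedelta(minutes=3 * i), "insider", "email_change", handle))
        evs.append(AuditEvent(base + timedelta(minutes=3 * i + 2), "", "password_reset", handle))
    evs.append(AuditEvent(base, "support_1", "email_change", "acct_d"))
    evs.append(AuditEvent(base + timedelta(days=2), "", "password_reset", "acct_d"))
    return evs


def demo_weak():
    """Returns True: the rewritten address can reset the password at once."""
    tool = WeakAdminTool([Account("ceo", "ceo@example.com")])
    tool.change_email("insider", "ceo", "attacker@example.com")
    return tool.reset_token("attacker@example.com") is not None


def demo_hardened():
    """Returns (staged_blocked, hold_blocked, allowed_after_hold)."""
    now = datetime(2020, 7, 15, 20, 0)
    tool = HardenedAdminTool([Account("ceo", "ceo@example.com")], now)
    tool.change_email("insider", "ceo", "attacker@example.com")
    staged = tool.reset_token("attacker@example.com")     # None: not applied
    tool.approve("reviewer", "ceo")
    held = tool.reset_token("attacker@example.com")       # None: hold period
    tool.now = now + timedelta(hours=25)
    later = tool.reset_token("attacker@example.com")      # token after hold
    return staged is None, held is None, later is not None


if __name__ == "__main__":
    print("weak tool taken over:", demo_weak())
    print("hardened tool (staged, held, after hold):", demo_hardened())
    print("flagged operators:", suspicious_operators(sample_events()))
```

The hold period is the control that matters most against this specific path: even with an accomplice inside the tool, the attacker would have had to wait a day per account, during which the notification to the old address and the audit rule above would have surfaced the activity.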

Glad you have it locked down Jack.  Maybe you could spend a bit more on internal security, and a bit less on social warriors monitoring conservative accounts looking for “offensive” content.

In a public statement announcing the arrest, the State’s Attorney’s Office noted that Bitcoin is very difficult to track and recover if stolen as part of a fraud.  While the hacking of Twitter accounts of famous people was the vehicle by which the fraud was executed, the real victims were the persons who sent Bitcoin to the perpetrators.

The investigation was spearheaded by the IRS Criminal Investigations Division, the FBI, and the Department of Justice, with the cooperation of Florida Law Enforcement authorities.  Two other individuals have been charged by federal authorities in the Northern District of California for their participation in the fraud — 22-year-old Nima Fazeli, a.k.a. “Rolex,” of Orlando, and 19-year-old Mason Sheppard, a.k.a. “Chaewon,” of the United Kingdom.

Clark will be prosecuted by state authorities in Florida.  The likely reason for that decision is that federal prosecution of juveniles is rare and cumbersome.  To charge Clark for his role in the crime alongside the two others, the Justice Department would first have to persuade a federal judge to transfer him to adult status, and only then could he be prosecuted as an adult offender.  That is very hard to accomplish when the defendant has no prior criminal history.  Waiting for him to turn 18 would not work either, as the age that matters is the defendant’s age at the time of the offense.

Twitter later reported that the attackers targeted 130 accounts of prominent individuals, used 45 of them to post the Bitcoin solicitation, and accessed the “Direct Message” inboxes of 36.