A Tampa teenage “mastermind” was one of three people charged on Friday for their alleged roles in a huge Twitter hack that targeted some of the world’s wealthiest and most influential people.
The Hillsborough State Attorney’s Office filed 30 felony charges against Graham Ivan Clark, 17, for “scamming people across America” in the July 15 attack. The scheme “stole the identities of prominent people” and “posted messages in their names directing victims to send bitcoin” to accounts associated with the Tampa teen, prosecutors said.
“He’s a 17-year-old kid who apparently just graduated high school,” State Attorney Andrew Warren said in a Friday press conference. “But make no mistake, this was not an ordinary 17-year-old. This was a highly sophisticated attack on a magnitude not seen before.”
The U.S. Attorney’s Office Northern District of California charged two others for their role in the hack: Mason “Chaewon” Sheppard, 19, from Bognor Regis, in the United Kingdom; and Nima “Rolex” Fazeli, 22, from Orlando, Florida.
The trio hacked 130 accounts belonging to musicians, politicians, and celebrities. About 400 people transferred bitcoin worth more than $100,000.
Sheppard was charged with conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer. Fazeli was charged with aiding and abetting the intentional access of a protected computer.
The charges against Clark, however, are more severe. The youngest member of the trio—who will be prosecuted as an adult under Florida law—was charged with organized fraud, 17 counts of communications fraud, one count of fraudulent use of personal information with over $100,000 or 30 or more victims, 10 counts of fraudulent use of personal information, and one count of access to computer or electronic device without authority. WLFA first reported the arrest.
“These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here,” Warren said in a statement. “This ‘Bit-Con’ was designed to steal money from regular Americans from all over the country, including here in Florida. This massive fraud was orchestrated right here in our backyard, and we will not stand for that.”
In the space of minutes on July 15, Twitter accounts for Barack Obama, Joe Biden, Bill Gates, Warren Buffet, Michael Bloomberg, Apple, Uber, Floyd Mayweather, Kanye West, Elon Musk, Jeff Bezos, Wiz Khalifa, Kim Kardashian West, and many more were hacked.
“I am giving back to my fans. All Bitcoin sent to my address below will be sent back doubled. I am only doing a maximum of $10,000,000. Only going on for 30 minutes!” the tweets read, along with an address for a bitcoin wallet.
The coordinated attack forced Twitter to temporarily prevent almost every verified Twitter user from posting tweets or retweets.
At the time, Twitter said the hackers used employees’ corporate accounts to gain access to internal tools with vast capabilities. The hijackers used “social engineering,” whereby malicious actors trick account owners into divulging sensitive information like login credentials, to wrest control from the employees themselves.
On Thursday, in an update on its internal investigation, Twitter said that employees were targeted using a phone spear-phishing attack.
Warren said on Friday that Clark “compromised the security of a Twitter employee,” which allowed him to get access to Twitter’s internal controls. He then sold access to those targeted accounts and used the identities of prominent people to solicit bitcoins that he kept for himself.
No further details about Clark’s alleged involvements were given. Criminal complaints against Sheppard and Fazeli described their alleged role in a complicated scheme but didn’t mention Clark by name or outline his alleged involvement.
Sheppard and Fazeli acted as “middle-men” for an unnamed individual they met on the messaging app Discord, who went by the username “Kirk#5270,” the criminal complaints say.
On the day of the attack, according to the complaint, Kirk#5270 was boasting on Discord about being able to “reset, swap, and control any Twitter account at will” and offering to do so “in exchange for bitcoin transfers.” He demonstrated proof by providing images of the social media company’s internal administrative tool.
“I work for Twitter. I can claim any @ for you,” the Discord user allegedly told “Rolex#0373,” who investigators identified as Fazeli.
After proving he could access an account, the indictment says that Fazeli offered to be a broker for Kirk#5270 and posted a thread in an online forum advertising Twitter handles. The indictment says the two agreed that prospective clients would have to pay $1,000 per account “for non-‘OG’ names” and $2,500 minimum “for ‘OG’ names,” referring to original, or OG, Twitter handles that are seen as status symbols or desirable handles.
Prosecutors allege Kirk#5270 worked with Sheppard, who went by the moniker “ever so anxious#001,” in a similar scheme after reaching out to him on Discord on July 15. “Based on the chat as a whole, it appears that ‘ever so anxious#0001’ began to find buyers for Twitter usernames,” the indictment says.
Both individuals allegedly advertised the illicit scheme on UGUsers.com, a “forum abused by criminal networks," the indictment says. In one post titled “Pulling email for any Twitter/Taking Requests,” Sheppard “advertised that he could change email addresses tied to any Twitter account for $250 and provide direct access to accounts for between $2,500 and $3,000.”
Prosecutors allege that between 7 a.m. and 2 p.m. on July 15, Sheppard discussed the takeover of at least 50 Twitter accounts with Kirk#5270, though the complaint notes none of the accounts belonged to celebrities or political figures. “According to Twitter, at least ten of the transactions brokered by ‘ever so anxious#0001’ resulted in Twitter usernames being stolen from their actual owners—to include @obinna and @drug,” the indictment says.
Investigators were able to link “Rolex#0373” with Fazeli through several IP addresses that were used to access both the Discord account and his Coinbase records. The complaint says Fazeli also used his Florida driver’s license to verify his Coinbase account. Coinbase accounts controlled by Fazeli allegedly received payments for the stolen Twitter accounts. Sheppard also allegedly used his personal driver’s license to verify himself in cryptocurrency exchanges and investigators found that his accounts sent and received some of the scammed bitcoins.
After a nationwide investigation involving the FBI and the Department of Justice, authorities located Clark in Hillsborough County. Warren said the attack had the potential to “destabilize financial markets” and, because the hackers had access to powerful politicians’ Twitter accounts, “could have undermined U.S. politics as well as international diplomacy.”
“There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence,” U.S. Attorney David Anderson said in a Friday statement.
“Criminal conduct over the Internet may feel stealthy to the people who perpetrate it, but there is nothing stealthy about it. In particular, I want to say to would-be offenders, break the law, and we will find you.”
In a statement, Twitter said they “appreciate the swift actions of law enforcement.”