A 17-year-old Florida teenager has been arrested for the massive Twitter hack that targeted celebrities and cryptocurrency-related businesses earlier in July. Federal law enforcement arrested student Graham Ivan Clark in Tampa on Friday after an investigation led by the FBI and DOJ.
A press release from the Office of the State Attorney, Andrew Warren, states that 30 felony charges have been filed against Clark, who they accuse of stealing more than $100,000 with the scam. While initial reports suggested that the Bit-Con hack might have been carried out with the assistance of Twitter employees, additional investigation has found a different avenue of attack: targeted phishing.
According to Ars Technica, Clark and the hackers he worked with scraped data from LinkedIn to identify Twitter employees who were likely to have access to the backend tools that could be used to send Tweets from various high-profile celebrity accounts. The attackers then used tools from LinkedIn to gain access to cell phone numbers for the engineers in question.
The next step was to contact the employees and direct them to log into a phishing page that mimicked an internal Twitter VPN. The hackers stole enough work history data to fool the employees they spoke with, and the current work-from-home restrictions also snarled communication lines. Once employees attempted to log into the fake Twitter VPN, Clark and his compatriots stole their actual account credentials and used them to access the real site. Two-factor authentication was bypassed by having data relayed from the fake VPN to the hackers in real time, allowing them to sign into genuine Twitter seconds after the 2FA keys were generated. From there, it was relatively easy to go romping through the flowerbeds.
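The relay works because a time-based code proves only that someone holds the secret right now, not which site it was typed into. The following added example (not from the article or the reporting it cites) shows this from the server's side. It assumes the second factor was an RFC 6238 time-based code, which the article does not specify. The hostnames, secrets and the HMAC stand-in for a FIDO2-style origin-bound signature are constructed for illustration.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a function of the secret and the clock only."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, code: str, now: float, step: int = 30) -> bool:
    """Typical server check: accept the current or the previous time step."""
    return any(hmac.compare_digest(code, totp(secret, now - d * step, step))
               for d in (0, 1))

def bound_response(key: bytes, challenge: bytes, origin_seen: str) -> bytes:
    """Simplified origin-bound authenticator: the browser-reported origin is
    mixed into the response. HMAC stands in for a public-key signature."""
    return hmac.new(key, challenge + b"|" + origin_seen.encode(),
                    hashlib.sha256).digest()

def server_accepts_bound(key: bytes, challenge: bytes, response: bytes,
                         real_origin: str) -> bool:
    """The server recomputes the response with its own origin and compares."""
    return hmac.compare_digest(response, bound_response(key, challenge, real_origin))

# Constructed sample values (hypothetical hostnames and secrets).
REAL_ORIGIN = "https://vpn.corp.example"
LOOKALIKE_ORIGIN = "https://vpn-corp.example.net"
SECRET = b"constructed-demo-secret"

def relay_outcomes() -> tuple:
    """(TOTP accepted?, origin-bound response accepted?) when the factor was
    produced on the lookalike origin and reaches the real server 10 s later."""
    typed_at = 1_000_000  # constructed timestamp
    code = totp(SECRET, typed_at)
    totp_ok = server_accepts_totp(SECRET, code, typed_at + 10)
    challenge = b"constructed-nonce"
    resp = bound_response(SECRET, challenge, LOOKALIKE_ORIGIN)
    return totp_ok, server_accepts_bound(SECRET, challenge, resp, REAL_ORIGIN)

if __name__ == "__main__":
    print(relay_outcomes())
```

The time-based code is accepted no matter where it was collected, while the origin-bound response fails verification because it was computed over the lookalike hostname.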
Clark is charged with one count of organized fraud, 11 counts of fraudulent use of personal information, 17 counts of communications fraud, and one count of accessing a computer without permission. He’s being prosecuted in Florida because he can be legally tried as an adult for financial crimes under Florida law. Two other individuals have also been charged: Mason Sheppard (19, UK) and Nima Fazeli (22, Orlando).
If Clark and his co-conspirators had hacked Twitter simply to demonstrate they could do it, the entire situation would look very different. By targeting so many high-profile brands and businesses, they made it clear that this wasn’t an attempt to embarrass Twitter or expose poor security practices. It was a deliberate financial fraud perpetrated at a time of great financial anxiety when frightened people might find this kind of rumor at least a little easier to believe than they otherwise would.