- Hacker exploited access to Twitter’s internal tools to post scam from high profile accounts
- Elon Musk, Joe Biden, Barack Obama, Apple, and Uber amongst accounts exploited
A teenager who hacked into the Twitter accounts of the rich and famous in an attempt to trick millions of their followers into a cryptocurrency scam will spend three years in prison as part of a plea agreement with prosecutors.
Graham Ivan Clark, of Tampa, Florida, was arrested last year following the hack of Twitter accounts belonging to the likes of Bill Gates, Elon Musk, Barack Obama, Joe Biden, Kanye West, and others.
The scam attempted to trick potential victims into moving Bitcoin into a cryptocurrency wallet with the “promise” that they would receive more in return.
It seems too good to be true, and of course it was too good to be true. But because the messages were posted by the real, genuine, verified accounts of high-profile figures and popular brands, there was a good chance that some people would have been tempted.
Clark, who was 17 years old at the time, is said to have managed to raise Bitcoin worth over $117,000 through the scam.
Twitter subsequently described how the hackers had gained access to the accounts after targeting a small number of its employees with what it described as a “phone spear phishing attack.”
“The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools.”
Alarmingly, it was reported that over 1000 Twitter staff and external contractors had access to internal systems that allowed access to any Twitter accounts, with the power to post messages and reset passwords.
In other words, a large number of Twitter workers with access to highly sensitive tools were high-value potential targets for attackers to go after and then impersonate.
Even following his apprehension by the authorities, Clark continued to make the headlines. An online court appearance was gatecrashed by Zoom bombers who streamed 15 seconds of an x-rated porn movie before the judge was able to kick them out.
Due to Clark’s age at the time of the offence, he has been sentenced to three years in a juvenile detention facility, with a further three years of probation during which his usage of email accounts, digital devices, and social media profiles will be strictly monitored. He has already served 7.5 months in a facility since his arrest.
If Clark violates the terms of his probation he could be detained for much longer in an adult prison.
The cryptocurrency taken by Clark has been turned over to officials for purposes of restitution.
Two alleged accomplices of Clark – Mason “Chaewon” Sheppard of Bognor Regis, UK, and Nima “Rolex” Fazeli of Orlando, Florida – have also been charged in relation to the attack.