Leader of Twitter celebrity hack and bitcoin scam sentenced to three years

A Florida teen believed to be the mastermind behind last year’s seizure of celebrity Twitter accounts to push a bitcoin scam has been sentenced to three years in a Florida juvenile facility plus three years’ probation.

It comes after Graham I. Clark pleaded guilty to four charges including committing organized fraud, committing communications fraud, fraudulent use of personal information and accessing a computer without authority. The sentence includes the seven months he has spent in jail awaiting trial.

According to a statement Tuesday from the Hillsborough State Attorney’s Office, the sentence is the maximum under Florida’s young offender law.

Although 18 years old now, he was a minor last summer at the time of the offences and had to be sentenced as a juvenile. If he violates the terms of his probation he risks being sent to an adult prison.

Two others have been indicted for their roles in the scam.

Pretending to be from Twitter’s IT department, the attackers persuaded employees of the social media firm to give them access to Twitter accounts of politicians, celebrities, and entrepreneurs, including Barack Obama, Kim Kardashian West, Jeff Bezos, and Elon Musk, as well as accounts of several cryptocurrency companies regulated by the New York State Department of Financial Services. The access was then used to push tweets seemingly from these well-known people suggesting a bitcoin giveaway, with a link to a scam address.

A report from New York state’s Department of Financial Services says the hackers stole approximately US$118,000 worth of bitcoin through the scam. Under the terms of Clark’s sentence, he has turned that over to authorities.

Hillsborough State Attorney Andrew Warren said in a statement that Clark “took over the accounts of famous people, but the money he stole came from regular, hard-working people.”

Behind the scenes

The New York regulator’s report offers the most information about the scam. “Given that Twitter is a publicly-traded, US$37 billion technology company, it was surprising how easily the hackers were able to penetrate Twitter’s network and gain access to internal tools allowing them to take over any Twitter user’s account.

“Notably, the Twitter Hack did not involve any of the high-tech or sophisticated techniques often used in cyberattacks–no malware, no exploits, and no backdoors.”

The attack started on the afternoon of July 14 when one or more hackers called several Twitter employees and claimed to be from the company’s help desk, responding to a reported problem the staffer was having with Twitter’s virtual private network. VPN problems had been common at Twitter since the switch to remote working. The hackers then tried to direct the employee to a phishing website that looked identical to the real Twitter VPN website and was hosted by a similarly named domain. As the employee entered their credentials into the phishing website, the hackers would simultaneously enter the information into the real Twitter website.

For protection, Twitter strengthens logins by making employees use multi-factor authentication. However, because the hackers were logging into the real site, if a staffer entered their MFA code on the fake site, the attackers could copy it into the real site.
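Because a relayed MFA code does not stop this kind of phishing, one place a defender can catch it is the look-alike host itself. The following is an added example, not taken from the article or the regulator's report: it flags requests in proxy logs to hosts that resemble a real portal domain. The domain `corp-example.com`, the log format and every sample line are constructed assumptions.

```python
# Assumptions (not from the article): the real portal's domain and brand label.
LEGIT_DOMAIN = "corp-example.com"
BRAND = "corp-example"
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return why a host resembles the real domain, or None if it does not."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    domain = ".".join(labels[-2:])   # naive: ignores multi-label public suffixes
    if domain == LEGIT_DOMAIN:
        return None                  # the real site or one of its subdomains
    label = labels[-2] if len(labels) > 1 else labels[0]
    if label == BRAND:
        return "tld-swap"            # same name under another top-level domain
    if label.translate(FOLD) == BRAND.translate(FOLD):
        return "lookalike-chars"     # digit-for-letter or hyphen variations
    if edit_distance(label, BRAND) <= 2:
        return "typo"                # one or two character edits away
    if BRAND.translate(FOLD) in host.translate(FOLD):
        return "brand-embedded"      # brand used inside an unrelated domain
    return None

# Constructed proxy log lines: timestamp, user, requested host.
SAMPLE_LOG = """\
2024-01-10T15:02:11Z alice vpn.corp-example.com
2024-01-10T15:04:40Z bob vpn.corp-exarnple.com
2024-01-10T15:05:02Z carol corp-example-vpn.com
2024-01-10T15:06:30Z dave vpn.c0rp-example.com
2024-01-10T15:07:00Z erin news.example.org
2024-01-10T15:08:19Z frank corp-example.com.helpdesk-login.net
"""

def scan(log_text):
    """Return (user, host, reason) for each request to a look-alike host."""
    rows = (line.split() for line in log_text.splitlines())
    return [(r[1], r[2], why) for r in rows
            if len(r) == 3 and (why := classify(r[2]))]
```

Running `scan(SAMPLE_LOG)` flags the requests from bob, carol, dave and frank, which gives a fraud-monitoring team a list of staff to contact while a reported call is still fresh.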

To aid the attack, the hackers used personal information about the employees to convince them that the callers were real Twitter staff and could, therefore, be trusted. The report doesn’t say how the attackers got this information, other than speculating that they did research to identify staffers and their titles.

While some employees were suspicious and reported the calls to Twitter’s internal fraud monitoring team, at least one employee fell for the scam. Getting into this person’s corporate account didn’t get the attackers what they wanted, which was the ability to take over celebrity Twitter accounts. They took the time to wander around Twitter’s internal websites and learn more about the company’s systems. That gained them information about how to access other internal applications.

On July 15, the hackers targeted Twitter employees who had access to certain internal tools to help take over accounts. Some of them were part of the department responsible, in part, for responding to sensitive global legal requests, such as court orders or content removal requests, as well as for developing and enforcing policies to prohibit abusive online behaviour.

Initially, the hackers went after valuable so-called “original gangster” (“OG”) Twitter usernames, which are usually designated by a single word, letter, or number and adopted by Twitter’s early users. Access to a hijacked OG account could be resold for bitcoin. To show off their prowess, the hackers tweeted screenshots of one of the internal tools from some of the accounts.

Next, the hackers upped their game, going after “verified” accounts of well-known people, which bear the blue verified badge as a source of authenticity. A hacked verified account would make fraudulent demands for bitcoin appear more legitimate.

The first hijacked verified account belonged to a cryptocurrency trader; direct messages sent from that account asked for 0.01 bitcoin for trading information. After hijacking Twitter accounts of cryptocurrency exchanges, the hackers sent tweets suggesting a bitcoin giveaway, with a link to a scam address. Finally, the attackers gained access to verified accounts of celebrities and fired tweets with the scam offer to millions of their followers.


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
