Officials Arrest 3 Allegedly Behind Twitter Hack

A Florida teenager suspected of spearheading the massive Twitter hack and subsequent high-profile bitcoin scam is in custody.

AccessTimeIconJul 31, 2020 at 7:03 p.m. UTC
Updated Sep 14, 2021 at 9:38 a.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

The FBI and local officials have arrested three individuals who allegedly committed the largest hack in Twitter’s history. 

Florida resident Graham Clark was arrested Friday morning, according to Florida news channel WFLA. State Attorney Andrew Warren filed 30 felony charges, including organized fraud, communications fraud, fraudulent use of personal information and access to computer or electronic devices without authority, WFLA reported.

Federal officials are also charging Nima Fazeli and Mason John Sheppard with aiding in the "intentional access of a protected computer" and conspiracy to commit wire fraud and money laundering, according to criminal complaints published Friday.

Warren intends to try Clark, who is 17 years old, as an adult; Florida law allows minors to be charged as adults in some financial fraud cases.

The Twitter hack compromised the accounts of top cryptocurrency exchanges, and prominent crypto twitter accounts (including CoinDesk), before moving on to mainstream accounts including Elon Musk, Warren Buffet, Kanye West, Joe Biden and former President Barack Obama. 

Overall 130 accounts were compromised, according to Twitter. 

The accounts all tweeted a bitcoin scam, promising to double senders bitcoin if they sent them to a specific address. It only netted the hackers about $120,000. The hack went on for hours, highlighted extensive security breaches, and led to Twitter CEO Jack Dorsey being added to the others testifying before a congressional anti-trust hearing

In a tweet Friday, Twitter said, “We appreciate the swift actions of law enforcement in this investigation and will continue to cooperate as the case progresses.”

The Federal Bureau of Investigation, Internal Revenue Service, the U.S. Secret Service, Florida law enforcement and the U.S. Attorney's Office for the Northern District of California assisted in the investigation, according to Warren's press release.

‘Breathtaking impact’

In an effort to stop the hackers, Twitter locked some verified accounts out, stopping them from changing their password, or being able to tweet. CoinDesk was one such account, and we did not regain our ability to tweet again until Thursday, over a week after the hack. With as much access as the hackers seemingly had, security experts were particularly concerned about the security of accounts direct messages. 

The day after the hack, Sen. Ron Wyden (D-Ore.) said he met with Dorsey privately in 2018 and discussed implementing end-to-end encryption of users’ direct messages. Wyden says Dorsey told him at the time that Twitter was working on encrypted DMs, but by 2020, it was clear the company hadn’t delivered. 

“This is a vulnerability that has lasted for far too long, and one that is not present in other, competing platforms. If hackers gained access to users’ DMs, this breach could have a breathtaking impact for years to come,” Wyden said in a statement. 

Thirty-six accounts, including CoinDesk, were told by Twitter that the hackers had the ability to access their DMs.

Twitter has previously said the attackers downloaded account information from eight victims, though none of those victims were verified

Reuters also reported over 1,000 employees and contractors, or nearly a fifth of the company, had access to the tools that were used to access the accounts. 

“We fell behind, both in our protections against social engineering of our employees and restrictions on our internal tools,” Dorsey told investors on a Twitter earnings call in July. 

In a tweet Thursday, Twitter gave further details about how the attack occurred. 

“The attack on July 15, 2020, targeted a small number of employees through a phone spear phishing attack,” the company tweeted. “This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.”

In the days following the hack, reporting from numerous outlets not only followed the flow of where the money was going, by tracking the bitcoin wallet the funds were sent to, but also started to unwind the story behind the hack. 

Numerous hackers flipped on “Kirk”, as identified by the New York Times, who was selling access to a Twitter admin panel. They allegedly bailed after larger account takeovers spooked them, given the likelihood that compromising such accounts would attract law enforcement attention. 

Given that the FBI was on the case from the start, as CoinDesk reported, those concerns seem to have played out.

Twitter Hack 2020
Twitter Hack 2020

UPDATE (July 31, 2020, 20:15 UTC): This article has been updated with additional information.

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.