The FBI and local officials have arrested three individuals who allegedly committed the largest hack in Twitter’s history.
Florida resident Graham Clark was arrested Friday morning, according to Florida news channel WFLA. State Attorney Andrew Warren filed 30 felony charges, including organized fraud, communications fraud, fraudulent use of personal information and access to computer or electronic devices without authority, WFLA reported.
Federal officials are also charging Nima Fazeli and Mason John Sheppard with aiding in the “intentional access of a protected computer” and conspiracy to commit wire fraud and money laundering, according to criminal complaints published Friday.
Warren intends to try Clark, who is 17 years old, as an adult; Florida law allows minors to be charged as adults in some financial fraud cases.
The Twitter hack compromised the accounts of top cryptocurrency exchanges and prominent crypto Twitter accounts (including CoinDesk) before moving on to mainstream accounts including Elon Musk, Warren Buffett, Kanye West, Joe Biden and former President Barack Obama.
Overall, 130 accounts were compromised, according to Twitter.
The accounts all tweeted a bitcoin scam, promising to double senders’ bitcoin if they sent it to a specific address. It only netted the hackers about $120,000. The hack went on for hours, highlighted extensive security breaches, and led to Twitter CEO Jack Dorsey being added to the others testifying before a congressional antitrust hearing.
In a tweet Friday, Twitter said, “We appreciate the swift actions of law enforcement in this investigation and will continue to cooperate as the case progresses.”
The Federal Bureau of Investigation, Internal Revenue Service, the U.S. Secret Service, Florida law enforcement and the U.S. Attorney’s Office for the Northern District of California assisted in the investigation, according to Warren’s press release.
In an effort to stop the hackers, Twitter locked some verified accounts out, stopping them from changing their passwords or tweeting. CoinDesk was one such account, and we did not regain our ability to tweet until Thursday, over a week after the hack. With as much access as the hackers seemingly had, security experts were particularly concerned about the security of accounts’ direct messages.
The day after the hack, Sen. Ron Wyden (D-Ore.) said he met with Dorsey privately in 2018 and discussed implementing end-to-end encryption of users’ direct messages. Wyden says Dorsey told him at the time that Twitter was working on encrypted DMs, but by 2020, it was clear the company hadn’t delivered.
“This is a vulnerability that has lasted for far too long, and one that is not present in other, competing platforms. If hackers gained access to users’ DMs, this breach could have a breathtaking impact for years to come,” Wyden said in a statement.
Thirty-six accounts, including CoinDesk, were told by Twitter that the hackers had the ability to access their DMs.
Twitter has previously said the attackers downloaded account information from eight victims, though none of those victims were verified.
Reuters also reported that over 1,000 employees and contractors, or nearly a fifth of the company, had access to the tools that were used to access the accounts.
“We fell behind, both in our protections against social engineering of our employees and restrictions on our internal tools,” Dorsey told investors on a Twitter earnings call in July.
In a tweet Thursday, Twitter gave further details about how the attack occurred.
“The attack on July 15, 2020, targeted a small number of employees through a phone spear phishing attack,” the company tweeted. “This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.”
In the days following the hack, reporting from numerous outlets not only followed the flow of where the money was going, by tracking the bitcoin wallet the funds were sent to, but also started to unwind the story behind the hack.
Numerous hackers flipped on “Kirk,” as identified by the New York Times, who was selling access to a Twitter admin panel. They allegedly bailed after larger account takeovers spooked them, given the likelihood that compromising such accounts would attract law enforcement attention.
Given that the FBI was on the case from the start, as CoinDesk reported, those concerns seem to have played out.
UPDATE (July 31, 2020, 20:15 UTC): This article has been updated with additional information.