This article is more than 1 year old
Who was behind that stunning Twitter hack? State spies? Probably this Florida kid, say US prosecutors
Alleged 17-year-old mastermind among trio charged over account mass hijackings
Three individuals were charged on Friday for allegedly hijacking a string of high-profile Twitter accounts after hoodwinking the social network's staff.
It is claimed a social-engineering-driven phishing campaign against Twitter employees led to the brief takeover on July 15 of 45 out of 130 targeted prominent accounts to promote a Bitcoin scam. Accounts belonging to Bill Gates, Elon Musk, Kanye West, Joe Biden, Barack Obama, Jeff Bezos, Mike Bloomberg, Warren Buffett, Benjamin Netanyahu, and Kim Kardashian, and to companies like Apple, Uber, and various cryptocurrency exchanges were among those commandeered.
The hijacked accounts were used to urge Twitter users to donate Bitcoin to a specific address, with the promise that a larger sum would be returned. Those involved collected more than $100,000 worth of cryptocurrency. The miscreants also managed to access the Twitter Direct Messages in 36 accounts, and to download Twitter account data for seven accounts.
The account takeovers attracted national and international attention, and elicited concern that the social network's lax internal security could threaten social stability and national security.
"Increasingly we rely on platforms like Twitter to receive news and other information that is important to our lives," said US Attorney for the Northern District of California David Anderson in the video statement below. "The Twitter VIP hack undermines public confidence in those information platforms."
Anderson announced the charges, in conjunction with federal officials from the FBI, the Secret Service, the IRS, and the UK's National Crime Agency.
"There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence,” he said in a statement. "Today's charging announcement demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived."
Mason Sheppard, aka “Chaewon,” 19, of Bognor Regis, England, was charged with conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer.
Nima Fazeli, aka “Rolex,” 22, of Orlando, Florida, was charged with aiding and abetting the intentional access of a protected computer.
The third defendant was not identified by the Department of Justice because he's a juvenile. A press release from the Hillsborough County State Attorney's Office in Florida, however, names the boy, a 17-year-old from Tampa, Florida, who faces 30 felony charges for his alleged role as the "mastermind" of the attack.
Twitter says spear-phishing attack hooked its staff and led to celebrity account hijackREAD MORE
The minor defendant is being prosecuted as an adult, the Hillsborough County State Attorney's Office said, "because Florida law allows minors to be charged as adults in financial fraud cases such as this when appropriate."
The complaint [PDF] against Sheppard includes an affidavit from IRS Special Agent Tigran Gambaryan that describes how the suspects were identified.
The IRS investigator relied on account information obtained through a warrant for account data from chat service Discord, data from the public disclosure of a hacked OGUsers.com forum database, records from cryptocoin exchanges Coinbase and Binance, and blockchain analysis.
The affidavit of US Secret Service Agent John A. Szydlik, which recounts how Fazeli was identified, also cites the publicly disclosed OGUsers.com database as a source of information.
The two complaints mention unidentified Discord user "Kirk#5270" who is said to have brokered access to the hacked Twitter accounts and is presumably the 17-year-old "mastermind" arrested in Tampa.
Authorities believe "Kirk#5270" and Sheppard were assisted in their efforts to sell access to Twitter accounts by another unidentified juvenile Discord user who resides in Northern California and was interviewed by federal agents. ®