National Crime Agency says Brit teen accused of Twitter hack has not been arrested

Bognor Regis man still faces 20 years in clink, though


The British teenager accused of being part of the gang that hacked Twitter and posted a cryptocurrency scam from various US celebrities' accounts has not yet been arrested.

Mason Sheppard, a 19-year-old of Bognor Regis in the English county of West Sussex, has been visited by the National Crime Agency but no arrests have been made on this side of the Atlantic.

However, one of Sheppard's co-accused, 17-year-old Graham Clark of Florida, USA, appeared in a local court on Saturday to enter a not-guilty plea over the account hijackings.

On 15 July, a flurry of tweets from verified Twitter accounts exhorted followers to send Bitcoin to a specified wallet. Those endorsing this bizarre message included Bill Gates, Elon Musk, Kanye West, Joe Biden, Barack Obama, Jeff Bezos, Mike Bloomberg, Warren Buffett, Benjamin Netanyahu, and Kim Kardashian, among others.

Three teenagers alleged to have masterminded the social-engineering attack necessary to pull off the hack were charged last Friday. Among the accused was Sheppard, said to have used the Discord username "ever so anxious#001" and another handle, "Chaewon".

A National Crime Agency spokeswoman told The Register: "The Agency has supported the US investigation and on Friday 31 July officers from the NCA and the South East Regional Organised Crime Unit searched a property in Bognor Regis, West Sussex. We remain in continued liaison with the US authorities."

El Reg understands no arrests have been made by the NCA. In an affidavit against Sheppard published online by the US Department of Justice, it is said that "Chaewon" had "discussed turning themselves in to law enforcement after the Twitter hack became publicly known". US prosecutor Tigran Gambaryan alleged that he was able to identify Sheppard after tracing his Bitcoin wallet back to US-based cryptocurrency exchange Coinbase, which gave investigators access to account records revealing a copy of Sheppard's email address, passport and driving licence, with the latter revealing his address.

Sheppard stands accused of conspiracy to commit wire fraud, computer intrusion and money laundering, all US federal offences. He faces a maximum potential prison sentence of 20 years and a $250,000 fine.

It is said by American prosecutors that Sheppard acted as a middleman, brokering the theft of Twitter accounts and payments by those eager to claim so-called OG (original gangster) usernames as a status symbol; ones that are either very short or consist of one word.

It appears likely that an extradition hearing will form part of Sheppard's medium-term future.

Yesterday's US court hearing for Clark was livestreamed on Zoom, leading to some predictable and unpleasant results, according to infosec journalist Brian Krebs.

A third member of the alleged hacking crew was named last Friday by prosecutors as Nima Fazeli, 22, of Orlando, Florida.

The US Department of Justice has been asked for comment. America's London embassy did not return phone calls to its press office seeking comment. ®
