22-year-old Brit accused of Twitter SIM-swap heists charged with $784k cryptocurrency theft

He's in Spain, faces extradition to the US to stand trial


A Briton accused of carrying out SIM-swapping attacks to compromise high-profile Twitter users' accounts has been charged with stealing $784,000 in cryptocurrency.

Joseph James O'Connor, 22, currently languishing in a Spanish prison, has been charged by US federal prosecutors with stealing Bitcoin, Ethereum, and Litecoin from an unnamed Manhattan-based crypto trading company in early 2019.

Damian Williams, the US attorney for the Southern District of New York, accused O'Connor and other unnamed co-conspirators of SIM-swapping three company execs' phones. After pwning their victims, Williams alleged, O'Connor and his friends "fraudulently diverted cryptocurrency of various types from cryptocurrency wallets maintained by Company-1 on behalf of two of its clients."

Although prosecutors have been tight-lipped, the timing of the incidents described in public court material appears to point to a spate of high-profile Twitter account hijacks used to promote Bitcoin scams.

O'Connor, who prosecutors claim used the social media handle PlugWalkJoe, is further accused of laundering the stolen cryptocurrency "through dozens of transfers and transactions." His charge sheet currently stands at conspiracy to commit computer hacking, wire fraud, and money laundering, as well as aggravated identity theft. Total potential sentences for all these max out at 20 years in prison.

The Briton was previously charged by the US with fraudulently taking control of TikTok and Snapchat user accounts. He was arrested in Spain and currently faces extradition to the US to stand trial. A co-accused, Graham Clark, previously pleaded guilty and is serving three years in an American youth prison.

Earlier this year British police arrested eight on suspicion of being linked to SIM-swapping attacks targeting high-profile Twitter users.

As Reg readers know, SIM-swapping attacks consist of criminals tricking telco staff into rebinding a target's phone number to a SIM card controlled by the attacker, typically by posing as an upset victim of crime hastily trying to disable a stolen device. Once the phone number is transferred to the criminal's SIM, the miscreants can access messages containing multi-factor authentication codes and the like at will.

Occasionally angry people sue telcos for their unwitting part in SIM-swapping attacks, as has happened in the US a couple of times over the past few years, most notably in July last year, when a man sued AT&T for $1.9m after he had (so he said) $24m in cryptocurrency stolen via a SIM-swap attack. ®

Biting the hand that feeds IT © 1998–2021