The teenager behind last year’s big celebrity Twitter hack is going to prison

Open Sourced logo

A Florida teenager who was behind a massive hack of celebrity Twitter accounts last July has pleaded guilty and will likely serve three years in prison.

Graham Ivan Clark, now 18, was 17 when he commandeered some of the platform’s highest-profile accounts, including those belonging to Elon Musk and former President Barack Obama, and ended up scamming people out of about $120,000 in bitcoin. The verified accounts sent tweets directing followers to send bitcoin to a wallet, promising they’d get double their money back in return. They did not get double their money back, though prosecutors said Clark turned over whatever bitcoin he had left to go toward paying restitution to the victims.

Clark was charged with 30 felonies related to the hack, but his youthful offender status allowed him to avoid the mandatory 10-year minimum sentence. Instead, he’ll serve three years in a state prison for young adults and three on probation, assuming a judge signs off on the agreement.

Two others — Mason John Sheppard, 19, of the United Kingdom, and Nima Fazeli, 22, of Orlando, Florida — were also charged by the Department of Justice with felonies related to the hack. Sheppard was charged with three, and Fazeli was charged with one. Their cases have not yet been resolved; Fazeli’s lawyer maintains that his client is not guilty and that the one charge leveled against him, for aiding and abetting, is unrelated to the celebrity account hacks.

There may be more arrests to come; the charging documents say an as-yet-unidentified hacker named “Kirk” “played a central role.” This is consistent with TechCrunch’s earlier reporting that said a hacker named “Kirk” was behind the attack. Last September, the New York Times reported that a 16-year-old in Massachusetts was also being investigated and his home was searched.

Though initial reports said the hack might be an inside job, given how much access the perpetrator had to the company’s internal controls, Twitter later confirmed its employees were targeted by a “phone spear phishing attack.” Assuming this is true, it should serve as a cautionary tale. Spear phishing via mobile devices has become more common, especially since people don’t check links on their mobile devices the way they might in a message received on their computers.

“People often overlook their phone because they think of it more as a personal device, not a work device,” Mark Ostrowski, security evangelist at cybersecurity company Check Point, told Recode last May.

The details of the hack suggest that Twitter employees should have practiced better cyber hygiene, and there was nothing the account holders themselves could have done to prevent what happened.

“We will continue to organize ongoing company-wide phishing exercises throughout the year,” Twitter said in a statement shortly after the hack.

Details from the charging documents appear to show that finding the alleged hackers wasn’t a heavy lift for investigators. Fazeli and Sheppard’s handles on Discord, where they allegedly discussed purchasing access to hacked accounts with “Kirk,” were the same as their handles on a forum for people interested in acquiring “OG” Twitter accounts, which are typically very short (one letter or number each) and among the first profiles created for the service. Using that forum’s records, investigators were able to link those accounts to email addresses, Coinbase accounts, and IP addresses that made identifying them fairly simple. Fazeli, for example, used his real name in his email address, which he verified with his driver’s license.

Lawmakers blame Twitter for lax security

Politicians on both sides of the aisle had scathing words and warnings for Twitter in the wake of the mid-July attack, which caused 45 accounts to request bitcoin from their followers, promising they would receive double their donation in return. The hacker was also able to access 36 accounts’ direct messages and seven accounts’ Twitter data. But, politicians stressed, the breach — and its consequences — could have been much worse, and they demanded that Twitter do better to stop something like this from ever happening again.

Sen. Ron Wyden (D-OR) expressed concern over the security of direct messages in the attack and said Twitter hadn’t done enough to protect them, despite previous assurances that it would. In a statement, the senator told Recode that he felt let down by Twitter and its executives, especially as they promised him they would improve their security:

In September of 2018, shortly before he testified before the Senate Intelligence Committee, I met privately with Twitter’s CEO Jack Dorsey. During that conversation, Mr. Dorsey told me the company was working on end-to-end encrypted direct messages. It has been nearly two years since our meeting, and Twitter DMs are still not encrypted, leaving them vulnerable to employees who abuse their internal access to the company’s systems, and hackers who gain unauthorized access. While it still isn’t clear if the hackers behind yesterday’s incident gained access to Twitter direct messages, this is a vulnerability that has lasted for far too long, and one that is not present in other, competing platforms. If hackers gained access to users’ DMs, this breach could have a breathtaking impact, for years to come.

Meanwhile, others drew direct lines between the threats exposed by the breach and the upcoming presidential election. Sen. Richard Blumenthal (D-CT) blamed Twitter for its “repeated security lapses” and “failure to safeguard accounts” that could have caused the incident.

“Count this incident as a near miss or shot across the bow,” Blumenthal, a Connecticut Democrat, said in a tweet. “It could have been much worse with different targets.”

Sen. Josh Hawley (R-MO), who has been a frequent Big Tech critic in his short DC tenure, tweeted a letter that he said he sent to Twitter CEO Jack Dorsey even as the attack was happening.

“Millions of your users rely on your service not just to tweet publicly but also to communicate privately through your direct message service,” Hawley wrote. “A successful attack on your system’s servers represents a threat to all of your users’ privacy and data security.”

Hawley then asked how accounts protected by two-factor authentication could possibly be hacked, if user data was stolen, and what measures Twitter takes to prevent system-level hacks.

As Sen. Edward Markey (D-MA) said, both the service and its users mostly dodged a considerable bullet.

“While this scheme appears financially motivated and, as a result, presents a threat to Twitter users, imagine if these bad actors had a different intent to use powerful voices to spread disinformation to potentially interfere with our elections, disrupt the stock market, or upset our international relations,” he said in a statement to Recode. “That is why Twitter must fully disclose what happened and what it is doing to ensure this never happens again.”

As for why arguably the most high-profile and influential Twitter account of all, President Trump, wasn’t affected by the hack, it’s possible that his account has special safeguards that the other accounts didn’t. Trump’s Twitter account was famously deleted by an employee in 2017, only to be permanently suspended last January following the Capitol riots.

Update, March 17, 2021, 11:45 am: Updated with Clark’s guilty plea.

Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.