The alleged mastermind behind the biggest hack in Twitter’s history—one that targeted accounts of celebrities and a former president—was barely out of high school.
Graham Clark, a 17-year-old from Orlando, Florida, hijacked 130 Twitter profiles as part of a cryptocurrency scam, according to a complaint filed Friday in the Northern California federal court district in San Francisco.
The U.S. Department of Justice accused Clark of carrying out the scheme with 19-year-old UK resident Mason “Chaewon” Sheppard, 22-year-old Nima “Rolex” Fazeli from Orlando and a third defendant whose name is being withheld because he’s a minor.
Federal officials say Clark pulled it off by convincing a Twitter IT employee that he was a colleague who forgot his login credentials to access the Bay Area-based social media firm’s customer support system.
Accounts that were compromised in the July 15 hack included those of former President Barack Obama, Amazon CEO Jeff Bezos and Tesla’s Elon Musk.
Clark, who only recently graduated high school, now faces 30 felony charges for the scheme, in which he allegedly posted messages from the hacked accounts to lure victims into sending him upward of $100,000 in Bitcoin donations. The feds say the codefendants helped Clark by brokering sales of the hijacked Twitter profiles.
In an interview with NBC, Clark’s mother Emiliya Clark maintained her son’s innocence. “I believe he didn’t do it,” she said. “I’ve spoken to him every day. I’m devastated.”
Twitter thanked the FBI for the swift investigation and promised to improve security measures to “make them even more sophisticated.”
Meanwhile, the social media behemoth is in damage control mode, having to acknowledge the possibility that a 17-year-old kid outsmarted its army of engineers and supposedly state-of-the-art cybersecurity protections.
Federal officials say the defendants managed to beat Twitter’s controls through a tactic called social engineering, which involves impersonation instead of traditional hacking techniques. Cybersecurity experts say the methods alleged are more often used to pilfer credit card info and usernames—but never in such a high-profile way.
Per the federal complaint, the defendants were part of a collective of hackers who billed themselves “OGUsers” and devoted their efforts to bilking, buying and selling accounts with sought-after usernames. In the shadowy world of OGUsers, the shortest social media handles are the most lucrative.
Hackers who commandeer accounts with names such as a single letter or numeral earn bragging rights and the ability to sell them off for the highest profits.
Investigators tracked down Clark and the other defendants partly because of the boasts they posted in online forums, according to the recently filed federal complaint.
“There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence,” U.S. Attorney David A. Anderson said in a news release sent out Friday.
What may seem like fun and games for members of OGUsers can have devastating real-world consequences, Caroline O’Brien Buster, special agent in charge of the U.S. Secret Service Orlando Field Office, warned in the same written announcement. “Our identities and reputations are sacred,” she said. “We will continue to aggressively defend and protect individuals, companies, and other entities from new-age cyber-fraud, especially those who scheme to hack, defraud and wreak havoc on U.S. citizens across the country.”
The charging announcements should make other hackers think twice before winding up in the same position as the defendants, Anderson added.
“Criminal conduct over the internet may feel stealthy to the people who perpetrate it, but there is nothing stealthy about it,” he said. “In particular, I want to say to would-be offenders, break the law, and we will find you.”