How a Teenager Allegedly Hacked Twitter

Twitter’s high-profile hack on July 15 featured an ‘only-in-Silicon Valley’ level of absurdity. As the internet followed the action live, attackers commandeered the accounts of major public figures on Twitter to facilitate a Bitcoin payment scam. Absurd or not, the damage was real: in the end, CNN reported the account “received more than $100,000 worth of Bitcoins through hundreds of transactions.” It was the kind of damage that Twitter CEO Jack Dorsey admitted made for a “tough day for us at Twitter” in a subsequent tweet.

The incident prompted plentiful speculation about who was behind the attack, and now we (allegedly) have our answer. Florida teenager Graham Ivan Clark, 17, was accused of masterminding the incident and faces 30 felony charges as a result. Separate charges were filed against alleged co-conspirators Mason Sheppard, 19, and Nima Fazelli, 22. The attack is part of an ongoing trend responsible for millions of lost dollars across the internet, and is only the latest incident to raise questions about hacking methodology, punishment, and security issues.

A “Classic” Scam

Bitcoin scams are nothing new: Wired wrote a comprehensive look at the tack in early 2018. A “new version of a classic online scam” – the ubiquitous Nigerian prince – is “pretty straightforward,” writes Lily Hay Newman. Hackers “make Twitter handles that closely mimic the verified accounts of well-known figures… [then] respond to one of those genuine tweets, giving the appearance of having started a thread, in which they claim that they’ll send a significant quantity of cryptocurrency (like 2 bitcoin) to anyone who sends a smaller amount of currency (like 0.02 bitcoin) to a particular wallet.”

While bitcoin-centric cons are relatively common, cases usually involve people impersonating celebrity accounts rather than actually hacking them. But as Ronnie Tokazowski of email security firm Agari told Wired, the gambling mentality required to pull a scam off successfully is “especially dangerous right now, because so many people are struggling [during the global coronavirus pandemic].”

Beyond the financial implications to the victims, there is another, more vexing layer of concern among cybersecurity experts: the fact that the nature of the hacks “suggest[ed] that the hackers may have [had] full access to [the compromised] accounts, in which case they would also be able to read all of their private direct messages.” That two-factor authentication systems failed to prevent the attacks was yet another source of anxiety for specialists.

Explanations and Arrests

The arrests came on July 31 – relatively quickly under the circumstances. Court documents revealed the hackers managed to convince a Twitter employee that they were co-workers in the technology department. The hackers then requested the employee’s credentials to access the customer service portal. The original plan quickly fell apart, however, as the hackers left “hints about their real identities and scrambled to hide the money they’d made once the hack became public.” An interview with a minor who admitted participating in the scheme revealed information that eventually led law enforcement to Sheppard. The other alleged perpetrators soon followed.

The hack allegedly began in an effort “to steal and sell unusual usernames” on the platform – status symbols of sorts that “confe[r] a measure of… perceived influence and wealth” and are often hijacked and resold via ‘SIM swapping’ scams, explains former Washington Post reporter and security expert Brian Krebs. Doing so required being able to “disable multi-factor authentication” for the in-demand accounts – something possible only by gaining access to Twitter’s internal tools.

How Hacking is Prosecuted, and New Concerns in a New Normal

Computer crime laws are codified in all 50 states, though specificity varies. On a federal level, the Computer Fraud and Abuse Act (CFAA) is the standard prosecutorial tool. It has a track record of success since its passage in 1986, though it has also drawn criticism from digital rights activists and mixed legal opinions for its breadth and ability to warrant what some perceive as excessive penalties. Prosecutors continue to leverage it in many circumstances, however, and may do so here.

The Twitter attack is perhaps the most high-profile case thus far to be aided by the new normal – working from home. As CNN Business indicates, the coronavirus meant “employers had to scramble to get a huge percentage of the country’s workforce to transition to remote working for the first time, a massive task that may have involved corner-cutting when it came to security.”

Even companies that allowed employees to work from home pre-pandemic “likely also had to develop new ‘access controls,’” including “sign[ing] into a virtual private network (VPN) or other portal to securely access the information needed to do their jobs.” That the hackers were able to pretend to be a co-worker and gain access to Twitter’s internal tooling is the clearest indicator yet that protocols may need to be re-evaluated to maintain safety in the current climate. Clark has pleaded not guilty to the charges; he is being held on $725,000 bail while awaiting trial.

Quandary Peak Research

Based in Los Angeles, Quandary Peak Research provides software litigation consulting and expert witness services. We rapidly analyze large code bases, design documents, performance and usage statistics, and other data to answer technical questions about the structure and behavior of software systems.