Alleged Twitter hackers arrested.
US Federal prosecutors have charged three individuals in connection with the July 15th Twitter hack. Graham Ivan Clark, 17, of Tampa, Florida, Mason Sheppard, 19, of Bognor Regis, England, and Nima Fazeli, 22, of Orlando, Florida, are the three under indictment. The US Attorney for the Northern District of California declined to name Mr. Clark because of his age, but his arrest has been so widely reported by the press in Florida and elsewhere that there seems little point in finessing the identification at this point.
The Hillsborough State Attorney's Office in Florida asserts that Graham Clark was the "mastermind" of the scheme, and he's being charged as an adult. Mr. Clark faces thirty felony charges: one count of organized fraud (over $50,000), seventeen counts of communications fraud (over $300), one count of fraudulent use of personal information (over $100,000 or thirty or more victims), ten counts of fraudulent use of personal information, and one count of accessing a computer or electronic devices without authority. Mason Sheppard and Nima Fazeli have been charged in the Northern District of California: Sheppard with "conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer," and Fazeli with "aiding and abetting the intentional access of a protected computer."
ZDNet has a timeline of the incident and the investigation. According to the indictment, Mr. Clark infiltrated some part of Twitter's network on May 3rd. The New York Times says he first gained access to Twitter's internal Slack channel, where he found credentials for an administrative tool that allowed Twitter employees to access and manipulate user accounts. This tool was protected by two-factor authentication, which Clark was able to bypass on July 15th by using social engineering against Twitter employees over the phone. He then contacted Mr. Sheppard and Mr. Fazeli over Discord and sold them access to several Twitter accounts with swanky handles (e.g., "@dark," "@vague," "@drug," and "@vampire").
Later the same day, Sheppard and Fazeli allegedly began brokering deals for Graham on the OGUsers forum, advertising access to any Twitter account for between $2000 and $3000 per account. WIRED says Clark made approximately $33,000 selling access to accounts, while Sheppard received $7,000 for brokering the deals. ZDNet notes that authorities are still investigating the users who purchased these accounts.
Finally, Clark is accused of perpetrating the high-profile Bitcoin scam on the afternoon of July 15th after hijacking the Twitter accounts of Barack Obama, Joe Biden, Elon Musk, Kanye West, Bill Gates, Jeff Bezos, Mike Bloomberg, Warren Buffett, Floyd Mayweather, Kim Kardashian, Apple, Uber, Coinbase, KuCoin, Gemini, Binance, and the "@Bitcoin" account. Hillsborough State Attorney Andrew Warren alleges that Clark "stole the identities of prominent people, posted messages in their names directing victims to send Bitcoin to accounts associated with Clark, and reaped more than $100,000 in Bitcoin in just one day." His bail has been set at $725,000.
It appears that the FBI tracked online activity in Discord and OGUsers until they came to points where the three defendants used either their real identities or their home IP addresses or both. The Bureau also made use of a leaked database of OGUsers member information, which was posted online when the forum was hacked in April. That database contained private messages, IP addresses, and email addresses. Fazeli and Sheppard also used their real driver's licenses to verify accounts on Coinbase, which were linked to various email and IP addresses involved in the hacks.