The major hacking and data breach at Twitter two weeks ago has already produced three alleged culprits, and federal authorities on Friday announced charges against the three, as well as the online moniker of a hacker still at large who is believed to have been the mastermind.
The July 15 hack involved 130 Twitter accounts belonging to celebrities and prominent users, and the hackers ultimately sent tweets — perpetuating one of many longstanding bitcoin scams — from 45 of the accounts, and succeeded in netting about $100,000 in bitcoin under the false promise of being able to "double" people's "investments," according to the criminal complaints.
The U.S. attorney announced charges against two men and an unnamed juvenile, and said the three had all been taken into custody — however, the alleged mastermind, who went by “Kirk#5270” on Discord, is still out there somewhere. As KPIX reports, the two men arrested have been identified as Mason Sheppard, a.k.a. “Chaewon,” 19, of Bognor Regis, in the United Kingdom; and Nima Fazeli, a.k.a. “Rolex,” 22, of Orlando, Florida. The juvenile was also reportedly in the state of Florida, and has been turned over to authorities there.
According to FBI San Francisco Assistant Special Agent in Charge Sanjay Virmani, the three are facing "either federal or state criminal charges, including computer intrusion, fraud, money laundering, wire fraud, and identity theft."
Sheppard is facing charges of conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer; while Fazeli is facing a charge of aiding and abetting the intentional access of a protected computer.
"There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence," said U.S. Attorney for the Northern District of California David Anderson in a release. "Today’s charging announcement demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived. Criminal conduct over the Internet may feel stealthy to the people who perpetrate it, but there is nothing stealthy about it. In particular, I want to say to would-be offenders, break the law, and we will find you."
The breach was a major embarrassment for Twitter, and the second prominent hack of high-profile accounts in a year — last summer CEO Jack Dorsey's account was hacked through a "SIM swap," after which the company supposedly tightened its security around mobile logins.
A Discord user named Kirk, whom the New York Times identified two weeks ago as the alleged mastermind through chat logs shared by other users — including, apparently, Sheppard — claimed to others on the platform that he was a Twitter employee, and boasted of special access to internal tools at the company.
While Kirk was not likely an employee — the company now says that the access he'd gained had been obtained through phishing attacks on actual employees — it remains unclear who or where he is thus far. The others involved in the hack were young people, the Times says, some of whom had gotten to know one another over their shared status as owners of especially short, rare Twitter handles like @6 and @y.
Kirk was not well known to any of these hackers, and his Discord account only dates back to July 7.
A fifth hacker, who went by the handle "lol" and said he lived on the West Coast, spoke to the Times right after the hack, seemingly trying to clear his name — and saying he'd only participated in the brokering of a few Twitter handles early in the day, before Kirk began tweeting from accounts belonging to Kanye West, Barack Obama, Elon Musk and others. Kirk had offered him and Sheppard, who goes by the name "ever so anxious," the chance to serve as middlemen in the sale of a collection of much coveted "OG" Twitter handles, for which he said they could take a cut.
Ultimately, though, Kirk appears to have profited the most via the fraudulent bitcoin offer on the celebrity accounts, which was live for an hour or two before Twitter caught on, with 400 transactions that added up to $100,000.
Update: "Kirk" appears to be the juvenile, now identified as 17-year-old Graham Ivan Clark of Tampa, who is being charged as an adult in the case. As the New York Times reports, Clark is facing "30 felony charges in the hack, including fraud." Andrew Warren, the Florida state attorney overseeing Clark's prosecution, said, "This was not an ordinary 17-year-old," which can only be taken as a compliment.
Twitter gave a statement in a blog-post update Thursday, saying, "There has been concern following this incident around our tools and levels of employee access. To run our business, we have teams around the world that help with account support. Our teams use proprietary tools to help with a variety of support issues... We have zero tolerance for misuse of credentials or tools, actively monitor for misuse, regularly audit permissions, and take immediate action if anyone accesses account information without a valid business reason. While these tools, controls, and processes are constantly being updated and improved, we are taking a hard look at how we can make them even more sophisticated."
The company also says it is "improving our methods for detecting and preventing inappropriate access to our internal systems."