Federal and state authorities believe that the worst security breach in Twitter’s history was perpetrated by three people: 19-year-old Mason Sheppard of the United Kingdom; 22-year-old Nima Fazeli of Orlando, Florida; and 17-your-old Graham Ivan Clark of Tampa, Florida. An investigation by the Federal Bureau of Investigation, the Department of Justice, the Internal Revenue Service, the Secret Service, the U.S. Attorney’s Office for the Northern District of California, and the Florida Department of Law Enforcement led them to conclude the three individuals were behind a massive hack on July 15 that commandeered accounts belonging to prominent figures including Barack Obama, Bill Gates, Kanye West, Joe Biden, and Elon Musk. According to law enforcement, the hackers were able to rake in more than $100,000 by posting a Bitcoin scam using the hacked accounts. The hackers also allegedly accessed the DMs of 36 accounts and may have downloaded even more data from seven accounts.
Clark’s arrest was announced first. Authorities took him into custody on Friday morning. Twitter said on Thursday that the hackers were able to talk their way into sensitive systems by launching a spear phishing attack over the phone and targeting 130 accounts. However, Twitter did not spell out the specifics of how the attack occurred.
“He’s a 17-year-old kid who apparently just graduated high school. But make no mistake, this was not an ordinary 17-year-old. This was a highly sophisticated attack on a magnitude not seen before. It could have been an extremely high amount of loss,” said Andrew Warren, state attorney for Hillsborough County, Florida, of Clark. “It could have destabilized financial markets, both in America and across the globe, because he had access to powerful politicians’ Twitter accounts.” Warren added that Clark was able to access Twitter’s internal controls by compromising the company’s employees.
The state attorney’s office has charged Clark with 17 accounts of felony communications fraud, one count of aggravated identity theft, 10 counts of identity theft, and one count of unlawful access to a computer in furtherance of a scheme to defraud. Warren declined to comment as to whether Clark worked alone. The state attorney’s office is handling the case instead of a federal prosecutor because, Warren said in a press conference, Florida law allows for greater latitude in charging a minor as an adult in financial fraud cases.
Shortly after Clark’s arrest in Florida was announced, the U.S. Attorney’s Office for the Northern District of California reported that the other two suspects had also been charged.
Federal agents said that Sheppard used his personal driver’s license to set up accounts with the Binance and Coinbase Bitcoin exchanges. These accounts allegedly transmitted and received some of the filched cryptocurrency. Authorities also claimed that Fazeli’s Coinbase account, which he’d used his driver’s license to verify, had received payments in exchange for control over the hacked Twitter accounts. Sheppard faces a maximum 20-year sentence and a $250,000 fine for wire fraud conspiracy and money laundering conspiracy. Fazeli faces a five-year sentence and a $250,000 fine for computer intrusion.
Vice’s Motherboard reported that its reporters were able to get in contact with the hackers shortly after the scam occurred. “We used a rep that literally done all the work for us,” one hacker told the reporter. Another claimed that they paid a Twitter employee for the access.