Everything we know about the alleged teen mastermind behind the biggest hack in Twitter history
Last month, Twitter experienced one of the largest and strangest hacks in the company's history. Over the course of nearly three hours, about 130 high-profile Twitter accounts—including Joe Biden, Barack Obama, Elon Musk, and Kanye West—were hijacked and used to tweet out a message asking their millions of followers to send Bitcoin to a designated address, with the promise that they would receive twice as much in return. It was a scam, and while it could have been much worse, it highlighted significant security flaws within Twitter's operation.
The person accused of being responsible for that hack is now in police custody. While there were rumblings that perhaps the attack was carried out by nation state-sponsored actors, particularly after it was learned that the direct messages of at least one politician were accessed, authorities now believe the major security breach was carried out by a kid in Florida who just graduated high school.
Who is the Twitter hacker?
Graham Ivan Clark, a 17-year-old living in Tampa, is accused of being the mastermind behind the hack.
According to the New York Times, Clark is something of a troubled youth. He had a strained relationship with his family and struggled in school, and as a result, spent a lot of time online. He was a relatively popular YouTuber, amassing "thousands of fans," according to the paper, mostly by playing Minecraft.
By the age of 15, Clark started to turn himself into a prolific scammer. He would offer rare items or usernames in Minecraft, collect a payment, and never deliver. By 15, he started frequenting the hacker forum OGUsers, where he became interested in rare and valuable usernames, though he was eventually banned for trying to scam another user. His time on the forum also got him interested in cryptocurrencies, and he fancied himself a trader.
Was this his first hack?
Clark actually pulled off a more profitable hack prior to gaining access to hundreds of high-profile Twitter accounts but did not face any consequences for it.
According to the Times, Clark used his connections from OGUsers to make in-roads in another hacker community that was known for carrying out SIM swapping attacks, a type of social engineering hack in which attackers trick mobile carriers into switching a victim's phone number over to a different SIM card. Clark and the others used this technique to gain access to devices and drain a person of any cryptocurrency that they might hold.
In 2019, Clark was allegedly involved in a SIM swapping attack that hijacked access to a phone belonging to tech investor Gregg Bennett. Clark and his co-conspirators managed to steal 164 Bitcoins from Bennett, valued at $856,000 at the time. In April of last year, the Secret Service was able to recover 100 Bitcoins from Clark and return them to their rightful owner. Clark was not arrested and did not face any charges for the crime because he was a minor.
How did he pull off the Twitter hack?
Usually, when people imagine hackers, they think of someone furiously typing in a dark room, maybe with a 2-liter of Mountain Dew on a sticky desk, as they navigate their way around digital firewalls and security systems. Clark's hack was more in line with the type of scam he had carried out before. According to the Times, the 17-year-old managed to convince a Twitter employee that he was also working for the company in the IT department and needed the employee's credentials so he could access a customer service portal. The Twitter employee obliged the request, and suddenly Clark found himself with complete access to many high-profile Twitter accounts, including verified accounts and legacy accounts that have highly sought after handles.
Clark allegedly recruited help from a couple of contacts on OGUsers. Prosecutors have identified the alleged accomplices as Mason John Sheppard, 19, of the United Kingdom, and Nima Fazeli, 22, of Orlando. They offered to help Clark broker sales of unique and single-character Twitter handles, which Clark would use his access to Twitter's internal tools to hijack. The account selling scheme took place Wednesday morning, before the more high-profile Bitcoin scam that occurred later that day. According to the New York Times, Clark nearly immediately started cheating the buyers out of the accounts. According to his accomplices, he would take the money, provide access to the stolen account, then revoke access using Twitter's tools and reclaim the account for himself.
At the same time, Clark operated his Bitcoin scheme that caught the attention of the public as he attempted to trick people into sending Bitcoin by sharing the wallet address on dozens of verified accounts. He ended up receiving about $120,000 worth of Bitcoin through this scheme.
What charges does he face?
Even though he is 17 and considered a minor, Clark is being charged as an adult. He will face a total of 30 criminal charges, including 17 counts of communications fraud, 10 counts of fraudulent use of personal information, one count of organized fraud over $50,000, one count of fraudulent use of personal information over $100,000, and one count of access to computer or electronic device without authority.
While he will be charged as an adult, his status as a minor means that he will be charged by the Florida state attorney rather than federal authorities. Likewise, details of his case will remain private for the time being because he is underage.
Derek Bambauer, Professor of Law at the University of Arizona, tells Mic that charging Clark as an adult in federal court would be a challenge. "Florida state law is more flexible, though," he says, noting that Florida law specifically allows for minors to be charged as adults in financial fraud cases. "The underlying elements of the charged offenses are basically the same—not a surprise since state computer crime law tends to mirror federal computer crime law. Most of the charges against Clark are, essentially, standard fraud offenses that happen to have been committed using a computer," Bambauer says.
Will he go to jail, and for how long?
It is not clear what Clark's maximum sentence could be at this point. His accomplices, who are adults and have been charged by the federal government, face large fines and potential jail time. Fazeli could receive five years in prison and a $250,000 fine for one count of computer intrusion. Sheppard faces up to 20 years in prison and a $250,000 fine for computer intrusion, conspiracy to commit wire fraud, and conspiracy to commit money laundering.
According to Bambauer, the next phase of legal proceedings will move to evidentiary questions, where it is possible that one or more of the defendants may "opt for a quick plea bargain in exchange for testifying against the others." He notes that Clark appears to be the central figure of the cases, which "may pressure the other two defendants to agree to testify against him."
"While this was a successful attack on Twitter that seems to have generated a fair amount of financial gain, according to press coverage, Clark was not particularly adept at concealing his actual identity," Bambauer says. "If that proves to be correct, it’s likely that he will strike a deal with the prosecuting attorney, pleading guilty to some or all of the charges in exchange for a more advantageous sentencing recommendation."