A Florida teen accused of masterminding the hacks of several high-profile Twitter accounts last summer as part of a widespread cryptocurrency scam pleaded guilty to fraud charges in exchange for a three-year prison sentence. Graham Ivan Clark, 18, will also serve an additional three years on probation.
The development comes after the U.S. Department of Justice (DoJ) charged Mason Sheppard (aka Chaewon), Nima Fazeli (aka Rolex), and Clark (then a juvenile) with conspiracy to commit wire fraud and money laundering.
Specifically, 30 felony charges were filed against Clark, including one count of organized fraud, 17 counts of communications fraud, one count of fraudulent use of personal information with over $100,000 of 30 or more victims, 10 counts of fraudulent use of personal information, and one count of access to computer or electronic device without authority.
Subsequent investigation into the incident revealed that Clark and the other attackers seized the accounts after stealing Twitter employees’ credentials through a successful phone spear-phishing attack, subsequently using them to gain access to the company’s internal network and account support tools, change user account settings, and take over control.
“By obtaining employee credentials, they were able to target specific employees who had access to our account support tools. They then targeted 130 Twitter accounts – Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7,” the company said on July 31st, 2020.
Additionally, the three individuals attempted to monetize this entrenched access by selling the hijacked accounts on OGUsers, a forum notorious for peddling access to social media and other online accounts.
Cryptocurrency scams are not new on Twitter, although this was a whole new level. Usually, fake accounts posing as celebrities try to convince users to send money to anonymous Bitcoin addresses with the promise of making money. This scam was being carried out via celebrities’ actual accounts.
(Note: You should never send Bitcoin or any type of currency to anyone you don’t know online. These transactions can often be irreversible, leaving victims with little-to-no recourse to recuperate their stolen funds.)
Three years may seem like a lot of prison time for a hack but when you consider that the 18-year-old hacker reached a plea deal with prosecutors which helped Clark avoid a minimum 10-year sentence, perhaps it doesn’t seem that long.
Clark, who was 17-years-old at the time of the hack, was sentenced as a “youthful offender” under the arrangement. Along with avoiding the minimum sentence for adults, the hacker will be able to serve out his time in a prison specifically for young adults. Clark may also be able to serve a portion of the sentence in a “military-style boot camp.” After he serves out his sentence, Clark will also serve three years of probation. Violating that probation will result in the reinstatement of the minimum 10-year sentence.
In addition to serving time, the Tampa Bay Times reports that Clark will not be able to use computers without supervision, and will be forced to turn over login credentials for accounts that he owns. David Weisbrod, Clark’s defense attorney, said that the teen turned over all of the cryptocurrency he had scammed in the hack.
In light of the hacks, Twitter said it’s making security improvements aimed at detecting and preventing inappropriate access to its internal systems, which were used by more than 1,000 employees and contractors as of early 2020.
“He took over the accounts of famous people, but the money he stole came from regular, hard-working people. Graham Clark needs to be held accountable for that crime, and other potential scammers out there need to see the consequences. In this case, we’ve been able to deliver those consequences while recognizing that our goal with any child, whenever possible, is to have them learn their lesson without destroying their future.” Hillsborough State Attorney Andrew Warren said in a statement.