Charity ‘Bit-Con’ Scam by Teenage ‘Mastermind’ Hits VIP Accounts, Takes Over Internal Systems
By Najmeh Tima
“What Happened?” is an occasional feature by Digital Privacy News that looks back on some of the tech industry’s biggest data breaches last year.
The 17-year-old Florida resident behind last July’s global Twitter hacking incident pleaded guilty in March to 30 felony counts of breaching the VIP accounts of then-presidential candidate Joe Biden, former President Barack Obama, Tesla founder Elon Musk and others to solicit cryptocurrency “donations.”
Graham Ivan Clark, now 18, of Tampa, was prosecuted as an adult by Hillsborough State Attorney’s Office, in a March 16 Zoom hearing.
Described as the “mastermind” of the “Bit-Con” scam by prosecutors, Clark was sentenced to three years in prison, to be followed by three years’ probation.
He will face a minimum 10-year term in an adult prison if he violates probation. Clark turned over all of the cryptocurrency obtained through the scheme — as much as $117,000, according to court records — at his arrest.
Twitter took more than a month to discover the attack, prosecutors said.
Clark had been charged with organized fraud, communication fraud, fraudulent use of personal information and accessing a computer or electronic device without authority, court papers said.
‘Coordinated … Attack’
In what prosecutors called a “coordinated social-engineering attack,” Clark posted a fake humanitarian fundraising campaign from the Twitter VIP accounts, soliciting cryptocurrency and promising to send back double the amount in return.
Two others — Mason John Sheppard, 19, of Bognor Regis, a town in the U.K., and Nima Fazeli, 22, of Orlando, Fla. — agreed to advertise the sale of Clark’s access to any Twitter accounts in exchange for Bitcoin transfers on OGUsers, a forum and marketplace popular with hackers.
Sheppard was charged in U.S. District Court in San Francisco with computer intrusion, wire fraud conspiracy and conspiracy to launder money. Fazeli was charged in the same court with computer intrusion and aiding and abetting the intentional access of a protected computer.
The investigation surrounding Sheppard is “ongoing,” Jess Kyeremateng, assistant communications officer at the National Crime Agency in the U.K. told Digital Privacy News.
Fazeli’s attorney, Paul Wallin, did not return several requests for comment — and Twitter did not respond to repeated queries from Digital Privacy News.
Twitter announced the hack in posts on July 15.
“Tough day for us at Twitter,” CEO Jack Dorsey said in his post. “We all feel terrible this happened.”
In one of many tweets that day, Twitter said: “We detected what we believe to be a coordinated social-engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
Of the 130 accounts hacked, 45 were used to lure users for the “charity” scam, according to prosecutors.
The verified accounts breached included those of billionaires Jeff Bezos, Bill Gates, Mike Bloomberg and Warren Buffett, along with Kanye West and Kim Kardashian.
Companies like Apple and Uber also were hacked — as were such cryptocurrency exchanges as Bitcoin, Binance, Gemini and Coinbase.
“Everyone is asking me to give back,” a tweet from Gates’ account said. “You send $1,000, I send you back $2,000.”
According to court documents, the hackers completed hundreds of transfers within two days, bringing in more than $100,000 in one day alone.
Twitter said it had taken “significant steps” to limit access to its internal systems and tools and had blocked users from tweeting Bitcoin wallet addresses during its investigation.
The company posted updates over the next week.
“We communicated directly with the impacted account owners and worked to restore access to any accounts who may have been temporarily locked out during its remediation efforts,” Twitter posted on July 18.
A July 22 post said: “We believe that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including one elected official in the Netherlands.
“To date, we have no indication that any other former or current elected official had their DMs accessed.”
According to prosecutors, Clark used “phone spear phishing” — also known as “vishing” or “voice phishing” — to persuade a Twitter employee in the IT department to provide credentials to access the customer-service panel.
Clark could then access the Twitter accounts without needing user credentials, according to court documents.
In a July 31 Zoom news conference, Hillsborough State Attorney Andrew Warren said the Twitter breach occurred from May 30 to July 16.
In a July 30 tweet, the company confirmed that the attackers had obtained access to their “internal network” — as well as to “specific employee credentials” due to “human vulnerabilities” — and then had accessed its “internal systems.”
Studying the Situation
In analyzing the breach, Allan Liska of Boston-based Recorded Future, a firm involved in corporate security programs, told Digital Privacy News: “They tried to change a tire while the car was moving.
“They didn’t have any controls in place to prevent this type of breach, so they had to figure out how to stop it without completely shutting down the service.
“They didn’t plan for this type of hack beforehand,” he added.
Ray Walsh, a researcher with the U.K.-based ProPrivacy firm, put the breach in broader context.
“If sophisticated hackers had wanted to use people’s accounts for ‘political manipulation’ or other purposes, they could have tested the waters in a much-less-intrusive way,” he said.
As such, he told Digital Privacy News, attackers could have remained inside the system undetected and executed the hack later for greater leverage.
Ahmed Banafa, an engineering professor at San Jose State University, said that “a breach like this results in loss of trust, reputation, besides legal actions.”
The Federal Trade Commission (FTC) declined to disclose whether it was investigating the Twitter hack, but the company said in an Aug. 3 regulatory filing that it had received a draft FTC complaint alleging violations of a 2011 consent decree in which Twitter had agreed to better protect personal data.
“The range of probable loss is between $150 million to $250 million,” Twitter said regarding possible damages from the complaint, which accused the company of using personal information to serve targeted ads to users.
The filing was with the U.S. Securities and Exchange Commission.
Michael Gazeley, managing director of Network Box, a Hong Kong security service provider, told Digital Privacy News that Twitter needed to prevent such future hacks.
“The art is to prepare for the ‘next attack’ — not only for the last one,” he said. “They need cybersecurity training, especially focusing on social engineering.”
Recorded Future’s Liska noted: “Management tools that aren’t built with security in mind made Twitter that much more vulnerable to the hack.
“A tool that is used to manage accounts, even sensitive accounts, had very few security controls.”
ProPrivacy’s Walsh said that “biometric multi-factor authentication and tier-structured access to admin panel tools” could have greatly reduced the potential for the attack in the first place.
In a Sept. 24 blog post, Twitter outlined additional security measures under consideration, including upgrading its access-management processes — as well as its authentication systems, detection and monitoring capabilities — and investing in tools and training for its employees and contractors.
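As an added example (not code from the article, from Twitter or from the researchers quoted), a toy model of the two controls Walsh and Liska describe: an admin-panel authorization check that requires tier-3 access plus fresh MFA before a sensitive action on a verified account, and a monitoring check over a constructed audit log that flags a single operator touching many verified accounts within a short window. Action names, tiers, thresholds and the log format are assumptions.

```python
# Added illustration (assumed names, not Twitter's code): tiered access with
# step-up MFA for an account-management panel, plus panel-activity monitoring.
from collections import defaultdict
from dataclasses import dataclass

SENSITIVE_ACTIONS = {"change_email", "reset_2fa", "post_tweet"}  # assumed names

@dataclass
class Operator:
    tier: int        # 1 = read-only support, 2 = account recovery, 3 = VIP handling
    mfa_age_s: int   # seconds since the operator's last hardware/biometric MFA

@dataclass
class Event:
    ts: int          # epoch seconds
    operator: str
    action: str
    account: str
    verified: bool   # high-profile account

def authorize(op, ev, mfa_max_age_s=300):
    """Deny by default; verified accounts need tier 3 plus fresh MFA."""
    if ev.action not in SENSITIVE_ACTIONS:
        return True, "read-only"
    if ev.verified and op.tier < 3:
        return False, "verified account requires tier 3"
    if op.tier < 2:
        return False, "sensitive action requires tier 2"
    if op.mfa_age_s > mfa_max_age_s:
        return False, "stale MFA: step-up required"
    return True, "ok"

def flag_mass_access(events, window_s=3600, max_verified=3):
    """Flag operators touching > max_verified distinct verified accounts in window_s."""
    by_op = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.verified:
            by_op[ev.operator].append(ev)
    flagged = {}
    for op, evs in by_op.items():
        for i, start in enumerate(evs):
            touched = {e.account for e in evs[i:] if e.ts - start.ts <= window_s}
            if len(touched) > max_verified:
                flagged[op] = len(touched)
                break
    return flagged

SAMPLE_EVENTS = [  # constructed audit log, not real data
    Event(1000, "svc-panel-17", "post_tweet", "@ceo_a", True),
    Event(1100, "svc-panel-17", "change_email", "@founder_b", True),
    Event(1300, "svc-panel-17", "reset_2fa", "@exchange_c", True),
    Event(1900, "svc-panel-17", "post_tweet", "@celebrity_d", True),
    Event(1200, "dana", "change_email", "@verified_e", True),
]
```

A real deployment would also require a second operator's approval for the tier-3 path; the thresholds here are illustrative.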
The breach particularly drew the ire of congressional Republicans, who long had accused Twitter of unfair treatment of conservatives on the platform.
“It cannot be overstated how troubling this incident is, both in its effects and in the apparent failure of Twitter’s internal controls to prevent it,” Republican Sen. Roger Wicker of Mississippi wrote to CEO Dorsey in a July 16 letter.
“Millions of Americans who follow notable figures on Twitter believe that the posts they see from those figures are legitimate,” he wrote.
In his July 15 letter to Dorsey, Missouri Sen. Josh Hawley said: “A successful attack on your system’s servers represents a threat to all of your users’ privacy and data security.”
Najmeh Tima is a writer in Iran.
- Hillsborough State Attorney’s Office: Prosecutors Reach Plea Agreement in Case of Twitter Hacker Graham Clark
- Twitter: An update on our security incident
- U.S. Department of Justice: Three Individuals Charged For Alleged Roles In Twitter Hack
- United States Senate: Letter from Josh Hawley
- Yahoo! Finance: Twitter Faces Up To $250M FTC Fine Over Allegedly Using Private Data For Targeted Advertising
- United States Senate: Letter from Roger F. Wicker
- Twitter Support: Twitter Support on Twitter: “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
- Twitter Support: Twitter Support on Twitter: “We believe that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including 1 elected official in the Netherlands. To date, we have no indication that any other former or current elected official had their DMs accessed.”