3 charged in massive Twitter hack, including alleged teenage ‘mastermind’

Graham Ivan Clark, 17, of Tampa was arrested “without incident” at his apartment Friday morning by FBI and Internal Revenue Service agents, Hillsborough State Attorney Andrew Warren said during a news conference. He faces 30 felony counts.

“I guess I was surprised that it was someone so young,” Warren said of Clark, whom he called the hack’s mastermind, “but at the same time, we see a lot of people who are extremely sophisticated and savvy with computers at a young age.”

The FBI and the U.S. Department of Justice will coordinate with the state attorney’s office in prosecuting Clark in Florida. The federal government can’t charge Clark as an adult, but Florida law allows minors to be charged as adults in certain cases of financial fraud, Warren said.

Clark is expected to make his first court appearance Saturday morning. He faces one count of organized fraud, one count of accessing a computer or electronic device without authority, one count of fraudulent use of personal information, 10 counts of fraudulent use of personal information, and 17 counts of communications fraud.

“These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here,” Warren said in a news release. “This ‘Bit-Con’ was designed to steal money from regular Americans from all over the country, including here in Florida. This massive fraud was orchestrated right here in our backyard, and we will not stand for that.”

Also charged Friday were Nima Fazeli, 22, of Orlando, and Mason Sheppard, 19, of Bognor Regis, England, according to a release from the U.S. attorney’s office for the Northern District of California. According to complaints unsealed Friday morning, Fazeli is accused of aiding and abetting the intentional access of a protected computer, and Sheppard faces accusations of conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer. It was unclear whether any of the accused had secured legal counsel.

FBI San Francisco Assistant Special Agent in Charge Sanjay Virmani said in a statement that the investigation is still ongoing.

“Our goal was to identify those responsible, put a stop to their illegal activity, and hold them responsible for these crimes,” Virmani said. “Today’s arrests represent just the first step for law enforcement. Our investigation will continue to identify anyone else who may have been involved in these crimes.”

In a Friday tweet, Twitter’s communications team expressed appreciation for the “swift actions of law enforcement.”

The cyberattack that took down big parts of Twitter’s site involved manipulating employees over a rather old-school method: the phone.

Hackers called a “small number” of employees in a phone spearphishing scheme, Twitter tweeted from its support account. Phishing attacks are designed to fool people into thinking the sender or caller is safe by imitating a company or trusted person. The hackers were able to access some internal tools from the initial targeted employees and then learned specifically who had access to account support controls and targeted them next.

It took Twitter hours to regain control of the site, and the company had to temporarily lock all verified accounts. Others lost control of their accounts completely if they tried to change their passwords. It took Twitter days to fully restore access to those accounts.

The hack drew concern from lawmakers and others about the strength of Twitter’s cybersecurity system and triggered an FBI investigation. Cybersecurity experts have said it was fortunate that hackers appeared only interested in scamming people for money and were not, for example, attempting to compromise national security. Many politicians, including President Trump, use Twitter as a main form of communication.

“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” Twitter said Thursday, adding that the incident was a “striking reminder” of how important each employee is in protecting security.

Twitter previously said hackers gained access to 130 accounts and tweeted from 45 of them. CEO Jack Dorsey apologized for the hack last week during a company earnings call, saying Twitter “fell behind” in some security restrictions.

Twitter said that employee access to internal account management tools is “strictly limited” and that it would now be looking at making its processes “even more sophisticated.”

It was not the first time that Twitter employees have triggered security issues.

Trump’s Twitter account was taken down for 11 minutes in 2017 by a departing company employee. After the incident, Twitter tweeted that it had “implemented safeguards to prevent this from happening again.” It declined to share details at the time.