US police in the state of Florida have arrested a 17-year-old boy accused of being the mastermind behind a hack of multiple celebrity Twitter accounts which scammed people worldwide out of around $US100,000 ($138,980).
A prosecutor identified the teenager as Graham Clark from the city of Tampa, charging him as an adult with 30 felony charges.
“He’s a 17-year-old kid who just graduated from high school,” said Florida State Attorney Andrew Warren in Hillsborough County, which includes Tampa.
“But make no mistake: This was not an ordinary 17-year-old.”
Mason Sheppard, 19, from Bognor Regis in Britain, who used the alias Chaewon, was also charged with wire fraud and money laundering, while Orlando-based Nima Fazeli, 22, nicknamed Rolex, was accused of aiding and abetting the crimes, according to a Justice Department statement.
Twitter said it appreciated the “swift actions of law enforcement”.
In one of the most high-profile security breaches in recent years, hackers sent out bogus tweets on July 15 from the accounts of Barack Obama, Joe Biden, Mike Bloomberg and a number of tech billionaires including Amazon CEO Jeff Bezos, Microsoft co-founder Bill Gates and Tesla CEO Elon Musk.
Celebrities Kanye West and his wife, Kim Kardashian West, were also hacked.
The tweets offered to send $2,000 for every $1,000 sent to an anonymous Bitcoin address.
“There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence,” US Attorney David L Anderson for the Northern District of California said in a news release.
“Today’s charging announcement demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived.”
Security experts were not surprised that the alleged mastermind of the hack is a 17-year-old, given the relatively amateur nature of the operation and the hackers’ willingness afterwards to discuss the hack with reporters online.
“I think this is a great case study showing how technology democratises the ability to commit serious criminal acts,” said Jake Williams, founder of the cybersecurity firm Rendition Infosec.
“I’m not terribly surprised that at least one of the suspects is a minor. There wasn’t a ton of development that went into this attack.”
Mr Williams said the hackers were “extremely sloppy” in how they moved the Bitcoin around.
It did not appear that the three used any services that make cryptocurrency difficult to trace by “tumbling” transactions of multiple users, a technique akin to money laundering, he said.
Mr Williams also said he was conflicted about whether Mr Clark should be charged as an adult.
“He definitely deserves to pay (for jumping on the opportunity) but potentially serving decades in prison doesn’t seem like justice in this case,” Mr Williams said.
Twitter has said the hacker gained access to a company dashboard that manages accounts by using social engineering and phone-based spear-phishing to obtain credentials from “a small number” of Twitter employees “to gain access to our internal systems”.
Spear-phishing is targeted phishing: email, phone calls or other messages aimed at specific people to deceive them into sharing access credentials.
“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” the company tweeted.
After stealing employee credentials and getting into Twitter’s systems, the hackers were able to target other employees who had access to account support tools, the company said.
The hackers targeted 130 accounts. They managed to tweet from 45 accounts, access the direct message inboxes of 36, and download the Twitter data from seven.
Dutch anti-Islam politician Geert Wilders has said his inbox was among those accessed.
Mr Fazeli’s father said on Friday (local time) he hadn’t been able to talk to his son since Thursday.
“I’m 100 per cent sure my son is innocent,” Mohamad Fazeli said, adding he was “sure this is a mix up”.
“We are as shocked as everybody else,” he said.