See also <a href="https://www.justice.gov/usao-ndca/pr/three-individuals-charged-alleged-roles-twitter-hack" rel="nofollow">https://www.justice.gov/usao-ndca/pr/three-individuals-charg...</a><p>(via <a href="https://news.ycombinator.com/item?id=24012968" rel="nofollow">https://news.ycombinator.com/item?id=24012968</a>, but we merged the threads)
Hitting a 17yo with 30 felony charges feels a bit steep to me.<p>Also should any repercussions be considered against Twitter that a 17yo was able to gain access to the private messages of potentially some of the most important individuals in the world?<p>If a 17yo could do it, I'm sure a nation state could do it.
If this turns out to be true, then we can conclude two things:<p>1. It's incredible that the security of Twitter allows for a solitary 17-year old to gain full access to (any) account.<p>2. This also explains why the profit of the hack was 'only' ~$100k. Many speculated about how incredibly valuable such a hack could be and how much more a group could have profited from this hack. Using it for two hours of bitcoin scamming seemed very amateurish. I suppose this explains it.
I have an unrealistic idea (more of a thought experiment) that companies should face equal culpability to criminal hackers in attacks. After all, technically the way the hackers use systems /is/ authorized in a sense, even if the method of obtaining authorization is unconventional. Maybe this would get companies to pay more attention to securing their systems.<p>From a certain perspective, Twitter is an accomplice to fraud by providing the platform and the access to the fraudsters (although I'm fuzzy on whether knowledge of one's aiding of a crime is necessary for an entity to be legally considered an accomplice - probably is).<p>And yes, the charge count is insane but the US loves holding a bit of life-ruining theater when they catch hackers threatening commercial interests. e.g. Aaron Swartz's conviction: <a href="https://en.wikipedia.org/wiki/Aaron_Swartz#Arrest_and_prosecution" rel="nofollow">https://en.wikipedia.org/wiki/Aaron_Swartz#Arrest_and_prosec...</a>
I was under the (apparently false?) assumption that under-18s couldn't be named. The alleged mastermind here is 17, yet is named and pictured.<p>Interestingly, when I first checked this out ~8 minutes ago, they stated that they would not name the alleged mastermind due to the fact he was under 18. In the update ~4 minutes ago, they have removed that section and named him.
"Our European visitors are important to us.<p>This site is currently unavailable to visitors from the European Economic Area while we work to ensure your data is protected in accordance with applicable EU laws."<p>nice
It's sad to me how the authorities are bragging about how quickly they caught them and how effective they are at solving this type of crime.<p>The truth is, the vast majority of these crimes go unpursued. They handled this quickly because it was so prominent, but if this happened to an everyday individual, the police wouldn't even bother.<p>I don't see this as much of a triumph. It never should have happened in the first place, and the consequences could have been utterly dire if it hadn't just been teenagers running a Bitcoin scam. This isn't a victory for nation-state security, it's an utter failure, and no policy changes have been made to prevent it happening again.<p>So what we have is a world in which our leadership is vulnerable to hackers, as are the rest of us, but only attacks against the rich and famous have actual consequences. It's the worst of all worlds.
Obviously what they did is wrong but the kid is 17. To me this is a prime example of where a short sentence or community service should be used. Don't ruin his life - he could be a useful employee for a tech company.
Imagine a 17 year old robs a bank and steals 100k from the savings accounts of random people.<p>Or a 17 year old steals a couple of cars from random people off the street...<p>The crime is not breaking into Twitter. The crime is theft. Twitter didn't steal that money, this guy did. Let's not pretend the internet is a magical land without consequences.
Trying to paint this 17-year old kid as a criminal mastermind strikes me as rather gross. I can see it as a kid doing it to see if he could, and using an obviously meme-worthy fake post that got out of hand. I think everyone has done some dumb things at this age without thinking about the consequences. If that is the case here, I hope this doesn't ruin the guy's life.
The story has been updated, three people have now been charged, the teen, a man from Orlando and a man from the UK.<p><a href="https://www.theverge.com/2020/7/31/21349920/twitter-hack-arrest-florida-teen-fbi-irs-secret-service" rel="nofollow">https://www.theverge.com/2020/7/31/21349920/twitter-hack-arr...</a>
I'm not really surprised.<p>* the attacker (allegedly) bragged to the press
* the attack only involved phishing and social engineering. (It's a bit unclear, but that's what it looks like)<p>Bragging to the press is a definite sign of someone doing it for the lulz. Criminals know better than to brag about their crimes publicly, that is how you get caught. Bragging definitely fits into the stereotypical motivation for most teenage hackers.<p>Social engineering is a skill, but it's also a skill that a smart teenager is likely to have. It's not a super high sophistication attack. It's not a spy movie attack where people are breaking into offices, coercing employees, finding 0-days in the webserver etc. It's an attack that a dedicated teen could teach themselves and pull off themselves, no special resources needed.
> Today’s announcement proves that cybercriminals can no longer hide behind perceived global anonymity<p>Anyone know what the loose end was that got these guys busted?
Probably could have earned a lot more from his exploits if he went the formal route and directly confronted Twitter. But then who even knows if Twitter are a good 'first responder' when it comes to high-profile exploits of their system.<p>There was a recent post about some researcher who exposed flaws in Tor's architecture (which allowed third parties to detect Tor traffic easily) and Tor's staff didn't respond; so she published the finding without going through the proper channels, both embarrassing Tor staff, and simultaneously strengthening the Tor network.<p>The 'I'm going to publish this sploit because you didn't respond' is a good tactic and I want to see more people do it. It's just unfortunate that the various channels like HackerOne[0] or wherever the skiddies flock to these days are not utilized thoroughly.<p>[0] <a href="https://www.hackerone.com/" rel="nofollow">https://www.hackerone.com/</a>
"Someone has to go to prison, Ben" - quoting Harvey Keitel from National Treasure movie (1:50) [1]<p>[1] <a href="https://www.youtube.com/watch?v=co4EsnwAM1Q" rel="nofollow">https://www.youtube.com/watch?v=co4EsnwAM1Q</a>
> the scheme reaped more than $100,000 in Bitcoin in just one day<p>That's actually...pretty disappointing. I would have guessed into the 7 digits just based on how many Americans, and people in general, love a get-rich-quick-scheme.
When I was a teen I made long distance phone calls using calling card numbers that were not my own, obtained through a war dialer. I'm pretty sure I never would've gone as far as this kid did, but who knows. I hope this doesn't ruin his life.
The announcement video is quite intense and feels odd for some reason. Maybe it's the aspect ratio or cold intro - not sure. <a href="https://youtu.be/z80K3-q3Kqg" rel="nofollow">https://youtu.be/z80K3-q3Kqg</a>
Interesting to see that he's being charged in Florida, instead of federally. I mean yes, normally, when one commits a crime in a particular area, they're charged in that area. But my understanding is that once stuff crosses state lines, it becomes a federal issue, and this is part of why it's usually the FBI that comes knocking.
Nowhere in the article does it mention how they nailed him or how he did it. With Twitter saying that this entire process was done by social engineering some employee and then gaining system access of others by monitoring the process - this seems to have been done by someone with corporate process understanding, and it is hard to believe it could be an 18-year-old.
> According to federal agents, Sheppard was found out partly because he used a personal driver’s license to verify himself with the Binance and Coinbase cryptocurrency exchanges, and his accounts were found to have sent and received some of the scammed bitcoin. Fazeli also used a driver’s license to verify with Coinbase, where accounts controlled by “Rolex” allegedly received payments in exchange for stolen Twitter usernames.<p>That is such a simple mistake to make, wow.
Given how many of these attacks have been social engineering ones, companies might benefit from having bug bounties for employees who get fooled.<p>Yes, this will initially be very expensive as there will be thousands of payouts, but eventually the employees will learn.<p>Offer $200 if you can get an employee's password.
I’m very uncomfortable about the fact a very young person (only 17 years old) has had his identity released like this... where was his fair trial first?<p>Regardless if he was behind the hack or not, this is not the way forward to a decent society.
Off topic, but the linked WFLA video highlights how factual reporting takes a backseat to an insidious "breaking news", headlines-first approach. Twice we hear Mr. Buinno misstate the Twitter attack as occurring "a few months ago" before being corrected by his colleague after the second instance. I realize this is a trivial criticism, but it makes one question their general preparation and fact-checking processes. Is it too much to expect alignment on the basic details of a story before broadcasting it to hundreds of thousands of people?
> Washington DC Field Office Cyber Crimes Unit analyzed the blockchain and de-anonymized bitcoin transactions allowing for the identification of two different hackers.<p>Anyone with Bitcoin Transaction knowledge, what's this de-anonymization of Bitcoins transaction?<p>>Today’s announcement proves that cybercriminals can no longer hide behind perceived global anonymity,” said Thomas Edwards, Special Agent in Charge, U.S. Secret Service, San Francisco Field Office.<p>This reads like an Ad copy of a company that's against <i>perceived</i> anonymity.
> "Washington DC Field Office Cyber Crimes Unit analyzed the blockchain and de-anonymized bitcoin transactions allowing for the identification of two different hackers"
I hope they will provide some more details about how they got caught. If this person can hack Twitter and they know about Bitcoin, then I'd be very surprised if they didn't take some basic steps to hide their tracks. E.g. Tor, VPN, cafe wifi, etc. I heard that some social engineering was involved, so maybe they called someone and their phone number was traced.<p>I would be interested to know if they forgot about one small detail. I think the FBI / NSA probably has full visibility into the Tor network and can easily deanonymise any users. Or it could be like the Harvard bomb hoax in 2013 [1]. (They used Tor, but they were also the <i>only</i> person using Tor at the time.)<p>[1] <a href="https://www.theverge.com/2013/12/18/5224130/fbi-agents-tracked-harvard-bomb-threats-across-tor" rel="nofollow">https://www.theverge.com/2013/12/18/5224130/fbi-agents-track...</a>
From the Verge[1] article it seems like there was someone else providing access to the accounts? So was it social engineering or not?<p>> Intriguingly, Sheppard and Fazeli may just be middlemen for the scam — “an unknown individual” with the handle “Kirk#5270” is believed to be the one who got access to Twitter’s internal systems. It’s not clear if the Tampa teen is Kirk#5270, though it sounds like that’s possible. The Sheppard complaint is dated July 22nd, and the Tampa teen wasn’t arrested until today. Originally, “Kirk” claimed to be a Twitter employee, according to a Discord chat log:<p>[1]: <a href="https://www.theverge.com/2020/7/31/21349920/twitter-hack-arrest-florida-teen-fbi-irs-secret-service" rel="nofollow">https://www.theverge.com/2020/7/31/21349920/twitter-hack-arr...</a>
Yeah no surprise there. The second Discord logs of the scam being planned started circulating around Twitter I knew it'd be a matter of weeks before these guys were caught. Absolutely unreal that one of them was dumb enough to not only post chatlog screenshots on Twitter with their usernames uncensored, but to use something like Discord to plan this in the first place.<p>Since the crimes were financially-motivated all of them get upgraded to felonies. I have sympathy for people who get fucked by the US' dumb CJ system, but uh... touching a Presidential candidate's Twitter account was whose idea, exactly? What did they expect would happen? I have a hard time believing the "for the lulz" defense some people are making for these people when the whole thing was clearly financially motivated.
i was assured by the cybersecurity experts of hacker news that REALLY this was all a mastermind ploy to steal and sell twitter DMs. who would they sell them to? doesn't matter! what information of actual value is sent through twitter DMs? doesn't matter! we did it, hacker news.
<p><pre><code>                 \/\The Conscience of a Hacker/\/
                                by
                         +++The Mentor+++
                    Written on January 8, 1986
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    Another one got caught today, it's all over the papers. "Teenager
Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...
    Damn kids. They're all alike.</code></pre>
The only reason he got caught was because he used his access to attempt a BTC scam.<p>The likelihood that more sophisticated individuals and organizations have access to Twitter (and probably various other tech companies), and understand the importance of not letting your access be discovered, is probably far far higher than we realize.<p>Should we just assume all data held by Twitter and various other tech companies is compromised (by multiple different actors)?<p>Twitter seems to be wording things to make the attack seem out-of-this-world sophisticated, but I just have serious doubts about that.
Anybody ever seen one of these?<p><a href="http://www.vintagecalculators.com/html/invicta.html" rel="nofollow">http://www.vintagecalculators.com/html/invicta.html</a>
Whenever I read news like this, I just think that this is such a waste of talent (assuming Twitter's security isn't analogous to Swiss cheese). This kid could have gone into ethical hacking and general security.<p>Now not only is he getting thrown in prison (over something he probably wasn't even convinced he could do, if the subpar attempt at capitalizing on it is any indication) for years, he's lost any potential career in the field.
> Although the case against the teen was also investigated by the FBI and the U.S. Department of Justice, the Hillsborough State Attorney’s Office is prosecuting Clark because Florida law allows minors to be charged as adults in financial fraud cases such as this when appropriate. The FBI and the Department of Justice will continue to partner with the office throughout the prosecution.<p>Wow. It isn’t news, but what a terrible reflection of the US approach to criminal justice.
Wonder when we'll get details on how he was actually able to do this - like how he got access to the internal tools, how did he succeed in social engineering, etc
The third person has been identified in an Ars Technica article [1].<p>1. <a href="https://arstechnica.com/tech-policy/2020/07/florida-teen-arrested-charged-with-being-mastermind-of-twitter-hack/" rel="nofollow">https://arstechnica.com/tech-policy/2020/07/florida-teen-arr...</a>
I don't have examples, but it seems to me you really hear a lot of teens pulling off successful social engineering attacks, even back to the days of phone-hacking. I guess that is evidence that some teens develop a fairly comprehensive understanding of social interaction.
I’m very uncomfortable about the fact a very young person (only 17 years old) has had his identity released like this... where was this boy's fair trial first? Regardless if he was behind the hack or not, this is not the way forward to a decent society.
I’d imagine the FBI has more than just the link to these individuals via their driver's licenses being used for verification. Surely, these driver's licenses may have been used fraudulently by a hacker who wishes not to be found out so embarrassingly?
Wasn't there inside help? I read several articles saying that there was. Any of those insiders charged?<p>Twitter is in a bind. If there was no inside help, that says their security is pretty lax. If there was inside help, why have they not identified or named them?
My thoughts go to the fact they were able to hunt someone down based on their bitcoin address.<p>Either they got help, this kid was already being watched, or it just speaks to the DOJ's data collection on all citizens.
> The two other suspects were identified as 22-year-old Nima Fazeli, a.k.a. “Rolex,” of Orlando and 19-year-old Mason Sheppard, a.k.a. “Chaewon,” of the United Kingdom.
What's the big deal, he stole some bitcoin and embarrassed Jack.<p>Wall Street Insiders steal billions every day from Joe6pack with the Government's help and they get to laugh about it over a drink after work.<p>Now we can spend millions in taxpayer money incarcerating him....<p>He should get a reward for exposing how shitty Twatter is. Besides the NSA is reading every txt you send and listening to every call you make. They know where you are 24/7 and what you bought for lunch. No one is punishing them.....<p>It's all theater for the masses I suppose....we caught the bad guys.....LOL...
Summary for Europeans who are blocked from this site:<p>A Tampa teenager, 17-year-old Graham Clark, is in jail, accused of being the “mastermind” behind a hack on the social media website Twitter that caused limited access to the site and high-profile accounts.<p>The state attorney's office says the scheme to defraud “stole the identities of prominent people” and “posted messages in their names directing victims to send Bitcoin” to accounts that were associated with the Tampa teen. According to the state attorney, the scheme reaped more than $100,000 in Bitcoin in just one day.<p>(The rest of the article just rehashes the attack.)
many years in prison for what this kid probably thought is a prank. while twitter will likely get no punishment for having so little security that even a child can hack them.
> Our European visitors are important to us.<p>> This site is currently unavailable to visitors from the European Economic Area<p>So we're not important to them then? Gotcha!<p>Block us, fine, whatever, but don't give us this BS about being important to you then.
>White House officials were concerned about President Donald Trump’s Twitter account, which he uses daily to push out news and other information. They assured the public that his account has extra protections.<p>I had suspected that they had added special protections on his account after the (2017?) incident where an employee temporarily deactivated his account (and got fired for it). I guess this confirms it.
Blocked with "Our European visitors are important to us"<p>Edit: <a href="http://archive.is/caOFK" rel="nofollow">http://archive.is/caOFK</a>
It will be interesting to learn more as the case proceeds. Was he not using Tor?<p>I'm actually not super surprised that they've arrested a teenager. Considering the thoroughness of the hack, just using it to scam a few bitcoins seemed a bit blasé. Imagine the shitshow he could've started by tweeting as Trump.
> The day after the hack, White House officials were concerned about President Donald Trump’s Twitter account, which he uses daily to push out news and other information. They assured the public that his account has extra protections.<p>Really? Like what? And why? Are they afraid someone will start posting stuff that is actually TRUE?
(If this is actually the person behind the attacks) Yes he may serve jail time for this, but he did get to read DMs of some of these people, and has had enough time to copy those contents to be read later. That's still valuable knowledge, he should leverage this to get people interested in those details to fund his legal defense in return for providing the contents of the DMs. Or is that illegal?