Early on July 31st, the FBI, IRS, US Secret Service, and Florida law enforcement placed a 17-year-old in Tampa, Florida, under arrest. He’s accused of being the “mastermind” behind the biggest security and privacy breach in Twitter’s history, one that took over the accounts of President Barack Obama, Democratic presidential candidate Joe Biden, Bill Gates, Elon Musk, Kanye West, Apple, and more to perpetrate a huge bitcoin scam on July 15th.
But apparently, he wasn’t alone: shortly after the Tampa arrest was revealed and after we published this story, two more individuals were formally charged by the US Department of Justice: 22-year-old Nima Fazeli in Orlando and 19-year-old Mason Sheppard in the UK. They go by the hacker aliases “Rolex” and “Chaewon,” respectively, according to the DOJ.
According to federal agents, Sheppard had used a personal driver’s license to verify himself with the Binance and Coinbase cryptocurrency exchanges, and his accounts were found to have sent and received some of the scammed bitcoin. Fazeli also used a driver’s license to verify with Coinbase, where accounts controlled by “Rolex” allegedly received payments in exchange for stolen Twitter usernames.
Who got inside Twitter’s systems, though?
Fazeli is facing five years in prison and a $250,000 fine for one count of computer intrusion. Sheppard is being charged with computer intrusion, wire fraud conspiracy, and money laundering conspiracy, the most serious of which comes with a 20-year sentence and a $250,000 fine in the US.
Intriguingly, Sheppard and Fazeli may just be middlemen for the scam — “an unknown individual” with the handle “Kirk#5270” is believed to be the one who got access to Twitter’s internal systems. It’s not clear if the Tampa teen is Kirk#5270, though it sounds like that’s possible. The Sheppard complaint is dated July 22nd, and the Tampa teen wasn’t arrested until today. Originally, “Kirk” claimed to be a Twitter employee, according to a Discord chat log.
Either way, the Tampa teen is currently in jail and being charged with over 30 felony counts, including organized fraud, communications fraud, identity theft, and hacking, Hillsborough State Attorney Andrew Warren said in a news conference describing the arrest. Local NBC affiliate WFLA alerted us to that news.
According to county documents, the teen did “access” the computer systems or networks of Twitter “for the purpose of devising and executing a scheme,” but it’s unclear if that means he had access to Twitter’s internal tools or simply that he had access to the stolen accounts. He’s primarily being charged with “engaging in a scheme to defraud” using each of the high-profile Twitter accounts that were accessed, and using and possessing “the personal identification information” of Obama, Biden, Bezos, Gates, Musk and many others.
Initially, it wasn’t clear whether the 17-year-old was the only suspect in the case. “I can’t comment on whether he worked alone,” said Warren, the Florida prosecutor. He was arrested at his apartment where he lives by himself, authorities stated.
“This was not an ordinary 17-year old” — prosecutor
He’s being charged as an adult — “This was not an ordinary 17-year old,” said the state attorney — and the press conference made clear that law enforcement is considering how bad the consequences of the hack could have been, beyond the $100,000-plus in bitcoin that the teen is alleged to have scammed out of unsuspecting Twitter users.
“This could have had a massive, massive amount of money stolen from people, it could have destabilized financial markets within America and across the globe; because he had access to powerful politicians’ Twitter accounts, he could have undermined politics as well as international diplomacy,” said Warren.
“This is not a game… these are serious crimes with serious consequences, and if you think you can rip people off online and get away with it, you’ll be in for a rude awakening, a rude awakening that comes in the form of a 6 AM knock on your door from federal agents,” he added later.
The teen was “taken into custody without any incident”; his first appearance may be as soon as tomorrow morning, Warren said. He’s being prosecuted in Florida so he can be charged as an adult, suggesting that there may not currently be any federal charges against him.
Twitter provided the following tweet as its statement:
We appreciate the swift actions of law enforcement in this investigation and will continue to cooperate as the case progresses. For our part, we are focused on being transparent and providing updates regularly.
For the latest, see here https://t.co/kHty8TXaly
— Twitter Comms (@TwitterComms) July 31, 2020
Yesterday, Twitter took its first full stab at explaining how attackers managed to penetrate its security and access the company’s internal tools, which they used to take over some of the highest-profile accounts on the service. The company said several Twitter employees were targeted in a “phone spear phishing attack,” which presumably means that hackers called up Twitter employees while posing as colleagues or members of Twitter’s security team and got them to reveal their credentials.
Some private messages were also accessed
In addition to scamming users out of bitcoin, the attackers accessed the private direct messages of 36 Twitter users, including one elected official, and may have downloaded even larger caches of data for seven other users. Twitter claims that no verified users had their private messages or data caches compromised, though, suggesting that Biden, Obama, and others’ DMs could have been safe. President Trump’s Twitter account has long had extra protections, which could explain why it wasn’t hacked.
Here’s the whole press release from the Hillsborough State Attorney’s Office with additional info about the arrest as well as DOJ complaints about the other two individuals. We’re currently withholding the 17-year-old’s name, something that the DOJ has done as well.
Hillsborough State Attorney’s Office tapped to prosecute worldwide “Bit-Con” hack of prominent Twitter users
Tampa, FL (July 31, 2020) — Hillsborough State Attorney Andrew Warren has filed 30 felony charges against a Tampa resident for scamming people across America, perpetrating the “Bit-Con” hack of prominent Twitter accounts including Bill Gates, Barack Obama, and Elon Musk on July 15, 2020.
The Federal Bureau of Investigation and the U.S. Department of Justice conducted a complex nationwide investigation, locating and apprehending the suspect in Hillsborough County.
“These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here. This ‘Bit-Con’ was designed to steal money from regular Americans from all over the country, including here in Florida. This massive fraud was orchestrated right here in our backyard, and we will not stand for that,” State Attorney Warren said.
The investigation revealed REDACTED, 17, was the mastermind of the recent hack of Twitter. He was arrested in Tampa early on July 31. REDACTED’s scheme to defraud stole the identities of prominent people, posted messages in their names directing victims to send Bitcoin to accounts associated with REDACTED, and reaped more than $100,000 in Bitcoin in just one day. As a cryptocurrency, Bitcoin is difficult to track and recover if stolen in a scam.
“I want to congratulate our federal law enforcement partners—the US Attorney’s Office for the Northern District of California, the FBI, the IRS, and the Secret Service—as well as the Florida Department of Law Enforcement. They worked quickly to investigate and identify the perpetrator of a sophisticated and extensive fraud,” State Attorney Warren said.
“This defendant lives here in Tampa, he committed the crime here, and he’ll be prosecuted here,” Warren added. The Hillsborough State Attorney’s Office is prosecuting REDACTED because Florida law allows minors to be charged as adults in financial fraud cases such as this when appropriate. The FBI and Department of Justice will continue to partner with the office throughout the prosecution.
The specific charges REDACTED faces are:
ORGANIZED FRAUD (OVER $50,000) – 1 count
COMMUNICATIONS FRAUD (OVER $300) – 17 counts
FRAUDULENT USE OF PERSONAL INFORMATION (OVER $100,000 OR 30 OR MORE VICTIMS) – 1 count
FRAUDULENT USE OF PERSONAL INFORMATION – 10 counts
ACCESS COMPUTER OR ELECTRONIC DEVICE WITHOUT AUTHORITY (SCHEME TO DEFRAUD) – 1 count
“Working together, we will hold this defendant accountable,” Warren said. “Scamming people out of their hard-earned money is always wrong. Whether you’re taking advantage of someone in person or on the internet, trying to steal their cash or their cryptocurrency—it’s fraud, it’s illegal, and you won’t get away with it.”
Update, 3:33PM ET: We had been continually updating this post, most prominently when the two additional individuals in the UK and Orlando were charged. This marks a breaking point.
Update, 3:50PM ET: Added some of the specific charges against the 17-year-old.