Naked Security

Bitcoin scammer who hacked celeb Twitter accounts gets 3 years

Youngster behind blue-flag Twitter hack of Elon Musk, Bill Gates, Apple Inc. and many others will do three years in prison.

Remember when a whole bunch of celebs and top brands apparently went crazy tweeting about Bitcoin?

It happened in July 2020, when many prominent blue-badged Twitter accounts suddenly started sending out scammy cryptocoin messages.

Fake tweets were blasted out from compromised accounts belonging to an eclectic range of high-profile people and companies, including Joe Biden, Elon Musk, Barack Obama, Bill Gates, Apple and many others.

The scam was based on a catchy, if unlikely, proposition: pay $X in bitcoins to the happy-go-lucky celeb, and they’d later pay you back $2X, presumably because you’d have helped to stimulate trading in Bitcoin by doing your $X transaction in the first place.

“Feeling greatful [note spelling blunder], doubling all payments made to my Bitcoin address,” said one message, urging people to pay out $1000 now, with a $2000 payback to follow later.

(Cynical recipients of these messages no doubt stopped to think that the world’s richest people generally didn’t achieve their wealth by selling products and services at a 50% loss, given that making a profit depends, by definition, on taking in more money than you pay out.)

Social engineering

It soon transpired that Twitter had lost control of numerous high-profile accounts to gift-of-the-gab cybercriminals – social engineers, in popular parlance – who had tricked Twitter staff into handing over internal account passwords for Twitter systems.

Those passwords ultimately allowed the crooks to log in to internal Twitter servers that would usually only be used by Twitter support staff.

Apparently there was (at the time, anyway) no secondary protection such as two-factor authentication or managerial approval to guard against unauthorised updates to critical data such as the email address associated with a Twitter account, even a blue-flagged “verified” account.

The crooks were therefore allegedly able to set themselves up to receive password reset notifications for 45 accounts, out of the 130 that they tried to take over, and thereby to get direct control of the Twitter feeds of Musk, Gates, Apple et al.

But what was embarrassing for Twitter and 45 of its blue-flag users was much worse for hopeful victims who “invested” a total of BTC 12.86 (about $120,000 at the time) in the scam.

As one of the law enforcement agents who investigated the attack noted wryly in his affidavit, “No bitcoin was ever returned, much less doubled.”

Charges brought

The investigation quickly led to arrests, with one of the suspects charged for this attack being just 17 years old at the time.

Despite his youth, he nevertheless had his bail set at a whopping $725,000.

That bail hearing achieved a measure of world-wide fame it could have done without, having been Zoombombed by numerous online interlopers who blasted the courtroom with music, profanities, rants against the judiciary and, perhaps unsurprisingly, porn.

https://nakedsecurity.sophos.com/2020/08/06/porn-blast-disrupts-bail-hearing-of-alleged-twitter-hacker/

The accused, Graham Ivan Clark, was said in August 2020 to have escaped prosecution as a 16-year-old in a 2019 case in which he voluntarily paid back BTC 100 (about $1 million at the time, which is not an amount that you’d expect many 16-year-olds would have in their possession) to investigators.

According to a New York Times story published around the time of Clark’s bail hearing, those 100 bitcoins were part of a larger haul of BTC 164 taken from a Seattle technology investor, who was the victim of a SIM swap.

Interestingly, that would have left BTC 64 unaccounted for – an amount that was, at the time, very close to the $725,000 bail fee set by the court.

https://nakedsecurity.sophos.com/2017/05/02/fraudsters-draining-accounts-with-sim-swaps-what-to-do/

Plea deal done

Clark has now made what is known in America as a plea agreement with prosecutors, whereby he will accept a sentence of three years in prison followed by three years on probation in return for pleading guilty to and accepting responsibility for the crime.

Clark has apparently been in custody since his arrest at the end of July 2020 – it seems he didn’t come up with the money needed to make bail, after all – and that time will be counted towards his three-year stretch.

According to the Florida judiciary, Clark will serve his sentence as a youngster, given that he was under 18 at the time he committed the crime, but will get at least 10 years in an adult prison if he violates the terms of his juvenile probation following his release from custody.

If there’s any good news in all of this, it’s that the court’s report says that “Law enforcement officials seized all the Bitcoin received by Clark through this ‘Bit-Con’ scam and it is expected to be returned to its rightful owners.”

With BTC 1 now worth about five times as many dollars as it was at the time of the scam, the victims may come out ahead after all, but not through any effort on Clark’s part – and not to the tune of two-times-five-times better off, of course, which is where they’d be if Clark had been telling the truth.

What to do?

To help you protect yourself from ‘Bit-Con’ scams of this sort, we’ll repeat the advice we gave last year when news of this crime hit:

  • If a message sounds too good to be true, it IS too good to be true. If Musk, Gates, Apple, Biden or any well-known person or company wanted to hand out huge amounts of money on a whim, they wouldn’t demand that you hand them money first. That’s not a gift, it’s a trick, and it’s an obvious sign that the person’s account has been hacked. If in doubt, leave it out!
  • Cryptocurrency transactions don’t have the legal protections that you get with banks or payment card companies. There is no fraud reporting service or transaction cancellation in the world of cryptocurrency. Sending someone cryptocoins is like handing over banknotes in an envelope – if they go to a crook, you are unlikely ever to see them again. The fact that the stolen bitcoins were apparently recovered in this case can be considered a lucky exception, not the rule. If in doubt, don’t send it out!
  • Look out for any and all signs that a message might not be real. Crooks don’t have to make spelling mistakes or get important details wrong, but often they do, like the word greatful (should be grateful) in the example above. If the crooks do make a blunder, such as writing 50$ when in your country the currency sign comes first, or making a mess of their own phone number, or using clumsy or unnatural language, don’t let them get away with it. Treat it with doubt unless everything checks out!

LEARN MORE ABOUT SOCIAL ENGINEERING

We talk to world-renowned social engineering expert Rachel Tobac.

3 Comments

Throwback Thurs…er, Wednesday:
Legend has it that Kevin Mitnick is able to whistle nuclear launch codes into an ordinary telephone. He has owned the phone company and NORAD. We must bar him from ever touching a computer again.
That hyperbolic sentence (I believe it was ten years, but I’m probably wrong) was based in paranoia and bolstered by ignorance of technical limitations of the system–let alone Mitnick’s abilities.
It was as if one of the X-Men had suddenly been incarcerated, and we mere humans had to protect ourselves from ever allowing Magneto within 500 yards of anything iron.

However, for a repeat (millionaire) offender post-slap-on-the-wrist, it seems that banning someone from all electronic access is actually an appropriate response this time.
I guarantee this guy has had a conversation with friends that included
“Yeah I learned my lesson: don’t get caught.”
Flip phone and land line, dude–that’s all you get until 2031.

PS: Strange way to get a ROI–first time I ever wished I’d been ripped off.
:,/

It wasn’t 10 years. I think he served 5. (And it was a second offence committed while he was still on probation after the first.)

Five years–you were right, of course.
:,)
I’m likely hypersensitive to stealing people’s savings because I don’t have as much saved as I should by now. But wrong is still wrong.
I should note that I’m not firmly in the “Free Kevin” crowd, touting what an angel he is. He absolutely was inviting trouble in violating his supervised release.
But the mystique surrounding Mitnick was magnified by a wider ignorance of his potential in a burgeoning crime genre. Not that cloned cellphones and forged bus passes are less wrong…yet less likely to ruin someone’s life.
OTOH, Clark seems comfortable with wide-reaching theft twice before 18–far more serious than liberating a Snickers bar from the local market. I’m all for second chances when someone makes a dumb mistake, but malevolence and sociopathic mass fraud is different. While orders of magnitude discern Graham Clark from Bernie Madoff, the sentiment is identical.
This guy needs some extended offline time.
Or at least the rest of us need him to have it.
As always Duck, I appreciate your advice and the effort you expend on Naked Security to help keep people safe. Please allow me to now slink back into my hole to de-ruffle my feathers…
