Something seemed amiss in the summer of 2020—beyond everything that actually was amiss, I mean—when luminaries including Elon Musk, Bill Gates, and Barack Obama promised their followers on Twitter that they would pay back double any amount that was sent to their Bitcoin accounts. If you gave $1,000 in Bitcoin to Musk, for instance, he would immediately give you back $2,000. Similar tweets surfaced from corporations like Uber and Apple, all of them promoted as a way to support people during the Covid-19 crisis.
Of course, the whole thing was all a big, dumb scam. It was kind of funny, in a nihilistic sort of way, but it was also incredibly disruptive: It took most of a day to sort out the mess, during which time all verified accounts were unable to tweet, and new scam tweets continued to surface. The attack also raised broader concerns about the failure of Twitter's account security, since at least some of the hacked accounts had two-factor authentication enabled.
The "mastermind" of the hack was eventually determined to be a Florida teenager, who was arrested and hit with 30 felony charges including Communications Fraud (over $300), Fraudulent Use of Personal Information (Over $100,000 or 30 or more victims), and Access Computer or Electronic Device Without Authority (Scheme to Defraud). As reported by the Tampa Bay Times, the hacker, Graham Ivan Clark, has now pleaded guilty to state-level charges, and will serve three years in prison followed by three more years of probation.
That sentence is actually the maximum allowed under Florida's Youthful Offender Act, which Clark was eligible to be sentenced under because he was 17 when he pulled off the Twitter hack. It also means that he'll serve his sentence in a juvenile facility, and will be given education and "transition services" to prepare him for adult life once he's served his sentence. If he violates his probation after release, however, he'll face a minimum ten-year sentence in an adult prison.
"He took over the accounts of famous people, but the money he stole came from regular, hard-working people. Graham Clark needs to be held accountable for that crime, and other potential scammers out there need to see the consequences," Hillsborough State Attorney Andrew Warren said in a statement.
"In this case, we’ve been able to deliver those consequences while recognizing that our goal with any child, whenever possible, is to have them learn their lesson without destroying their future."
A couple of weeks after the scam took place, Twitter revealed that he pulled it off through a "phone spear phishing attack" aimed at its employees: Essentially, Clark was able to convince employees that he was a member of Twitter's IT department, which ultimately enabled him to access the company's internal account tools. Twitter described the attack as "a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities."
Despite the apparent obviousness of the scam, I'm sad to say that it was also quite successful—at least temporarily. Clark's scam netted him 12.86 Bitcoin, worth more than $117,000 on the day the hack took place. Law enforcement officials seized all of the Bitcoin he received, however, and it is "expected to be returned to its rightful owners." Two other individuals, 19-year-old Mason "Chaewon" Sheppard of Bognor Regis in the UK and 22-year-old Nima "Rolex" Fazeli of Orlando, Florida, are still facing charges relating to the hack.