Twitter hacker pleads guilty in US court

Graham Ivan Clark's plea agreement brings some closure to one of the oddest and most alarming episodes in Twitter's history. PHOTO: NYTIMES

TAMPA, Florida (NYTIMES) - The young hacker accused of being the mastermind behind a breach last year of high-profile Twitter accounts pleaded guilty Tuesday (March 16) in a Florida court, agreeing to serve three years in juvenile prison.

Graham Ivan Clark, 18, faced fraud charges after a hack that compromised Twitter accounts belonging to Elon Musk, Jeff Bezos and former President Barack Obama, among other celebrities.

Under Clark's control, the accounts tweeted fraudulent messages soliciting bitcoins, promising to double the money of anyone who sent cryptocurrency. The scheme netted more than US$100,000 (S$134,533) worth of bitcoins before it was shut down.

Clark's plea agreement brings some closure to one of the oddest and most alarming episodes in Twitter's history. In an election year that had already pulled the company into the centre of American politics, the breach raised questions about Twitter's corporate security and generated speculation that state-sponsored hackers could be responsible, rather than teenagers.

The arrest of Clark also raised questions about how someone so young could penetrate the defences of what was supposedly one of the tech industry's most sophisticated companies. The attack took control of Twitter's internal systems that are used to manage accounts, and forced Twitter to temporarily block verified accounts from tweeting as the company scrambled to push the hackers out of its systems.

In the aftermath, security experts said Twitter was lucky that its security weaknesses were exposed by a group engaged in a moneymaking scheme, rather than government-affiliated agents looking to steal credentials or gain access to private conversations.

Twitter declined to comment on Clark's plea deal.

Clark grew up in Tampa and, as a child, found ways to trick players of the video game Minecraft, people who knew him at the time told The New York Times. He moved on to selling and swapping rare social media user names on the forum OGUsers, where he connected with other hackers who said they participated in the Twitter breach.

The hackers, who prosecutors said were led by Clark, initially used their access to Twitter's internal systems to take over accounts with unusual user names like @dark and @vague, which they sold on OGUsers for thousands of dollars. But as the day of the attack wore on, the hackers changed tactics. Accounts belonging to celebrities and cryptocurrency companies tweeted messages that promised to double the money of anyone who sent bitcoins.

But the offer was a scam. "No Bitcoin currency was returned as promised to these victims," Darrell Dirks, a prosecutor with the State Attorney's office, said during a court hearing Tuesday.

Two other young men, Nima Fazeli and Mason Sheppard, were also arrested and faced charges related to the hack.

Clark, who appeared in court Tuesday via videoconference, pleaded guilty to the 30 charges against him. In a deal with prosecutors, Clark agreed to three years in juvenile prison followed by three years of probation. He also agreed not to use computers without permission or supervision from law enforcement. If he violates the terms of the deal, he could face 10 years in adult prison.

Because Clark is classified as a youthful offender, under a Florida law that offers more lenient sentencing terms to young people, he may be eligible to serve some of his sentence in a boot camp. He turned over the cryptocurrency he owned at the time of his arrest, prosecutors said, and it will be used to pay restitution to the victims of the hack. He will receive 229 days credit for time served since his arrest last year.

"He took over the accounts of famous people, but the money he stole came from regular, hardworking people. Graham Clark needs to be held accountable for that crime, and other potential scammers out there need to see the consequences," the state attorney, Andrew Warren, said in a statement.

"In this case, we've been able to deliver those consequences while recognising that our goal with any child, whenever possible, is to have them learn their lesson without destroying their future."

David Weisbrod, a lawyer for Clark, declined to comment on the plea deal.

Join ST's Telegram channel and get the latest breaking news delivered to you.