A U.K. national has pleaded guilty in connection with the July 2020 Twitter attack affecting numerous high-profile accounts and defrauding other users of the platform.
Joseph James O’Connor, who also went by the online alias PlugwalkJoe, admitted to “his role in cyberstalking and multiple schemes that involve computer hacking, including the July 2020 hack of Twitter,” the U.S. Department of Justice (DoJ) said.
The 23-year-old individual was extradited from Spain on April 26 after a Spanish National Court, in February, approved the DoJ request to hand over O’Connor to face 14 criminal charges in the U.S.
The massive hack, which took on July 15, 2020, involved O’Connor and his co-conspirators seizing control of 130 Twitter accounts, including those belonging to Barack Obama, Bill Gates, and Elon Musk, to perpetrate a cryptocurrency scam that netted them $120,000 in a few hours.
The attack was made possible by using social engineering techniques to obtain unauthorized access to backend tools used by Twitter, and subsequently leveraging that entry point to seize control of the accounts and, in some instances, sell the access to others. O’Connor himself is said to have purchased unauthorized access to one Twitter account for $10,000.
O’Connor is one of four individuals who have been charged with carrying out the Twitter hack. Nima Fazeli and Graham Ivan Clark were arrested that same month, while O’Connor was apprehended by Spanish authorities in the town of Estepona a year later in July 2021.
Mason Sheppard, according to BBC’s Joe Tidy, has not been arrested. Clark was awarded a three-year jail term after he pleaded guilty to 30 felony charges in March 2021.
In addition to the Twitter incident, the defendant has been charged with computer intrusions related to takeovers of TikTok and Snapchat user accounts, as well as stalking a juvenile victim online.
This entailed orchestrating SIM swapping attacks against two unnamed victims to gain illicit access to their Snapchat and TikTok accounts, respectively, as well as making false emergency calls to law enforcement about a third victim, claiming that the part was “making threats to shoot people.”
SIM swapping occurs when fraudsters contact a telecom service provider under the guise of a victim to port the target’s mobile number to a SIM card under their control, resulting in the victim’s calls and messages being routed to a malicious unauthorized device controlled by the threat actors.
Learn to Stop Ransomware with Real-Time Protection
Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.
The miscreants then typically use control of the victim’s mobile phone number to take over bank accounts and other services held by the victim that are registered to the mobile phone number by taking advantage of call- or SMS-based two-factor authentication.
O’Connor and his co-conspirators have also been accused of employing SIM swapping techniques to siphon cryptocurrency to the tune of $794,000 from a New York City-based crypto company between March and May 2019.
“After stealing and fraudulently diverting the stolen cryptocurrency, O’Connor and his co-conspirators laundered it through dozens of transfers and transactions and exchanged some of it for Bitcoin using cryptocurrency exchange services,” the DoJ said.
“Ultimately, a portion of the stolen cryptocurrency was deposited into a cryptocurrency exchange account controlled by O’Connor.”
O’Connor, who has agreed to forfeit about $794,000 in stolen funds, is scheduled to be sentenced on June 23. The charges carry a total maximum penalty of over 70 years in prison.