IRS-CI Announces Charges Against Three Individuals, Including Florida Teen, In Twitter Hack

Internal Revenue Service – Criminal Investigations (IRS-CI) has announced charges against three individuals for their alleged roles in the Twitter hack that occurred on July 15, 2020.

As part of the attack, verified accounts of high-profile individuals, including those belonging to former Vice President Joe Biden, Amazon

AMZN
CEO Jeff Bezos, Tesla

TSLA
CEO Elon Musk, Bill Gates, Mike Bloomberg, Kanye West, and Warren Buffett, were hacked and manipulated. The attack also extended to corporate accounts including Apple

AAPL
, Bitcoin, and Uber

UBER
. The hacked Twitter accounts tweeted messages promising that payments of $1,000 sent to an anonymous Bitcoin address would be doubled “for the next 30 minutes.”  

If you’re not a Twitter user, high-profile individuals have “verified” their accounts by proving to Twitter they are indeed the real person named on the account. The verification is confirmed with a blue check, like this one:

Additionally, as part of the attack, Twitter accounts belonging to cryptocurrency exchanges Kucoin, Coinbase, Gemini, and Binance directed users to follow a link to a website at cryptoforhealth.com. The site hosted at cryptoforhealth.com led to a webpage that, like the Twitter posts, directed individuals to send bitcoin in exchange for twice the amount of bitcoin deposited in return. 

According to Twitter, approximately 130 user accounts were affected in the hack. A statement made by Twitter on July 16, 2020, via Twitter’s communications account @TwitterSupport, noted: Based on what we know right now, we believe approximately 130 accounts were targeted by the attackers in some way as part of the incident. For a small subset of these accounts, the attackers were able to gain control of the accounts and then send Tweets from those accounts.

According to court filings, the scams were initially successful: the bitcoin account received at least 426 incoming transfers of bitcoin worth nearly $120,000. No bitcoin was ever returned, much less doubled.

In addition to the bitcoin doubling scams, the hackers allegedly tried to sell access to verified accounts. Once Twitter realized what was happening, the social media company shut down verified accounts for some time.

Kelly R. Jackson, IRS Criminal Investigation Special Agent in Charge of the Washington D.C. Field Office, said, about the hack, “The public was confused, and everyone wanted answers. We can now start answering those questions thanks to the work of IRS-CI cyber-crime experts and our law enforcement partners. Washington DC Field Office Cyber Crimes Unit analyzed the blockchain and de-anonymized bitcoin transactions allowing for the identification of two different hackers. This case serves as a great example of how following the money, international collaboration, and public-private partnerships can work to successfully take down a perceived anonymous criminal enterprise. Regardless of the illicit scheme, and whether the proceeds are virtual or tangible, IRS-CI will continue to follow the money and unravel complex financial transactions.”

Charged in the case is Mason Sheppard, a/k/a “Chaewon,” of Bognor Regis, United Kingdom. Sheppard is charged with conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer.

Also charged is Nima Fazeli, a/k/a “Rolex,” of Orlando, Florida. Fazelli is charged with aiding and abetting the intentional access of a protected computer. According to the docket, no hearing has been scheduled for Sheppard or Fazeli.

The potential sentence for the charges are:

• computer intrusion (5 years in prison plus a fine up to $250,000), supervised release, restitution and forfeiture;
• wire fraud conspiracy (20 years in prison plus a fine up to $250,000), supervised release, restitution and forfeiture; and
• money laundering conspiracy (20 years in prison plus a fine up to $250,000), supervised release, restitution and forfeiture.

A third defendant was referred to the State Attorney for the 13th Judicial District in Tampa, Florida, because he was a juvenile. IRS-CI did not reveal his identity in their announcement because of his age, but other media outlets subsequently released his information because he is being charged under Florida state law as an adult. Authorities in Florida have named him as recent high school graduate Graham Ivan Clark, 17, also of Tampa, Florida. Clark has been charged with 30 felonies in the state, including fraud, identity theft, and hacking. According to court records, his arraignment is scheduled for August 4, 2020, via Zoom.

“There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence,” said U.S. Attorney Anderson. “Today’s charging announcement demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived. Criminal conduct over the Internet may feel stealthy to the people who perpetrate it, but there is nothing stealthy about it. In particular, I want to say to would-be offenders, break the law, and we will find you.”

As alleged in the complaints, the Twitter attack consisted of a combination of technical breaches and social engineering. The defendants were identified after an IRS-CI special agent analyzed the bitcoin deposits and withdrawals in the blockchain. The analysis allowed IRS-CI to de-anonymize the transactions, a reminder that cryptocurrency transactions aren’t completely anonymous.

“Upon opening an investigation into this attack, our investigators worked quickly to determine who was responsible and to locate those individuals,” said FBI Special Agent in Charge Bennett. “While investigations into cyber breaches can sometimes take years, our investigators were able to bring these hackers into custody in a matter of weeks. Regardless of how long it takes us to identify hackers, we will follow the evidence to where it leads us and ultimately hold those responsible for cyber intrusions accountable for their actions. Cyber criminals will not find sanctuary behind their keyboards.”

This case is being investigated by the IRS-Criminal Investigation Cyber Unit; the FBI’s San Francisco Division; the U.S. Secret Service, San Francisco and Headquarters; the Santa Clara County Sheriff’s Office and their REACT task force; and the Florida Department of Law Enforcement.

The allegations of a criminal complaint are merely allegations, and the defendants are presumed innocent unless or until the allegations against them are proved beyond any reasonable doubt.