August 6, 2020
Age Is Just a Number? Three Young Men Behind the Recent Twitter Hack
The main perpetrator is Graham Ivan Clark, who went by the tag "Kirk" online. He’s just 17 years old, and he lives in Tampa, Florida. The 22-year-old “Rolex,” identified as Nima Fazeli, is from the same state. The trio is completed by 19-year-old Mason Sheppard, aka "Chaewon," who’s from the United Kingdom.
Only Graham Clark was arrested, facing 30 counts of organized communications fraud and fraudulent use of personal information. The FBI, the IRS, the DOJ, and the Secret Service all joined forces to charge the youngster.
The mass account takeover that happened on July 15 netted the teenage mastermind more than $100,000. Despite his age, Clark will be charged as an adult.
COVID-19 + Social Engineering = They’re In!
Now that Twitter has carried out its internal investigation and the threat actors have been identified, we can describe exactly how their scheme worked without speculating.
“The attack on July 15, 2020, targeted a small number of employees through a phone spear-phishing attack. This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.”
To elaborate on this statement, let’s turn to the findings of Allison Nixon, chief research officer at security firm Unit 221B. According to Nixon, the hackers scraped LinkedIn to find Twitter employees with access to internal tools.
Fraudsters obtained the employees’ telephone numbers and called them, posing as authorized Twitter workers. The pandemic played its role here, as targeted employees working from home did not follow the usual procedures to verify the callers. Following the phone conversations, targets were sent to a phishing page that resembled an internal Twitter VPN. The attackers bypassed the 2FA protection by entering the codes provided by employees, and from there, they had the access they needed.
This research casts doubt on the New York Times report that fraudsters breached employee Slack accounts and obtained Twitter backend credentials that were pinned inside a Slack channel.
The theories about the bribing of some Twitter employees and SIM swapping have also been disregarded as a result. Following the compromise, 130 Twitter accounts were targeted, with password resets initiated for 45 profiles. Additionally, Direct Messages were accessed on 36 accounts, and Twitter data from 7 profiles was downloaded through the "Your Twitter Data" feature.
It took the authorities two weeks to identify and charge those involved in the compromise. One may wonder if the status of those affected had something to do with the fast progress. While that could be one of the reasons, several intermediaries for this operation decided to come clean and distance themselves from the hack after it blew up in the media.
“Encountering Kirk was the worst mistake I’ve ever made due to the fact it has put me in issues I had nothing to do with,” shared Mason Sheppard. “If I knew Kirk was going to do what he did, or if even from the start if I knew he was a hacker posing as a rep I would not have wanted to be a middleman.”
Plus, Brian Krebs once again provided remarkable coverage of the whole operation, unveiling Mason’s persona just one day after the incident.
Can’t Put an Old Head On Young Shoulders, Only a White Hat
I reckon this is not a classic example of being “young and dumb,” as “Kirk” Graham Clark went all-in in his quest.
This whole hustle did not start because someone online wanted an original and rare username on Twitter. It was much bigger than that. While Graham was quite short-sighted when it came to the “end game,” the reconnaissance part of his operation worked to a tee.
Some of us said that a Twitter hack that netted its mastermind “only” $100,000 was a flop, but now that we know how young the brains of the operation were, it all makes sense.
Episode 62 of the brilliant podcast called “Darknet Diaries” tells a story about a young man who had an unusual hacking motivation.
Teenagers are not as likely to run away with millions. Most of them will not use the power in their hands to drive some political agenda, which is one of the undeniable positives we can take away from this situation. I strongly recommend checking out episode 62 of The Darknet Diaries to learn about a guy who DDoSed Sea World for their treatment of whales.
The age should not surprise you one bit, as a report by the National Crime Agency found that UK cybercrime suspects are just 17 years old on average, with some as young as 12. The average age of those arrested for drugs and financial crime is 37 and 39, respectively.
The UK is far more lenient to young hackers than the United States, trying to reform adolescent lawbreakers into white hat security professionals, so Graham Clark might envy the position of Mason Sheppard right now.
The comic image of a slumping figure in a hoodie has little to do with how hackers look in real life. The romanticism of this activity is also blown out of proportion. The means of compromise were not sophisticated, but they were pulled off perfectly. The trio leveraged social engineering to gain access, which reminds me of the Kane Gamble case.
The teenager who hacked the CIA Chief is now a part of a curious “Project Insecurity” - a computer security organization and an education platform that focuses on vulnerability identification and remediation. Most notably, it employs former criminals in an attempt to give them a second chance.
“Those who have hacked maliciously have a deeper understanding of such concepts, and that their talent should not be put to waste.”
While the guys above are not related at all, you can spot some similarities between them.
Perhaps young lads from the UK will deliberately hack someone big to get a sentence and a nifty security job when they turn into adults.
I’m curious to learn about the stance of other security people on this matter. Should juvenile criminals be given so much leeway? Is it the only way to turn them away from the slippery slope of cybercrime?

Recently I also saw the news about the failed Zoom court hearing involving Graham. Only feels right to link up the article about all the security woes of the viral application...