
Tampa teen accused of being ‘mastermind’ behind Twitter hack - Firebrand
https://www.wfla.com/news/hillsborough-county/tampa-teen-accused-of-being-mastermind-behind-twitter-hack-that-targeted-high-profile-accounts/
======
dang
See also [https://www.justice.gov/usao-ndca/pr/three-individuals-
charg...](https://www.justice.gov/usao-ndca/pr/three-individuals-charged-
alleged-roles-twitter-hack)

(via
[https://news.ycombinator.com/item?id=24012968](https://news.ycombinator.com/item?id=24012968),
but we merged the threads)

Also: don't miss that this thread has multiple pages of comments. That's what
the "More" link at the bottom of the page points to. Or you can click here for
page 2:

[https://news.ycombinator.com/item?id=24011939&p=2](https://news.ycombinator.com/item?id=24011939&p=2)

------
Taek
Hitting a 17yo with 30 felony charges feels a bit steep to me.

Also should any repercussions be considered against Twitter that a 17yo was
able to gain access to the private messages of potentially some of the most
important individuals in the world?

If a 17yo could do it, I'm sure a nation state could do it.

~~~
slg
The age of the attacker is irrelevant to Twitter's role in this story. However
your underlying point still stands. If we want these types of attacks to stop,
we can't just let all these companies off with a public embarrassment being
the primary punishment. At a certain point we have to start calling it
negligence when companies fall for these attacks and fail to have proper
precautions in place to prevent them.

~~~
nickff
From memory, I recall the FBI did a study, and found that half of their
employees would plug in a USB drive that they found on the ground in the
parking lot. After training, that number was reduced to a quarter. If a
security-focused government police agency is so vulnerable, it is unreasonable
to expect perfection from a (less paranoid) company.

~~~
Veserv
Except this is not expecting perfection, it is expecting a level of security
that can prevent children, literal children, from walking right through it.
Which would not even be a problem except for the fact that this is far, far
less than what Twitter has led their average user and stockholder to believe.
To illustrate my point, if Twitter told the truth in big bold print at the top
of every page so every user knows: "Determined teenagers can take over your
account at any time." do you think this might outrage their users or harm
their stock price? Did Twitter at any point say anything that might indicate
that this is the truth of the matter and that would not be easily misconstrued
by users? The evidence indicates yes, they would be outraged, and no, they at
no point ever said anything that would lead anybody to believe that this was
possible and hilariously easy. So, it hardly matters that maybe they or
anybody else (say the FBI) can not provide a high level of security, what
matters is that they committed material fraud in egregiously misrepresenting
their product security to their users and stockholders.

~~~
davinic
Exactly. At least one of these kids used their personal gmail account on the
hacking forum. These are not advanced hackers.

~~~
ta17711771
They've done more than you, and majority of others, though.

~~~
CydeWeys
And robbers have done more robbing than me too. It's not a competition I'm
interested in entering.

------
montenegrohugo
If this turns out to be true, then we can conclude two things:

1\. It's incredible that the security of Twitter allows for a solitary 17-year
old to gain full access to (any) account.

2\. This also explains why the profit of the hack was 'only' ~$100k. Many
speculated about how incredibly valuable such a hack could be and how much
more a group could have profited from this hack. Using it for two hours of
bitcoin scamming seemed very amateurish. I suppose this explains it.

~~~
imgabe
People did say things like you could have made a fortune shorting stock by
tweeting something insane from Elon Musks account. I don't buy that as
necessarily better than a Bitcoin account. Stock transactions are heavily
regulated and monitored. You'd leave a pretty large paper trail of any stock
manipulation you hoped to profit from.

Of course Bitcoin is highly traceable as well, so maybe the lesson is hacking
into high-profile Twitter accounts just isn't as profitable as you'd hope?

~~~
dkersten
The stock idea is dumb, in my opinion, because there were safer (no SEC) ways
that required less capital and didn't require fancy trade accounts.

For example: buy up a load of super cheap shitcoins. Can be done for under
$100. Then tweet from an exchange like Binance that they will shortly be
listing said shitcoin. Watch the price go up, sell.

Or, with a bit more money, short one of the cryptocurrencies, tweet from a big
exchange that they were hacked, profit on the panic selling.

The nice thing is, they could do one or even multiple of these and _still_ do
the scam.

~~~
DabbyDabberson
if you're someone whose regularly traded 10s of thousands of certain stocks
over the last few years, it would be nearly impossible for them to detect a
$100k profit from stock manipulation. especially a high volume stock like TSLA

~~~
janmo
Especially that Tesla is shorted so much. That said, shorting even with
leverage requires you to have some money to invest. If you are 17 you are most
likely broke.

~~~
DabbyDabberson
But the fact that _I_, could have made a higher return still holds. If I was
17 and broke, yeah the whole stock manipulation thing wouldn't be my first
choice.

------
indigochill
I have an unrealistic idea (more of a thought experiment) that companies
should face equal culpability to criminal hackers in attacks. After all,
technically the way the hackers use systems /is/ authorized in a sense, even
if the method of obtaining authorization is unconventional. Maybe this would
get companies to pay more attention to securing their systems.

From a certain perspective, Twitter is an accomplice to fraud by providing the
platform and the access to the fraudsters (although I'm fuzzy on whether
knowledge of one's aiding of a crime is necessary for an entity to be legally
considered an accomplice - probably is).

And yes, the charge count is insane but the US loves holding a bit of life-
ruining theater when they catch hackers threatening commercial interests. e.g.
Aaron Swartz's conviction:
[https://en.wikipedia.org/wiki/Aaron_Swartz#Arrest_and_prosec...](https://en.wikipedia.org/wiki/Aaron_Swartz#Arrest_and_prosecution)

~~~
ChrisLomont
Should we make homeowners equally criminally liable when burglars break in?
Certainly if the homeowner had been less lax or obtained more security, that
burglary could have been prevented.

~~~
nkrisc
Like most things in life: it depends.

Your home was broken into and your jewelry stolen? No, you're not criminally
liable for anything, you were the only victim.

Your home was broken into and they stole the stack of personal records for
your small business' employees that you left sitting on the dining room table?
Yes, you should be liable for that because you were not the only victim and
those others were victimized due to your own negligence. The documents were
not properly secured, was your home properly secured as well given the
sensitive material you were housing there?

It doesn't have to be a binary thing either, there's nuance to it. A hacker
steals unencrypted personal information off a server you didn't even password
protect? You're more liable than a company that lost personal information that
was strongly encrypted.

~~~
nexuist
> Your home was broken into and they stole the stack of personal records for
> your small business' employees that you left sitting on the dining room
> table? Yes, you should be liable for that because you were not the only
> victim and those others were victimized due to your own negligence. The
> documents were not properly secured, was your home properly secured as well
> given the sensitive material you were housing there?

This is one of those ideas that seems to be made in good faith but ultimately
harms the competition far more than it harms the industry leaders. Twitter can
afford cameras and alarm systems for its data centers; I can’t. Twitter can
afford to hire armed guards; I can’t.

The ultimate end result of a policy like this is that people will simply kill
anyone trespassing on their property; after all, who knows what documents they
may have seen or confidential records they may have exfiltrated. It’s way too
heavy handed.

~~~
nkrisc
> The ultimate end result of a policy like this is that people will simply
> kill anyone trespassing on their property;

That will probably get you more jail time than whatever other liabilities you
might have had, which realistically maybe would have just been civil anyway,
were some policy like this to become real.

But put another way, in context of business collecting personal user data: if
you can't secure it, don't collect it. If your business isn't viable then,
well, tough shit.

------
ziddoap
I was under the (apparently false?) assumption that under-18s couldn't be
named. The alleged mastermind here is 17, yet is named and pictured.

Interestingly, when I first checked this out ~8 minutes ago, they stated that
they would not name the alleged mastermind due to the fact he was under 18. In
the update ~4 minutes ago, they have removed that section and named him.

~~~
henryfjordan
Florida has some of the most permissive laws about mugshots and criminal info.

The reason for the "Florida Man" meme is not that people in Florida are more
weird than anywhere else, just that it's easier to find the mugshots online.

~~~
ipsin
The story below the linked one is how a man rammed his way into a gated
community, beat two people to death with a baseball bath, and then the police
found the suspect unconscious after he drank some bleach.

That seems more weird than my local news, by a bit.

~~~
jdmichal
Maybe it's weirder than your local news, because your local news never finds
out about those weird police calls like they do in Florida?

~~~
perl4ever
It's my opinion that Florida is weirder, because driving around, the weird
signs of weird people (roadside, or on their vehicles for instance) are
weirder and more common than up north. Not an airtight proof, but an
independent datum not biased for the same reasons as the news.

------
pojntfx
"Our European visitors are important to us.

This site is currently unavailable to visitors from the European Economic Area
while we work to ensure your data is protected in accordance with applicable
EU laws."

nice

~~~
nightcracker
Why do all these prompts use doublespeak so blatantly? It's actually insane.

"Your privacy matters to us." -> Then why are you asking me to give it up? If
my privacy mattered to you you wouldn't even ask to install tracking cookies
and gather my data.

~~~
_jjkk
It's not doublespeak. What would you have the message say?

It's a legacy site and they haven't finished implementing out-out-only / data-
deletion / etc... I wouldn't assume malicious intent.

~~~
function_seven
It's been quite awhile now since the GDRP protections have been around. If
they haven't finished removing tracking by now, then they're lying when they
say "your privacy matters to us".

No, it doesn't. If it mattered, then you would act like it.

~~~
SpicyLemonZest
This isn't the New York Times. I don't think it's reasonable to expect the
local news for a mid-sized American city to prioritize implementation of the
EU's data rules.

~~~
function_seven
Sure, but it's plenty of time to just remove tracking cookies altogether.
Which would have been easier to implement than what they're doing now
(geolocating visitors, serving custom messages depending on jurisdiction,
etc.)

I mean, if my privacy matters to them.

I know the online news business is difficult to monetize. Only a handful of
major news orgs can put paywalls up and charge subscribers directly. I get
that.

So, what they do instead is use 3rd party ad networks and analytics, and
traffic in my personal data, while telling me that my privacy matters.

That's why this is doublespeak. They're saying one thing (my privacy matters)
while doing another (funding their operations in part on my personal data).

Is it the only viable model for them? Maybe. That's not really relevant,
though.

~~~
rtx
Your privacy matters, only if you pay. I don't click on content site links
where I am not a customer.

------
aerovistae
It's sad to me how the authorities are bragging about how quickly they caught
them and how effective they are at solving this type of crime.

The truth is, the vast majority of these crimes go unpursued. They handled
this quickly because it was so prominent, but if this happened to an everyday
individual, the police wouldn't even bother.

I don't see this as much of a triumph. It never should have happened in the
first place, and the consequences could have been utterly dire if it hadn't
just been teenagers running a Bitcoin scam. This isn't a victory for nation-
state security, it's an utter failure, and no policy changes have been made to
prevent it happening again.

So what we have is a world in which our leadership is vulnerable to hackers,
as are the rest of us, but only attacks against the rich and famous have
actual consequences. It's the worst of all worlds.

~~~
bmitc
It's also just another case where those not in power who attacked those in
power are swiftly and promptly dealt with versus those in power perpetuating
the same attacks go free. I would rather see them gloat over putting people
with real power and influence with their attacks in jail versus bragging about
locking up teenagers and people in their early twenties.

There's a quote in the article, "There is a false belief within the criminal
hacker community that attacks like the Twitter hack can be perpetrated
anonymously and without consequence", which just reiterates this perception of
the justice system being "hard" on crime. Yet it conveniently ignores being
soft on crime if you're rich or in power.

------
bilbopotter
Obviously what they did is wrong but the kid is 17. To me this is a prime
example of where a short sentence or community service should be used. Don't
ruin his life - he could be a useful employee for a tech company.

~~~
Waterluvian
American justice is rarely about rehabilitating the perpetrator. It’s about
ensanguinating the bloodthirsty and making the fearful feel safe.

~~~
TeeMassive
And enriching the private prisons owners, who then lobby both parties for
harsher sentences and this is why the US, a free democracy, has the highest
incarceration rate in the World.

~~~
kingbirdy
Private prisons represent only ~8% of the US state & federal prison
population[0]. Private prisons, while bad, are a distraction from the larger
issues of policing and incarceration in the US and aren't the reason why we
have so many people locked up. Almost half of all federally incarcerated
people in the US are there for drug-related offenses[1] thanks to the "War on
Drugs", that's where you want to be focusing your efforts on change.

[0]: [https://www.sentencingproject.org/publications/private-
priso...](https://www.sentencingproject.org/publications/private-prisons-
united-
states/#:~:text=Private%20prisons%20in%20the%20United%20States%20incarcerated%20121%2C718%20people%20in,in%202012%20with%20137%2C220%20people).

[1]:
[https://www.bop.gov/about/statistics/statistics_inmate_offen...](https://www.bop.gov/about/statistics/statistics_inmate_offenses.jsp)

~~~
bmitc
While that percentage is low, it doesn't tell the whole story. Private prisons
are certainly a major symptom of the problem with our prisons. The U.S. has
the largest private prison population in the world, and you'll note from your
own link that the private prison population from 2000 to 2019 increased by
39%. Also, for federal prisons, the percentage of inmates in private prisons
is 19.1%. These are definitely problems and discussing them also helps discuss
the big issues such as why in the hell we're incarcerating so many people.

[https://www.sentencingproject.org/publications/capitalizing-...](https://www.sentencingproject.org/publications/capitalizing-
on-mass-incarceration-u-s-growth-in-private-prisons/)

~~~
kristofferR
And private prisons create an insane incentive to increase incarceration in
order to increase profits.

------
ggggtez
Imagine a 17 year old robs a bank and steal 100k from the savings accounts of
random people.

Or a 17 year old steals a couple of cars from random people off the street...

The crime is not breaking into Twitter. The crime is theft. Twitter didn't
steal that money, this guy did. Let's not pretend the internet is a magical
land without consequences.

~~~
Taek
> Imagine a 17 year old robs a bank and steal 100k from the savings accounts
> of random people.

I think that's a great comparison. But it's not an armed robbery, it's a
break-and-enter where no property gets destroyed.

How many felonies does the robber get after being caught? I don't actually
know but I'm guessing 1-3? Certainly stealing $100k is a deserving felony. But
30 felonies seems a bit steep.

~~~
user5994461
The guys have a very long history of scams, with $700 000 seized before this
twitter thing it seems.

That money is very much destroyed for the people whom it was stolen from.

------
dshep
Trying to paint this 17-year old kid as a criminal mastermind strikes me as
rather gross. I can see it as a kid doing it to see if he could, and using an
obviously meme-worthy fake post that got out of hand. I think everyone has
done some dumb things at this age without thinking about the consequences. If
that is the case here, I hope this doesn't ruin the guys life.

~~~
justchilly
Would that apply to criminals of all ages, based on their intelligence /
mental maturity? Plenty of incarcerated 18+ adults with less brainpower than
this guy were deemed responsible for their actions.

~~~
webkike
I think there are some arguments here to be made about the development of the
prefrontal cortex. You may not be as “intelligent” as someone who is 17, but
if you’re over the age of 25 your decision making capabilities are likely much
much better.

There’s a lot of evidence to support this. I will present my own anecdotal
evidence because hacker news loves that stuff. I acutely felt my decision
making improve a few months before I turned twenty five. It hit me like a
wave, and reflecting on my past decisions felt like looking at the actions of
a completely different person. If I were in different, more difficult
positions when I was younger, it is unlikely that my decisions would be as
rationally thought out as they would be now.

~~~
chrononaut
> I acutely felt my decision making improve a few months before I turned
> twenty five. It hit me like a wave, and reflecting on my past decisions felt
> like looking at the actions of a completely different person.

I don't know if this actually exists, but I experienced something similar:
Starting at around 17 I decided to ask myself at every birthday whether I
thought I was more mature as a person than the year before, which I think
relates to proper and holistic decision making. I kept saying "yes" to this
question until I was 24.

------
donarb
The story has been updated, three people have now been charged, the teen, a
man from Orlando and a man from the UK.

[https://www.theverge.com/2020/7/31/21349920/twitter-hack-
arr...](https://www.theverge.com/2020/7/31/21349920/twitter-hack-arrest-
florida-teen-fbi-irs-secret-service)

~~~
pier25
> _Originally, “Kirk” claimed to be a Twitter employee, according to a Discord
> chat log_

So these guys were able to get into Twitter but they chatted freely on Discord
without considering everything would be recorded?

And then they make one of the most public hacks in recent history without
considering _someone_ would go through all the logs with all the noise they
made?

~~~
lomoeffect
> Sheppard had used a personal driver’s license to verify himself with the
> Binance and Coinbase cryptocurrency exchanges, and his accounts were found
> to have sent and received some of the scammed bitcoin.

Didn't even layer the Bitcoin through an anonymiser like Monero and extra
Bitcoin wallets. Just sent and received BTC directly to an account linked with
photo ID on multiple exchanges. Incredible really!

~~~
manjalyc
If anything I'm amazed at this level of technical incompetence (or is
ignorance a better word) from a group of people that hacked twitter...

------
bawolff
I'm not really surprised.

* the attacker (allegedly) bragged to the press * the attack only involved phising and social engineering. (Its a bit unclear, but that's what it looks like)

Bragging to the press is a definite sign of someone doing it for the lulz.
Criminals know better than to brag about their crimes publicly, that is how
you get caught. Bragging definitely fits into the sterotypical motivation for
most teenage hackers.

Social engineering is a skill, but its also a skill that a smart teenager is
likely to have. Its not a super high sophistication attack. Its not a spy
movie attack where people are breaking into offices, coercing employees,
finding 0-days in the webserver etc. Its an attack that a dedicated teen could
teach themselves and pull off themselves, no special resources needed.

~~~
tantalor
> Its not... coercing employees

How do you know? Coercion is a type of social engineering.

~~~
bawolff
All i know is that nobody has yet to claim that. I suspect he would be charged
with something related to that if he did, but you're right we dont know the
details of what he did precisely.

------
par
> Today’s announcement proves that cybercriminals can no longer hide behind
> perceived global anonymity

Anyone know what the loose end was that got these guys busted?

~~~
koolba
If they were dumb enough to waste such a high value target on a small scale
bitcoin scam then I wouldn’t be surprised if they were dumb enough to perform
the malicious actions from their home IP address.

~~~
SV_BubbleTime
Didn’t the hack need internal access? VPN maybe?

~~~
function_seven
Sure, but if they connected to the VPN from their own IP, then that's not
going to hide anything.

~~~
thinkloop
Is connecting to a VPN through another secure VPN doable/benefit?

~~~
Nacraile
Doable, although annoying to configure correctly. Beneficial if you want to
obscure your identity from the second VPN server (i.e. Twitter's, in this
case, which ought to be logging connections)

------
qppo
They should have just scammed old people with spoofed phone numbers, then the
government would never have caught them.

~~~
throw_m239339
Well their biggest mistake was to live in US and be US citizens. Most of the
people operating high scale phone scams live abroad, India, Africa, South East
Asia...

Don't do that though, don't scam people.

------
jermier
Probably could have earned a lot more from his exploits if he went the formal
route and directly confronted Twitter. But then who even knows if Twitter are
a good 'first responder' when it comes to high-profile exploits of their
system.

There was a recent post about some researcher who exposed flaws in Tor's
architecture (which allowed third parties to detect Tor traffic easily) and
Tor's staff didn't respond; so she published the finding without going through
the proper channels, both embarrassing Tor staff, and simultaneously
strengthening the Tor network.

The 'I'm going to publish this sploit because you didn't respond' is a good
tactic and I want to see more people do it. It's just unfortunate that the
various channels like HackerOne[0] or wherever the skiddies flock to these
days are not utilized thoroughly.

[0] [https://www.hackerone.com/](https://www.hackerone.com/)

~~~
gruez
does hackerone cover social engineering exploits? I doubt it.

~~~
MattGaiser
They should. You should get $200 if you can get an employee's password.

~~~
dane-pgp
I'm wondering what the objection is against this. There might be a conflict of
interest in allowing an employee to share a bounty with a friend by giving the
friend their password, but the rules of the bounty (and the employment
contract) should be able to prevent that scenario.

In theory, any sensitive operation (such as changing the email address of a
verified account) could be made to require approval from a second (randomly
chosen) employee, and that second employee should see a log of recent actions
taken by the first employee. An attacker may still manage to avoid raising
suspicion for the first few targets, though.

------
dig1
"Someone has to go to prison, Ben" \- quoting Harvey Keitel from National
Treasure movie (1:50) [1]

[1]
[https://www.youtube.com/watch?v=co4EsnwAM1Q](https://www.youtube.com/watch?v=co4EsnwAM1Q)

~~~
cryptoz
For all its flaws, I love that movie.

Based (loosely) on the Beale ciphers, a real-life combination of cryptography,
myth, and scams (probably)

[https://en.wikipedia.org/wiki/Beale_ciphers](https://en.wikipedia.org/wiki/Beale_ciphers)

------
bluedevil2k
> the scheme reaped more than $100,000 in Bitcoin in just one day

That's actually...pretty disappointing. I would have guessed into the 7 digits
just based on how many Americans, and people in general, love a get-rich-
quick-scheme.

~~~
ideals
All of the popular crypto currency exchanges blocked the btc address. The same
one was used on all accounts. They acted faster than Twitter in mitigating
this issue.

------
js2
When I was a teen I made long distance phone calls using calling card numbers
that were not my own, obtained through a war dialer. I'm pretty sure I never
would've gone as far as this kid did, but who knows. I hope this doesn't ruin
his life.

~~~
psanford
Kevin Mitnick seems to be doing just fine now.

------
stevievee
The announcement video is quite intense and feels odd for some reason. Maybe
it's the aspect ratio or cold intro - not sure.
[https://youtu.be/z80K3-q3Kqg](https://youtu.be/z80K3-q3Kqg)

~~~
ehsankia
Not sure anyone else watches this show, but this video gives me strong
Homecoming[0] vibes.

[0]
[https://en.wikipedia.org/wiki/Homecoming_(TV_series)](https://en.wikipedia.org/wiki/Homecoming_\(TV_series\))

------
korethr
Interesting to see that he's being charged in Florida, instead of federally. I
mean yes, normally, when one commits a crime in a particular area, they're
charged in that area. But my understanding is that once stuff crosses state
lines, it becomes a federal issue, and this is part of why its usually the FBI
that comes knocking.

~~~
ja27
Anything involving a computer connected to the internet (even firewalled or
rarely connected) is considered to be a "protected computer" since it is
involved in interstate commerce or communication and thus open to federal
charges under 1030 (a).

~~~
korethr
Exactly. Thus why I am somewhat surprised to see that he's being charged in
Florida. By the letter of the law, this is an issue for the feds to handle.

Edit: Another post on HN[1] covers the federal charges. So, it sounds like
this kid is being charged by both the state and the feds. I don't envy him.

1\.
[https://news.ycombinator.com/item?id=24012968](https://news.ycombinator.com/item?id=24012968)

------
amrrs
No where in the article it mentions how did they nail him or how did he do.
With Twitter saying that this entire process was done by social engineering
some employee and then gaining system access of others by monitoring the
process - this seems to have been done by someone with Corporate process
understanding and hard to believe it could be a 18 yold.

~~~
tptacek
Teenagers broke into phone switches through social engineering for sport in
the 1990s.

~~~
quesera
1980s, yo.

~~~
idlewords
They were preteens in the 1980s

------
dredmorbius
Numerous sources covering this:

At NYTimes, from another submission:

[https://www.nytimes.com/2020/07/31/technology/twitter-
hack-a...](https://www.nytimes.com/2020/07/31/technology/twitter-hack-
arrest.html)

Reuters: [https://www.reuters.com/article/us-twitter-cyber/florida-
tee...](https://www.reuters.com/article/us-twitter-cyber/florida-teenager-
charged-with-hacking-twitter-accounts-of-obama-musk-among-others-
idUSKCN24W2W3)

~~~
mzs
also the DOJ release and complaints:
[https://news.ycombinator.com/item?id=24012968](https://news.ycombinator.com/item?id=24012968)

------
syspec
> According to federal agents, Sheppard was found out partly because he used a
> personal driver’s license to verify himself with the Binance and Coinbase
> cryptocurrency exchanges, and his accounts were found to have sent and
> received some of the scammed bitcoin. Fazeli also used a driver’s license to
> verify with Coinbase, where accounts controlled by “Rolex” allegedly
> received payments in exchange for stolen Twitter usernames.

That is such a simple mistake to make, wow.

------
MattGaiser
Given how many of these attacks have been social engineering ones, companies
might benefit from having bug bounties for employees who get fooled.

Yes, this will initially be very expensive as there will be thousands of
payouts, but eventually the employees will learn.

Offer $200 if you can get an employee's password.

------
cellis
I actually think this kid has a bright future. My prediction: 1 year jail
time, 5-10years probation. Will get hired as a security consultant.

~~~
fortran77
I wouldn't hire him. It's not like he _programmed_ his way in. And he didn't
just post tweets saying "Twitter's security is bad." He actively tried to scam
people. So he wasn't trying to accomplish anything good.

~~~
almost_usual
Programming is a waste of time if you don’t need a program.

~~~
Biganon
True, but what tech company would benefit from the social engineering skills
of a young man with dubious morality? If at least he had proven to be the new
Mitnick, but he hasn't.

------
nicyl
I’m very uncomfortable about the fact a very young person (only 17 years old)
has had his identity released like this... where was his fair trial first?

Regardless if he was behind the hack or not, this is not the way forward to a
decent society.

------
hentrep
Off topic, but the linked WFLA video highlights how factual reporting takes a
backseat to an insidious "breaking news", headlines-first approach. Twice we
hear Mr. Buinno misstate the Twitter attack as occurring "a few months ago"
before being corrected by his colleague after the second instance. I realize
this is a trivial criticism, but it makes one question their general
preparation and fact-checking processes. Is it too much to expect alignment on
the basic details of a story before broadcasting it to hundreds of thousands
of people?

------
amrrs
> Washington DC Field Office Cyber Crimes Unit analyzed the blockchain and de-
> anonymized bitcoin transactions allowing for the identification of two
> different hackers.

Anyone with Bitcoin Transaction knowledge, what's this de-anonymization of
Bitcoins transaction?

>Today’s announcement proves that cybercriminals can no longer hide behind
perceived global anonymity,” said Thomas Edwards, Special Agent in Charge,
U.S. Secret Service, San Francisco Field Office.

This reads like an Ad copy of a company that's against _perceived_ anonymity.

~~~
tibbar
Bitcoin transactions take place between addresses, which are hashes of public
keys. It's actually better to call bitcoin "pseudonymous", since the addresses
are pseudonyms that may or may not be tied to an irl identity.

So if you, a hacker, tell someone to submit Bitcoin to an address, that
address is only really "anonymous" until you use your private keys to reroute
the money to other addresses. As soon as the graph of transactions touches
some known node (perhaps at the edges of the Bitcoin network that interact
with the monetary system), you can trace back to figure out who might have
controlled the original address.

It's very silly to try to cash in on ill-gotten bitcoin...

~~~
catacombs
> It's very silly to try to cash in on ill-gotten bitcoin...

What's the alternative? Sit on the coins or use them for purchases?

~~~
rocqua
Launder them.

Possibilities are endless. Coolest thing I heard was use the bitcoin to rent
bitcoin miners. Then spend the resultant cleanly mined coins.

------
varenc
> "Washington DC Field Office Cyber Crimes Unit analyzed the blockchain and
> de-anonymized bitcoin transactions allowing for the identification of two
> different hackers"

~~~
Shared404
Got to love government knowledge of tech.

This is the set of people that legislators listen to. I think we may be
screwed.

~~~
shadowgovt
I'm not sure what your criticism of the quote means here. The biggest weakness
of BTC for criminal enterprise is the fact that every transaction must be
logged to a global public ledger. The hard part is aligning the public keys
with private keys, but if you have enough additional information (such as,
say, the private keys' owners sitting in a prison cell and the private keys
themselves flayed out of their unencrypted hard drives), it's trivial to prove
the money flowed from one user to another.

The quote seems accurate.

~~~
Shared404
I know the quote was accurate. I thought it was common knowledge that bitcoin
is not anonymous, therefore making "de-anonymized the bitcoin transactions" a
bit of an overstatement.

~~~
shadowgovt
Ah, now I follow. I assume they intended "de-anonymized" to mean "tied the
public keys to identifiable human beings IRL."

~~~
Shared404
No hard feelings.

That's certainly an understandable take, and I'm probably just overly
pessimistic.

------
totetsu
Florida Man masterminds twitter attack.

~~~
bluedevil2k
Man = kid. He's only 17. I'm not a lawyer, but I thought it was illegal to put
the names of minors in public for committing crimes.

~~~
fernandotakai
the verge is reporting that he's being tried as an adult, so maybe that's the
reasoning.

[https://www.theverge.com/2020/7/31/21349920/twitter-hack-
arr...](https://www.theverge.com/2020/7/31/21349920/twitter-hack-arrest-
florida-teen-fbi-irs-secret-service)

>He’s being charged as an adult, and the press conference made clear that law
enforcement is considering how bad consequences of the hack could have been —
not just the $100,000-plus in bitcoin that the teen is alleged to have scammed
out of unsuspecting Twitter users.

~~~
pageandrew
What's the point of having different sentencing for minors if you can just try
them as an adult if they're "bad enough"?

~~~
cowboysauce
I always thought that was exactly the point, an acknowledgment that children
and teenagers sometimes do stupid things, but there’s a big difference between
doing some graffiti vs raping and murdering someone when you’re 15.

~~~
pageandrew
Yeah I could agree with that for violent/depraved crimes, but for hacking? I
don't see why they're charging him as an adult.

Hacking into Twitter accounts isn't a depraved, violent crime. I could see
that as the immaturity or lack of foresight of a smart teenager. Yes, they're
prominent people. Doesn't really change it IMO.

------
nathan_f77
I hope they will provide some more details about how they got caught. If this
person can hack Twitter and they know about Bitcoin, then I'd be very
surprised if they didn't take some basic steps to hide their tracks. E.g. Tor,
VPN, cafe wifi, etc. I heard that some social engineering was involved, so
maybe they called someone and their phone number was traced.

I would be interested to know if they forgot about one small detail. I think
the FBI / NSA probably has full visibility into the Tor network and can easily
deanonymise any users. Or it could be like the Harvard bomb hoax in 2013 [1].
(They used Tor, but they were also the _only_ person using Tor at the time.)

[1] [https://www.theverge.com/2013/12/18/5224130/fbi-agents-
track...](https://www.theverge.com/2013/12/18/5224130/fbi-agents-tracked-
harvard-bomb-threats-across-tor)

------
sna1l
From the Verge[1] article it seems like there was someone else providing
access to the accounts? So was it social engineering or not?

> Intriguingly, Sheppard and Fazeli may just be middlemen for the scam — “an
> unknown individual” with the handle “Kirk#5270” is believed to be the one
> who got access to Twitter’s internal systems. It’s not clear if the Tampa
> teen is Kirk#5270, though it sounds like that’s possible. The Sheppard
> complaint is dated July 22nd, and the Tampa teen wasn’t arrested until
> today. Originally, “Kirk” claimed to be a Twitter employee, according to a
> Discord chat log:

[1]: [https://www.theverge.com/2020/7/31/21349920/twitter-hack-
arr...](https://www.theverge.com/2020/7/31/21349920/twitter-hack-arrest-
florida-teen-fbi-irs-secret-service)

~~~
junar
It seems like "Kirk" is believed to be some other individual. From the
complaint against Sheppard:

> On July 21, 2020, federal agents executed a search warrant authorized by
> U.S. Magistrate Judge Alex G. Tse at a residence in the Northern District of
> California. Among the occupants of the home was a juvenile (“Juvenile 1”).
> ““Juvenile 1” was believed to be a Discord user identified in chats as an
> individual who assisted “Kirk#5270” and “Chaewon” in selling access to
> Twitter accounts. Upon execution of the search warrant, “Juvenile 1” agreed
> to be interviewed. “Juvenile 1” admitted to law enforcement agents that
> he/she was the Discord user who was identified in chats as assisting
> “Kirk#5270” and that he/she participated in the sale of illegal Twitter
> access. “Juvenile 1” admitted that he/she worked with “Chaewon” to sell
> Twitter account access. According to “Juvenile 1,” his/her knowledge of
> “Chaewon” was that “Chaewon” lived in the United Kingdom and “Juvenile 1”
> knew “Chaewon” by the name “Mason.” According to “Juvenile 1,” he/she and
> “Chaewon” had discussed turning themselves in to law enforcement after the
> Twitter hack became publicly known.

[https://www.justice.gov/usao-ndca/press-
release/file/1300126...](https://www.justice.gov/usao-ndca/press-
release/file/1300126/download)

------
quarteredgallon
Yeah no surprise there. The second Discord logs of the scam being planned
started circulating around Twitter I knew it'd be a matter of weeks before
these guys were caught. Absolutely unreal that one of them was dumb enough to
not only post chatlog screenshots on Twitter with their usernames uncensored,
but to use something like Discord to plan this in the first place.

Since the crimes were financially-motivated all of them get upgraded to
felonies. I have sympathy for people who get fucked by the US' dumb CJ system,
but uh... touching a Presidential candidate's Twitter account was whose idea,
exactly? What did they expect would happen? I have a hard time believing the
"for the lulz" defense some people are making for these people when the whole
thing was clearly financially motivated.

------
Kaveren
i was assured by the cybersecurity experts of hacker news that REALLY this was
all a mastermind ploy to steal and sell twitter DMs. who would they sell them
to? doesn't matter! what information of actual value is sent through twitter
DMs? doesn't matter! we did it, hacker news.

------
alexander1100
I personally lost $6000 dollars, is there any way I could prove that I was a
victim and get my crypto back?

~~~
daseiner1
I don’t mean to be rude, but I have to ask - what were you thinking?

~~~
rocqua
In EVE online, many doubling scams would actually pay out the first few times.
This to encourage others to commit bigger sums. Hence, if you 'get in early'
it might be worth it to try and get your money doubled.

------
spir
If the "mastermind" is a 17 year old, Jack should intervene to save his life
from being ruined.

------
forgotmypw17

                          \/\The Conscience of a Hacker/\/
    
                                          by
    
                                   +++The Mentor+++
    
                              Written on January 8, 1986

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

    
    
            Another one got caught today, it's all over the papers.  "Teenager

Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...
Damn kids. They're all alike.

------
StandardFuture
The only reason he got caught was because he used his access to attempt a BTC
scam.

The likelihood that more sophisticated individuals and organizations have
access to Twitter (and probably various other tech companies), and understand
the importance of not letting your access be discovered, is probably far far
higher than we realize.

Should we just assume all data held by Twitter and various other tech
companies is compromised (by multiple different actors)?

Twitter seems to be wording things to make the attack seem out-of-this-world
sophisticated, but I just have serious doubts about that.

------
perl4ever
Anybody ever seen one of these?

[http://www.vintagecalculators.com/html/invicta.html](http://www.vintagecalculators.com/html/invicta.html)

------
luord
Whenever I read news like these, I just think that this is such a waste of
talent (assuming Twitter's security isn't analogous to Swiss cheese). This kid
could have gone into ethical hacking and general security.

Now not only he's getting thrown in prison (over something he probably wasn't
even convinced he could do, if the subpart attempt at capitalizing on it is
any indication) for years, he's lost any potential career on the field.

------
kgermino
> Although the case against the teen was also investigated by the FBI and the
> U.S. Department of Justice, the Hillsborough State Attorney’s Office is
> prosecuting Clark because Florida law allows minors to be charged as adults
> in financial fraud cases such as this when appropriate. The FBI and the
> Department of Justice will continue to partner with the office throughout
> the prosecution.

Wow. It isn’t news, but what a terrible reflection of the US approach to
criminal justice.

~~~
TwoBit
What do you believe is terrible?

------
foobaw
Wonder when we'll get details on how he was actually able to do this - like
how he got access to the internal tools, how did he succeed in social
engineering, etc

~~~
_jjkk
They did provide a little detail so far [1].

> Hackers called a “small number” of employees in a phone spearphishing
> scheme, Twitter tweeted from its support account... The hackers were able to
> access some internal tools from the initial targeted employees and then
> learned specifically who had access to account support controls and targeted
> them next.

One likely scenario is they got access to the lower level employee's Slack
account or similar and used it to impersonate and successfully find/phish the
employee with the access.

[1]:
[https://www.washingtonpost.com/technology/2020/07/30/twitter...](https://www.washingtonpost.com/technology/2020/07/30/twitter-
hack-phone-attack/)

------
m90
Meta: this link is not accessible from within the EU.

~~~
maxton
You can probably read the article via the outline version:
[https://outline.com/https://www.wfla.com/news/hillsborough-c...](https://outline.com/https://www.wfla.com/news/hillsborough-
county/tampa-teen-accused-of-being-mastermind-behind-twitter-hack-that-
targeted-high-profile-accounts/)

~~~
m90
Thanks, didn't know outline worked around such issues.

------
jacquesm
That didn't require a mastermind. Twitter crew were lucky this ended the way
that it did. It could have been _much_ worse.

------
asutekku
The third person has been identified in an Ars Technica article [1].

1\. [https://arstechnica.com/tech-policy/2020/07/florida-teen-
arr...](https://arstechnica.com/tech-policy/2020/07/florida-teen-arrested-
charged-with-being-mastermind-of-twitter-hack/)

~~~
Pfhreak
We protect juveniles for a reason. It seems reasonable to make an effort not
to spread their identities around on social media (even if they are reported
by press sites.)

~~~
latchkey
Except for the part that it is Florida and they release all this stuff...
which is what brought on the whole Florida Man meme.

[https://www.wfla.com/news/hillsborough-county/tampa-teen-
acc...](https://www.wfla.com/news/hillsborough-county/tampa-teen-accused-of-
being-mastermind-behind-twitter-hack-that-targeted-high-profile-accounts/)

~~~
boogies
Legal ≠ ethical

------
jmount
I don't have examples, but it seems to me you really hear a lot of teens
pulling off successful social engineering attacks, even back to the days of
phone-hacking. I guess that is evidence that some teens develop a fairly
comprehensive understanding of social interaction.

~~~
StandardFuture
A kid who spends this much time at a computer thinking about how to break into
Twitter has a good grasp of social interactions?

Or, maybe Twitter just had some obvious loopholes that even a not super
social-aware hacker could find and use?

I think it is better to assume that in these situations it is more
incompetence from the platform than "super-genius" from the hacker that allows
for things like this to happen (regardless of what Twitter needs to say for PR
or the media needs to imply for clicks).

------
nicyl
I’m very uncomfortable about the fact a very young person (only 17 years old)
has had his identity released like this... where was this boys fair trial
first? Regardless if he was behind the hack or not, this is not the way
forward to a decent society.

------
tazedsoul
I’d imagine the FBI has more than just the link to these individuals via their
drivers licenses being used for verification. Surely, these drivers licenses
may have been used fraudulently by a hacker who wishes not to be found out so
embarrassingly?

------
robotcookies
Wasn't there inside help? I read several articles saying that there was. Any
of those insiders charged?

Twitter is in a bind. If there was no inside help, that says their security is
pretty lax. If there was inside help, why have they not identified or named
them.

~~~
shadowgovt
Unless there's additional info I didn't see, the "inside help" theory came
from the fact that they had images of the internal dashboards. That doesn't
necessarily indicate voluntary inside help (they may have found a hole in
Twitter's internet / intranet firewall, or they may have spear-phished a
service team member's credentials).

------
ChicagoDave
We really need to focus on rehabilitation instead of incarceration across the
board.

------
antihero
Right, how are we going to try and prevent the British dude extradited?

~~~
nicyl
Not even a fair trial before his name is released like he is guilty. Just a
young 17yo boy as well.

------
GlTChWhISKY
My thoughts go to the fact they were able to hunt someone down based on their
bitcoin address.

Either they got help, this kid was already being watched or it just speaks to
the DOJs data collection to all citizens.

~~~
stimpson_j_cat
They don't say they were able to hunt someone down based on their bitcoin
address

------
dariusj18
> The two other suspects were identified as 22-year-old Nima Fazeli, a.k.a.
> “Rolex,” of Orlando and 19-year-old Mason Sheppard, a.k.a. “Chaewon,” of the
> United Kingdom.

------
hourislate
What's the big deal, he stole some bit coin and embarrassed Jack.

Wall Street Insiders steal billions everyday from Joe6pack with the
Governments help and they get to laugh about over a drink after work.

Now we can spend millions in tax payer money incarcerating him....

He should get a reward for exposing how shitty Twatter is. Besides the NSA is
reading every txt you send and listening to every call you make. They know
where you are 24/7 and what you bought for lunch. No one is punishing
them.....

It's all theater for the masses I suppose....we caught the bad guys.....LOL...

~~~
dumbfoundded
[https://www.youtube.com/watch?v=NtUfNtgawNY](https://www.youtube.com/watch?v=NtUfNtgawNY)

------
amiga_500
2 more convictions than the great financial crash!

------
gkoberger
Summary for Europeans who are blocked from this site:

A Tampa teenager, 17-year-old Graham Clark, is in jail, accused of being the
“mastermind” behind a hack on the social media website Twitter that caused
limited access to the site and high-profile accounts.

The state attorney's office says the scheme to defraud “stole the identities
of prominent people” and “posted messages in their names directing victims to
send Bitcoin” to accounts that were associated with the Tampa teen. According
to the state attorney, the scheme reaped more than $100,000 in Bitcoin in just
one day.

(The rest of the article just rehashes the attack.)

------
sergiotapia
If only he would have done it for the lulz he would be badass. By asking for
bitcoin he became a tool scammer.

------
aquarin
"This site is currently unavailable to visitors from the European Economic
Area ..."

------
svartkanin
So what will happen to the guy in the United Kingdom? Will he be extradited to
the US?

------
ipunchghosts
I find this hard to believe.

~~~
almost_usual
It doesn’t fit the narrative a lot of people expect or want to believe but
it’s probably true.

------
m3kw9
Hope he’s not charged as an adult. I’m not getting the reasoning behind it.

------
supergirl
many years in prison for what this kid probably thought is a prank. while
twitter will likely get no punishment for having so little security that even
a child can hack them.

------
dkersten
> Our European visitors are important to us.

> This site is currently unavailable to visitors from the European Economic
> Area

So we're not important to them then? Gotcha!

Block us, fine, whatever, but don't give us this BS about being important to
you then.

------
unionpivo
I wonder if Kerbs will apologize for doxing the wrong guy

------
fataliss
"Florida (young) man" \- the saga continues!

------
nicyl
The moderation of my comment has completely stumped me. Is HN some sort of
cliquey community or something?!

------
ggggtez
>White House officials were concerned about President Donald Trump’s Twitter
account, which he uses daily to push out news and other information. They
assured the public that his account has extra protections.

I had suspected that they had added special protections on his account after
the (2017?) incident where an employee temporarily deactivated his account
(and got fired for it). I guess this confirms it.

------
catsarebetter
What a waste of talent

------
rglover
If this is true let this kid go and fire the people at Twitter who he duped.

------
mmmmmk
Where's Kirk?

------
alexander1100
Is there any way I could prove that I was a victim of this crime?

~~~
shadowgovt
I'd start your legwork here with a phone call to your nearest FBI field
office. Make sure you have the paper trail showing from your end you sent
crypto to the perpetrators, and ask what the next step would be for claiming
your defrauded property. It may also be worth consulting with a lawyer to see
what your legal recourse might be here.

Fair warning: there may be no next step. I have no idea if the US government
even considers cryptocurrency "property" in any legally-meaningful sense.

------
slackwill
Zero Cool man.

------
rapnie
Blocked with "Our European visitors are important to us"

Edit: [http://archive.is/caOFK](http://archive.is/caOFK)

------
Rebelgecko
It will be interesting to learn more as the case proceeds. Was he not using
tor?

I'm actually not super surprised that they've arrested a teenager. Considering
the thoroughness of the hack, just using it to scam a few bitcoins seemed a
bit blasé. Imagine the shitshow he could've started by tweeting as Trump

~~~
grezql
Trump is a "protected" account in twitters internal system. Even Twitter
employees cant access such protected accounts.

~~~
eunos
But Biden's account wasn't? Quite peculiar considering the upcoming election.

~~~
detaro
Trumps account got attacked by an employee in the past, presumably it got a
special case added then, but they didn't get to an overall policy on heads of
state and candidates.

~~~
eunos
Maybe after "verified" account, there will be a "guarded/critical" account.

------
HumblyTossed
> The day after the hack, White House officials were concerned about President
> Donald Trump’s Twitter account, which he uses daily to push out news and
> other information. They assured the public that his account has extra
> protections.

Really? Like what? And why? Are they afraid someone will start posting stuff
that is actually TRUE?

------
slackwill
Zero_Cool man

------
VonBlue
Hold on... how could they have de-anonymized the blockchain transactions? That
seems.. false

~~~
Rebelgecko
All transactions are public on the Bitcoin blockchain. I haven't followed the
wallets, but it's possible that they tried to cash out on an exchange and got
caught. Or they were initially found via other means and a search of their
computers found the corresponding wallet.dat files.

~~~
banana_giraffe
Yeah, they used Coinbase, and Coinbase is of course willing to respond to
warrants.

------
ideals
(If this is actually the person behind the attacks) Yes he may serve jail time
for this, but he did get to read DMs of some of these people, and has had
enough time to copy those contents to be read later. That's still valuable
knowledge, he should leverage this to get people interested in those details
to fund his legal defense in return for providing the contents of the DMs. Or
is that illegal?

~~~
tptacek
Yes, that would be pretty illegal.

~~~
idlewords
But then he can do it again to pay for the second legal defense

