A 23-year-old British citizen has confessed to “multiple schemes” involving computer crimes, including playing a part in the July 2020 Twitter attack that saw the accounts of Amazon CEO Jeff Bezos, Kanye West, and former President Barack Obama hijacked by an unidentified crew.
Joseph James O’Connor, known by the online alias PlugwalkJoe, was extradited from Spain last month and pleaded guilty to multiple charges, including computer crimes, cyberstalking, and conspiracy to commit wire fraud when he appeared in a New York court yesterday, the Feds say.
He was first arrested by Spanish police in 2021.
The 2020 Twitter attack happened when blue ticks still meant “verified account” and was accomplished using social engineering just as the COVID-19 pandemic was starting to gain traction. The social media org admitted at the time that miscreants had gained access to its internal control panels by tricking staff.
Infosec Twitterati took to the platform this morning to note that the case exposed Twitter’s poor security profile at the time. The company has since tightened its protocols, which among other things now include having way fewer people that an attacker can socially engineer.
“Everyone is asking me to give back, and now is the time,” read a message posted to Bill Gates’s Twitter account at the time – although it is not known if O’Connor was connected to this specific message. “I am doubling all payments sent to my BTC address for the next 30 minutes. You send $1,000, I send you back $2,000.” Elon Musk was also purported by the attackers to tweet that he was “feeling greatful” [sic] and would also give a nifty $2k to anyone who sent $1k in BTC, making everyone pity the suckers that fell for the misspelled scam.
The Reg noted at the time that the BTC address in question had received over $110,000 worth of BTC in just a few hours from those who believed the powerful celebs for some reason needed large donations of cash before showing generosity to those… who had a grand to lose?
According to the court documents, O’Connor and his co-conspirators used social engineering techniques to transfer control of highly desirable Twitter accounts from their rightful owners to “various unauthorized users.” Feds explained that sometimes the co-conspirators took control themselves and used the accounts to defraud other Twitter users and in “other instances, the co-conspirators sold access to Twitter accounts to others.”
US authorities also charged three others with cybercrime and fraud, one not named as they were only 17 at the time. Graham Clark has already received a three-year prison sentence for his part in the crimes.
Two criminal cases against O’Connor, one in the Northern District of California and the other in the Southern District of New York (SDNY), were consolidated and transferred to NY. In the New York case, prosecutors alleged that in a May 1, 2019, attack, O’Connor and his co-conspirators stole and fraudulently diverted cryptocurrency from wallets maintained by an org they name only as “Company-1.” The attack on a Manhattan-based cryptocurrency company used a SIM-swap technique where miscreants get control of the victim’s mobile phone number by linking it to a SIM under their own control, typically by fooling the mobile provider.
This then results in the target’s calls and messages being routed to a device controlled by the attacker, leaving them free to break into a victim’s account that is registered to the mobile phone number. As Reg readers know, it is ill-advised to use your mobile number for 2FA – it’s better to use a security key or an authenticator app.
The California case charged O’Connor with computer intrusion counts tied to the commandeering of TikTok and Snapchat user accounts. He was also accused of cyberstalking a juvenile.
Of the charges to which the Briton has pleaded guilty, two carry a 20-year potential penalty – conspiracy to commit wire fraud and conspiracy to commit money laundering. He also pleaded guilty to conspiracy to commit computer intrusions; two counts of committing computer intrusions (five years max each); making extortive communications (maximum penalty of two years in prison); two counts of stalking (max five years each); and making threatening communications (max five years). As part of the SDNY case, O’Connor also pleaded guilty to conspiracy to commit computer intrusions. Feds say he also agreed to forfeit $794,012.64 and to make restitution to victims of his crimes. Sentencing is on June 23.
“O’Connor used his sophisticated technological abilities for malicious purposes – conducting a complex SIM swap attack to steal large amounts of cryptocurrency, hacking Twitter, conducting computer intrusions to take over social media accounts, and even cyberstalking two victims, including a minor victim,” said US attorney Damian Williams for the Southern District of New York. “O’Connor’s guilty plea today is a testament to the importance of law enforcement cooperation, and I thank our law enforcement partners for helping to bring to justice those who victimize others through cyber-attacks.” ®