Updated 8:27 p.m. ET Wednesday
Prosecutors have announced charges against three individuals, a 17-year-old from Florida and two men, from Florida and Britain, in connection with a hack that hit some of Twitter's most prominent accounts, in the largest and most well-coordinated security breach in the platform's history.
Authorities in Florida say Graham Ivan Clark, 17, of Tampa, Fla., masterminded the attack, allegedly breaking into the accounts of 130 Twitter accounts and duping followers of influential users to transfer more than $100,000 in Bitcoin to accounts associated with Clark. He is charged with 30 felonies in the state, including fraud, identity theft and hacking.
(NPR is naming Clark because he is being charged under Florida state law as an adult.)
In addition, federal prosecutors unsealed wire fraud, money laundering and other charges against Nima Fazeli, 22, of Orlando, Fla. and Mason Sheppard, 19, of Bognor Regis, U.K. They are accused of helping Clark sell access to some of the hacked accounts.
Twitter has said the hackers used a phone "spear phishing attack" to trick Twitter employees to turn over information that gave the attackers access to internal systems.
The Florida prosecutors on Friday added new detail about how exactly the scheme worked: Clark allegedly presented himself as a member of Twitter's IT team to a Twitter employee, and convinced that employee to hand over company credentials, which Clark used to get into the company's customer service portal.
Security protections were overcome and the passwords of some 130 accounts were reset, allowing the hackers to take control of the accounts, officials at Twitter have said.
Clark, who recently graduated from high school, is not an ordinary 17-year-old, said Hillsborough County State Attorney Andrew Warren at a press conference on Friday. "This was a highly sophisticated attack on a magnitude not seen before."
According to the federal charging documents, a user known as Rolex#373, identified by authorities as Fazeli, discussed with another unidentified individual who went by Kirk#5270 on the online messaging platform Discord, plans to break into dozens of Twitter accounts.
They allegedly discussed selling access to the hacked profiles for up to $2,500 for "OG accounts," slang for account names that are highly desirable.
On July 15, the hackers unleashed their havoc.
The accounts of Democratic presidential nominee Joe Biden, Amazon CEO Jeff Bezos, Tesla CEO Elon Musk, former President Barack Obama and others influential users tweeted similar messages that said some version of: in the spirit of generosity, payments of $1,000 sent to an anonymous Bitcoin address will be doubled "for the next 30 minutes."
To many, it was unquestionably a scam. But more than 400 people fell for it, according to federal investigators, who found that 415 transfers were made into the scam account, totaling about $117,000.
"Clark hacked into the Twitter accounts of famous people and celebrities, but they were not the primary victims. This 'Bit-Con' was designed to defraud money from regular Americans from across the country and here in Florida," Warren said.
U.S. Attorney David Anderson for the Northern District of California, said agents with the IRS analyzed the blockchain technology Bitcoin relies on to de-anonymize the transactions in the scheme, leading to the alleged hackers.
"There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence," Anderson said.
"Criminal conduct over the Internet may feel stealthy to the people who perpetrate it, but there is nothing stealthy about it. In particular, I want to say to would-be offenders, break the law, and we will find you," Anderson said.
Twitter said in a statement: "We appreciate the swift actions of law enforcement in this investigation and will continue to cooperate as the case progresses."
The attack has exposed vulnerabilities on the platform, which is a major communications channel for news outlets, companies, celebrities and politicians, including President Donald Trump.
The attack targeted 130 Twitter accounts, tweeted from 45 of them, accessed the direct messages of 36 and downloaded data from seven accounts, but Twitter officials say none of the private information downloaded involved a current or former U.S. elected official.
Twitter said it has "significantly limited" access to internal tools and is "improving our methods for detecting and preventing inappropriate access to our internal systems."