Early this morning, the FBI, IRS, US Secret Service, and Florida law enforcement placed a 17-year-old in Tampa, Florida, under arrest — accusing him of being the “mastermind” behind the biggest security and privacy breach in Twitter’s history, one that took over the accounts of President Barack Obama, Democratic presidential candidate Joe Biden, Bill Gates, Elon Musk, Kanye and more to perpetrate a huge bitcoin scam on July 15th.
The teen is currently in jail, being charged with over 30 felony counts, including organized fraud, communications fraud, identity theft, and hacking, according to Hillsborough State Attorney Andrew Warren in a just-broadcast news conference describing the arrest. Local NBC affiliate WFLA alerted us to the news.
It’s not clear whether the 17-year-old is the only suspect in the case. “I can’t comment on whether he worked alone,” said Warren. He was arrested at his apartment where he lives by himself, authorities stated.
He’s being charged as an adult — “This was not an ordinary 17-year-old,” said the state attorney — and the press conference made clear that law enforcement is considering how bad the consequences of the hack could have been, beyond the $100,000-plus in bitcoin that the teen is alleged to have scammed out of unsuspecting Twitter users.
“This could have had a massive, massive amount of money stolen from people, it could have destabilized financial markets within America and across the globe; because he had access to powerful politicians’ Twitter accounts, he could have undermined politics as well as international diplomacy,” said Warren.
“This is not a game… these are serious crimes with serious consequences, and if you think you can rip people off online and get away with it, you’ll be in for a rude awakening, a rude awakening that comes in the form of a 6 AM knock on your door from federal agents,” he added later.
The teen was “taken into custody without any incident;” his first appearance may be as soon as tomorrow morning, Warren said. He’s being prosecuted in Florida so he can be charged as an adult, suggesting that there may not currently be any federal charges against him. While the FBI had initially opened its own investigation, it’s not clear whether that’s still ongoing: “The FBI and Department of Justice will continue to partner with the office throughout the prosecution,” reads part of the press release.
Twitter provided the following tweet as its statement:
We appreciate the swift actions of law enforcement in this investigation and will continue to cooperate as the case progresses. For our part, we are focused on being transparent and providing updates regularly.
For the latest, see here https://t.co/kHty8TXaly
— Twitter Comms (@TwitterComms) July 31, 2020
Yesterday, Twitter took its first full stab at explaining how attackers managed to penetrate its security and access the company’s own internal tools, which they used to take over some of the highest-profile accounts on the service. The company said several Twitter employees were targeted in a “phone spear phishing attack,” which presumably means that hackers called up Twitter employees while posing as colleagues or members of Twitter’s own security team, and got them to reveal their credentials.
In addition to scamming users out of Bitcoin, the attackers accessed the private direct messages of 36 Twitter users, including one elected official, and may have downloaded even larger caches of data for 7 other users. Twitter claims that no verified users had their private messages or data caches compromised, though, suggesting that Biden, Obama and others’ DMs could have been safe. President Trump’s Twitter account has long had extra protections, which could explain why it wasn’t hacked.
Here’s the whole press release from the Hillsborough State Attorney’s Office with additional info about the arrest. We’re withholding the teen’s name for now and removing mentions from the PR, since it’s been a remarkably short time since the hack and it’s not clear if he’s the sole culprit.
Hillsborough State Attorney’s Office tapped to prosecute worldwide “Bit-Con” hack of prominent Twitter users
Tampa, FL (July 31, 2020) — Hillsborough State Attorney Andrew Warren has filed 30 felony charges against a Tampa resident for scamming people across America, perpetrating the “Bit-Con” hack of prominent Twitter accounts including Bill Gates, Barack Obama, and Elon Musk on July 15, 2020.
The Federal Bureau of Investigation and the U.S. Department of Justice conducted a complex nationwide investigation, locating and apprehending the suspect in Hillsborough County.
“These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here. This ‘Bit-Con’ was designed to steal money from regular Americans from all over the country, including here in Florida. This massive fraud was orchestrated right here in our backyard, and we will not stand for that,” State Attorney Warren said.
The investigation revealed REDACTED, 17, was the mastermind of the recent hack of Twitter. He was arrested in Tampa early on July 31. REDACTED’s scheme to defraud stole the identities of prominent people, posted messages in their names directing victims to send Bitcoin to accounts associated with REDACTED, and reaped more than $100,000 in Bitcoin in just one day. As a cryptocurrency, Bitcoin is difficult to track and recover if stolen in a scam.
“I want to congratulate our federal law enforcement partners—the US Attorney’s Office for the Northern District of California, the FBI, the IRS, and the Secret Service—as well as the Florida Department of Law Enforcement. They worked quickly to investigate and identify the perpetrator of a sophisticated and extensive fraud,” State Attorney Warren said.
“This defendant lives here in Tampa, he committed the crime here, and he’ll be prosecuted here,” Warren added. The Hillsborough State Attorney’s Office is prosecuting REDACTED because Florida law allows minors to be charged as adults in financial fraud cases such as this when appropriate. The FBI and Department of Justice will continue to partner with the office throughout the prosecution.
The specific charges REDACTED faces are:
ORGANIZED FRAUD (OVER $50,000) – 1 count
COMMUNICATIONS FRAUD (OVER $300) – 17 counts
FRAUDULENT USE OF PERSONAL INFORMATION (OVER $100,000 OR 30 OR MORE VICTIMS) – 1 count
FRAUDULENT USE OF PERSONAL INFORMATION – 10 counts
ACCESS COMPUTER OR ELECTRONIC DEVICE WITHOUT AUTHORITY (SCHEME TO DEFRAUD) – 1 count
“Working together, we will hold this defendant accountable,” Warren said. “Scamming people out of their hard-earned money is always wrong. Whether you’re taking advantage of someone in person or on the internet, trying to steal their cash or their cryptocurrency—it’s fraud, it’s illegal, and you won’t get away with it.”