Florida teen arrested for orchestrating Twitter hack

Main suspect identified as a 17-year-old teen from Tampa, Florida. Two other suspects were also charged -- one from Florida and the second from the UK.
Written by Catalin Cimpanu, Contributor

In a press conference on Friday, US authorities announced they arrested the main suspect behind this month's major Twitter hack, and charged two other accomplices.

The suspected main hacker was identified as Graham Ivan Clark, a 17-year-old teen from Tampa, Hillsborough County, Florida.

According to Florida news outlet WFLA-TV, which first reported on the arrest, Clark was arrested earlier this morning in Tampa, following a nationwide collaboration between the FBI, the IRS, the DOJ, and the Secret Service.

Hillsborough State Attorney Andrew Warren filed charges against Clark for being the "mastermind" behind the July 15 Twitter incident, when the teen is believed to have gained access to Twitter's backend, took over several high-profile accounts, and tweeted on their behalf to promote a cryptocurrency scam. The list of hacked accounts includes big names like Barrack Obama, Joe Biden, Bill Gates, Elon Musk, Jeff Bezos, Apple, Uber, Kanye West, Kim Kardashian, Michael Bloomberg, and others.


Officials said the hack resulted in more than $100,000 being sent to Bitcoin "accounts associated with Clark" in one single day.

According to a press release from Warren's office, the teen now faces 30 felony charges, including:

  • ORGANIZED FRAUD (OVER $50,000) - 1 count
  • COMMUNICATIONS FRAUD (OVER $300) - 17 counts

The charges were announced in a live stream today by the Hillsborough State Attorney.

While initially Warren didn't specify if Clark had partners, hours after the press conference, in a separate announcement after this article went live, the US Department of Justice announced additional charges against two other suspects believed to have helped Clark in the hack.

The second suspect was identified as Mason Sheppard, aka "Chaewon," 19, of Bognor Regis, in the UK, while the third was identified as Nima Fazeli, aka "Rolex," 22, of Orlando, Florida. The DOJ didn't specify if the two have been apprehended.

Clark's arrest comes just hours after Twitter published its latest update on its investigation into the July 15 hack. Below is Twitter's entire investigation, summarized, for easier reading:

  • The incident took place on Wednesday, July 15, 2020.
  • Twitter said hackers used phone-based social-engineering to gain access to Twitter employee accounts.
  • A New York Times report that has yet to be confirmed by Twitter said that hackers breached employee Slack accounts and found credentials for the Twitter backend pinned inside a Slack channel.
  • Twitter said hackers got "through" their two-factor protections but did not specify if it referred to the backend accounts or the Slack accounts.
  • Once hackers accessed the Twitter backend, they Twitter's own internal tech support tools to interact with accounts.
  • Hackers interacted with 130 accounts, according to Twitter.
  • For 45 accounts, hackers initiated a password reset, logged into the account, and sent new tweets to promote their cryptocurrency scam.
  • Twitter said it believes hackers also tried to sell access to some hijacked Twitter accounts, due to highly-coveted usernames.
  • For eight accounts, hackers downloaded account data through the "Your Twitter Data" feature.
  • Twitter said hackers accessed direct messages (DMs) for 36 accounts, including 1 elected official in the Netherlands.
  • None of these eight accounts were verified.
  • Twitter is now reaching out to the eight account owners.
  • Once the hack came to light on Wednesday, Twitter said it blocked all verified accounts from tweeting as it investigated.
  • It then also blocked some users from resetting their password to hackers from taking over new accounts.
  • These limitations lasted for a few hours, and functionality was eventually returned.
  • Twitter said it had no reason to believe the hackers had access to cleartext passwords and will not be resetting user passwords going forward.
  • However, attackers did view information such as email addresses and phone numbers for the targeted accounts.
  • A law enforcement investigation is already underway.
  • Twitter said it restricted the number of employees who can access to its internal tools following the attacks.

Article updated 20 minutes after publication with the DOJ's announcement of additional charges against two other suspects.

The FBI's most wanted cybercriminals

Editorial standards