Three years later one of the most visible hacks in recent history unfolded in real time in front of millions of Twitter users, one of the hackers responsible for the breach will now be serving time in federal prison.
Joseph James O’Connor, 24, was sentenced in federal court in New York on Friday to five years in prison after pleading guilty in May to four counts of computer hacking, wire fraud and cyberstalking. O’Connor also agreed to forfeit at least $794,000 from the victims of his crimes.
O’Connor, a British citizen, was extradited from Spain at the request of US prosecutors earlier this year and has remained in custody ever since.
During the hearing, Judge Jed S. Rakoff said O’Connor would likely serve about half his sentence after spending more than two years in pretrial detention.
O’Connor faced a maximum of 77 years in prison, according to Reuters. Justice Department prosecutors called on O’Connor to serve at least seven years in prison.
In court, O’Connor said his crimes were “stupid and unnecessary”, apologized to his victims and asked for clemency from the judge.
According to prosecutors, O’Connor “used his sophisticated technological capabilities for malicious purposes – carrying out a complex SIM card swapping attack to steal large amounts of cryptocurrency, hacking into Twitter, carrying out computer intrusions to take control of social media accounts and even cyberstalking two victims, including an underage victim.
The government said O’Connor, known by his online username PlugWalkJoe, was part of a group that broke into dozens of high profile Twitter accounts, including Apple, Binance, Bill Gates, Joe Biden and Elon Musk, to spread cryptocurrency. -fast scams in July 2020.
O’Connor used phone-based social engineering techniques to trick Twitter employees into granting the hacker group access to Twitter’s network. One of the other convicted pirates of the Twitter breach, Graham Ivan Clark, also known as Kirk, used access to Twitter’s network to abuse an internal administration tool to hijack and reassign Twitter user accounts.
Twitter temporarily blocked users from posting to the site as it grapples with the intrusion, as millions of users watched in real time as their calendars were inundated with cryptocurrency scams from some of the hottest names. most recognizable on the planet.
A subsequent investigation by New York Department of Financial Serviceswhich accuses Twitter of inadequate cybersecurity protections, found that hackers broke in by “calling Twitter employees and pretending to be from Twitter’s IT department”, then hijacked the Twitter accounts of politicians, celebrities and entrepreneurs to tweet “double your bitcoin” scams. .
The scam grossed around $120,000, according to public blockchain records.
The breach prompted Twitter to improve its cybersecurity controls, introducing hardware security keys for its employees to prevent future phishing attempts.
Two years after the hack, more explosive allegations regarding the breach have come to light.
Peiter “Mudge” Zatko, who was hired as Twitter’s chief security officer months after the breach, later described the hackers’ access as reaching “god mode,” which allowed them to impersonate tweets from from any account of their choice. Zatko called the incident “the biggest hack of a social media platform in history” in a whistleblower complaint filed with federal regulators in 2022, in which Zatko accused his former employer of cybersecurity failures.
Twitter automatically responded with a poo emoji in response to an email request for comment, as it has done since shortly after the company was acquired by Elon Musk.