By Joe Tidy & Antoinette Radford
BBC News
A British national extradited to the US last month has pleaded guilty in New York to a role in one of the biggest hacks in social media history.
The July 2020 Twitter hack affected over 130 accounts including those of Barack Obama and Joe Biden.
Joseph James O’Connor, 23, known as PlugwalkJoe, pleaded guilty to hacking charges carrying a total maximum sentence of over 70 years in prison.
The hacking was part of a large-scale Bitcoin scam.
O’Connor, who was extradited from Spain, hijacked numerous Twitter accounts and sent out tweets asking followers to send Bitcoin to an account, promising to double their money.
O’Connor, from Liverpool, was charged alongside three other men over the scam.
US teenager Graham Ivan Clark pleaded guilty in 2021. Nima Fazeli of Orlando, Florida, and Mason Sheppard, of Bognor Regis in the UK, were charged with federal crimes.
US Assistant Attorney-General Kenneth Polite Jr, in a statement, described O’Connor’s actions as “flagrant and malicious”, saying he had “harassed, threatened and extorted his victims, causing substantial emotional harm”.
“Like many criminal actors, O’Connor tried to stay anonymous by using a computer to hide behind stealth accounts and aliases from outside the United States.
“But this plea shows that our investigators and prosecutors will identify, locate, and bring to justice such criminals to ensure they face the consequences for their crimes.”
In 2020, an estimated 350 million Twitter users saw suspicious tweets from official accounts of the platform’s biggest users. Thousands fell for a scam, trusting that a crypto giveaway was real.
Cyber experts agreed that the consequences of the Twitter hack could have been far worse if O’Connor and other hackers had more sophisticated plans than a get-rich-quick scheme.
Disinformation could have been spread to affect political discourse and markets could have been moved by well-worded fake business announcements, for example.
The hack showed how fragile Twitter’s security was at the time. The attackers telephoned a small number of Twitter employees with a believable tale to convince them to hand over their internal login details – which eventually granted the hackers access to Twitter’s powerful administrative tools.
Essentially, the hackers managed to use social engineering tricks more akin to those of conmen than of high-level cyber-criminals to get access to the powerful internal control panel at the site.
It was, and still is, a hugely embarrassing moment in Twitter’s troubled history.
O’Connor’s admission has not come as a shock, though, as there was a wealth of evidence in the public domain thanks to the hackers making some bad mistakes or being too loud in their celebrations in the aftermath of the hack.
O’Connor also pleaded guilty to other hacking crimes including gaining access to a high-profile TikTok account.
He posted a video to that account in which his own voice is recognisable, and threatened to release “sensitive, personal material” related to the owner of the account to people who joined a Discord group.
The US justice department said he had also used technology to stalk a minor.