Bitcoin scammer who hacked celeb Twitter accounts gets 3 years

Remember when a whole bunch of celebs and top brands apparently went crazy tweeting about Bitcoin?

It happened in July 2020, when many prominent blue-badged Twitter accounts suddenly starting sending out scammy cryptocoin messages.

Fake tweets were blasted out from compromised accounts belonging to an eclectic range of high-profile people and companies, including Joe Biden, Elon Musk, Barack Obama, Bill Gates, Apple and many others.

The scam was based on a catchy, if unlikely, proposition: pay $X in bitcoins to the the happy-go-lucky celeb, and they’d later pay you back $2X, presumably because you’d have helped to stimulate trading in Bitcoin by doing your $X transaction in the first place.

Feeling greatful [note spelling blunder], doubling all payments made to my Bitcoin address,” said one message, urging people to pay out $1000 now, with a $2000 payback to follow later.

(Cynical recipients of these messages no doubt stopped to think that the world’s richest people generally didn’t achieve their wealth by selling products and services at a 50% loss, given that making a profit depends, by definition, on taking in more money than you pay out.)

Social engineering

It soon transpired that Twitter had lost control of numerous high-profile accounts to gift-of-the-gab cybercriminals – social engineers, in popular parlance – who had tricked Twitter staff into handing over internal account passwords for Twitter systems.

Those passwords ultimately allowed the crooks to login to internal Twitter servers that would usually only be used by Twitter support staff.

Apparently there was (at the time, anyway) no secondary protection such as two-factor authentication or managerial approval to guard against unauthorised updates to critical data such as the email address associated with a Twitter account, even a blue-flagged “verified” account.

The crooks were therefore allegedly able to set themselves up to receive password reset notifications for 45 accounts, out of the 130 that they tried to take over, and thereby to get direct control of the Twitter feeds of Musk, Gates, Apple et al.

But what was embarrasssing for Twitter and 45 of its blue-flag users was much worse for hopeful victims who “invested” a total of BTC 12.86 (about $120,000 at the time) in the scam.

As one of the law enforcement agents who investigated the attack noted wrly in his affidavit, “No bitcoin was ever returned, much less doubled.

Charges brought

The investigation quickly led to arrests, with one of the suspects charged for this attack being just 17 years old at the time.

Despite his youth, he nevertheless had his bail set at a whopping $725,000.

That bail hearing achieved a measure of world-wide fame it could have done without, having been Zoombombed by numerous online interlopers who blasted the courtroom with music, profanities, rants against the judiciary and, perhaps unsurprisingly, porn.

The accused, Graham Ivan Clark, was said in August 2020 to have escaped prosecution as a 16-year-old in a 2019 case in which he voluntarily paid back BTC 100 (about $1 million at the time, which is not an amount that you’d expect many 16-year-olds would have in their possession) to investigators.

According to a New York Times story published around the time of Clark’s bail hearing, those 100 bictoins were part of a larger haul of BTC 164 taken from a Seattle technology investor, who was the victim of a SIM swap.

Interestingly, that would have left BTC 64 unaccounted for – an amount that was, at the time, very close to the $725,000 bail fee set by the court.

Plea deal done

Clark has now made what is known in America as a plea agreement with prosecutors, whereby he will accept a sentence of three years in prison followed by three years on probation in return for pleading guilty to and accepting responsibility for the crime.

Clark has apparently been in custody since his arrest at the end of July 2020 – it seems he didn’t come up with the money needed to make bail, after all – and that time will be counted towards his three-year stretch.

According to the Florida judiciary, Clark will serve his sentence as a youngster, given that he was under 18 at the time he committed the crime, but will get at least 10 years in an adult prison if he violates the terms of his juvenile probation following his release from custody.

If there’s any good news in all of this, it’s that the court’s reports says that “Law enforcement officials seized all the Bitcoin received by Clark through this ‘Bit-Con’ scam and it is expected to be returned to its rightful owners.

With BTC 1 now worth about five times as many dollars as it was at the time of the scam, the victims may come out ahead after all, but not through any effort on Clark’s part – and not to the tune of two-times-five-times better off, of coure, which is where they’d be if Clark had been telling the truth.

What to do?

To help you protect yourself from ‘Bit-Con’ scams of this sort, we’ll repeat the advice we gave last year when news of this crime hit:

  • If a message sounds too good to be true, it IS too good to be true. If Musk, Gates, Apple, Biden or any well-known person or company wanted to hand out huge amounts of money on a whim, they wouldn’t demand that you hand them money first. That’s not a gift, it’s a trick, and it’s an obvious sign that the person’s account has been hacked. If in doubt, leave it out!
  • Cryptocurrency transactions don’t have the legal protections that you get with banks or payment card companies. There is no fraud reporting service or transaction cancellation in the world of cryptocurrency. Sending someone cryptocoins is like handing over banknotes in an envelope – if they go to a crook, you are unlikely ever to see them again. The fact that the stolen bitcoins were apparently recovered in this case can be considered a lucky exception, not the rule. If in doubt, don’t send it out!
  • Look out for any and all signs that a message might not be real. Crooks don’t have to make spelling mistakes or get important details wrong, but often they do, like the word greatful (should be grateful) in the example above. If the crooks do make a blunder, such as writing 50$ when in your country the currency sign comes first, or making a mess of their own phone number, or using clumsy or unnatural language, don’t let them get away with it. Treat it with doubt unless everything checks out!


We talk to world-renowned social engineering expert Rachel Tobac.
No audio player visible? Listen directly on Soundcloud.