Fascinating Look at Joseph O’Connor aka PlugWalkJoe Cyber Attack

In July 2020, the Twitter accounts of major corporations and individuals were hijacked in one of the most extensive and baffling cyberattacks to date, used to promote a bitcoin scam that earned its creators about $120,000. The attack compromised the accounts of Barack Obama, Elon Musk, and other high-profile Twitter users.

Multiple law enforcement agencies, including the Federal Bureau of Investigation, have been actively investigating the incident, driven by a much more serious concern: the vulnerability in Twitter’s internal systems that the attackers exploited.

Now, in a significant development in the case, an arrest warrant was issued for a 22-year-old British man in Spain in May 2021. The Department of Justice (DOJ) announced that Joseph O’Connor, who also goes by the handle “PlugWalkJoe,” was arrested for the hack. He faces accusations of being part of a group that took over high-profile Twitter accounts and used them to run a cryptocurrency scam.

O’Connor is being charged with more than three counts of conspiracy to intentionally access computers without authorization, one count of conspiracy to commit wire fraud, one count of conspiracy to commit money laundering, and two counts of aggravated identity theft. He also faces one count of making threatening communications and two counts of cyberstalking a juvenile victim.

According to Krebs on Security, O’Connor was a well-known SIM-swapper. SIM swapping is a technique for hijacking valuable social media accounts by getting a target’s phone number moved onto an attacker-controlled SIM, typically by manipulating cellular carrier personnel, so that the attacker can intercept two-factor authentication codes.

The DOJ’s press release also alleges that O’Connor was involved in other computer intrusions, including takeovers of TikTok and Snapchat user accounts.

How PlugWalkJoe Managed to Hack Twitter, Pocketing $118,000

Here’s a fascinating look at Joseph O’Connor’s (“PlugWalkJoe”) Twitter hack.

O’Connor freely identified himself as “PlugWalkJoe” in a New York Times interview with several of the hackers involved in the Twitter breach, and stated that the hackers obtained the Twitter credentials used to take over the accounts from an internal company Slack.

The scam began when Elon Musk’s account sent a cryptic tweet at 4:17 p.m. E.T. on July 15, 2020, that said, “I’m feeling generous because of Covid-19. I will double any BTC payment submitted to my BTC address for the next hour. Best wishes, and be safe out there!” The tweet also included a bitcoin address, most likely linked to the hacker’s cryptocurrency wallet.

Later, the tweet was deleted and replaced with another that spelled out the phony promotion. “Feeling grateful doubling all funds sent to my BTC address! You send 1,000USD, I send back 2,000USD! Only doing this for 30 minutes,” it read before the scammer deleted it.

Bill Gates’s tweet was similar to Musk’s, with the same BTC address attached. It was likewise deleted immediately after being posted, only to be replaced with an identical message a few minutes later.

Because blockchain transactions are public records, it is possible to confirm that some people fell for the fraudulent tweets and sent money to the associated BTC address.

While it may seem absurd that anyone would fall into the trap of sending bitcoin in response to these fraudulent tweets, O’Connor received almost $120,000. An analysis of the BTC wallet promoted by many of the hacked Twitter profiles reveals that the address processed 383 transactions and received nearly 12.8 bitcoin, equivalent to about $118,000, in less than 24 hours.

Twitter officials released a statement saying, “We are confident that we have identified all of the accounts associated with this incident and taken action to secure them. It was a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”

“A group of hackers who were in the business of purchasing and selling desirable social network screen identities carried out the attacks,” the criminal complaint filed in the Northern District of California stated.

There is a strong indication that the hackers have a history of stealing social media accounts through “SIM swapping.” It is a growing form of crime involving bribing, hacking, or coercing employees at mobile phone and social media companies to gain access to a target’s account.

How PlugWalkJoe Stole $784K in Crypto via SIM Swaps

In November 2021, the U.S. Department of Justice indicted ‘PlugWalkJoe’ for stealing $784,000 in cryptocurrency through SIM swap attacks.

In a SIM swap attack, criminals take control of a victim’s phone number and, with it, gain access to their social media and other online accounts. The number is typically hijacked through social engineering (impersonating the target to the carrier), by hacking into mobile carriers’ systems, or by bribing carrier employees.

Once the attacker has the target’s phone number ported to a SIM card they control, they can read the target’s SMS messages and voicemails without the target’s knowledge. Victims face substantial risk because the attacker can use the phone number to complete sensitive tasks such as resetting passwords and authorizing financial transactions.
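As an added illustration (not from the article or any court filing), the following Python models the failure mode described above: a one-time code sent by SMS goes to whichever SIM the carrier currently routes the number to, so after a swap the attacker, not the victim, receives it. The hardened flow is a common mitigation assumed here for illustration: it refuses SMS codes for sensitive actions while the number’s SIM has been changed recently; all phone numbers, SIM ids and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Carrier:
    """Toy carrier: a phone number routes to exactly one SIM at a time."""
    routes: dict = field(default_factory=dict)  # number -> (sim_id, changed_at)
    inbox: dict = field(default_factory=dict)   # sim_id -> list of SMS received

    def port(self, number, sim_id, when):
        # A SIM swap is just this mapping being changed, by whatever means.
        self.routes[number] = (sim_id, when)

    def send_sms(self, number, text):
        # Delivery follows the number, not the person: the current SIM gets it.
        sim_id, _ = self.routes[number]
        self.inbox.setdefault(sim_id, []).append(text)

    def sim_changed_at(self, number):
        return self.routes[number][1]


def naive_reset(carrier, number, code):
    """Vulnerable flow: treats an SMS to the number as proof of account ownership."""
    carrier.send_sms(number, f"reset code {code}")
    return "sms"


def hardened_reset(carrier, number, code, now, cooldown=timedelta(days=7)):
    """Assumed mitigation: refuse SMS for sensitive actions if the SIM behind the
    number changed within the cooldown, and require an app or hardware factor."""
    if now - carrier.sim_changed_at(number) < cooldown:
        return "require_app_or_hardware_factor"
    carrier.send_sms(number, f"reset code {code}")
    return "sms"


def demo():
    """Constructed scenario: reset before the swap, then the swap, then both flows."""
    t0 = datetime(2020, 1, 1)
    carrier = Carrier()
    carrier.port("+15550100", "victim-sim", t0)
    # Before the swap the SIM is 50 days old, so the hardened flow still uses SMS.
    before = hardened_reset(carrier, "+15550100", "000000", t0 + timedelta(days=50))
    carrier.port("+15550100", "attacker-sim", t0 + timedelta(days=100))  # the swap
    now = t0 + timedelta(days=101)
    naive_reset(carrier, "+15550100", "111111")  # code lands on the attacker's SIM
    after = hardened_reset(carrier, "+15550100", "222222", now)
    return (carrier.inbox.get("victim-sim", []),
            carrier.inbox.get("attacker-sim", []), before, after)
```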

The DOJ says that Joseph O’Connor, a/k/a “PlugwalkJoe,” and co-conspirators used SIM swaps to gain access to accounts belonging to a Manhattan-based cryptocurrency company, as well as the personal accounts of celebrities and other public figures.

The alleged hackers used this access to steal $784,000 in Bitcoin Cash, Litecoin, Ethereum, and Bitcoin from the company’s client wallets. The indictment also claims that the group tried to steal more than $100 million from a cryptocurrency exchange.

“Between March and May 2019, ‘PlugwalkJoe’ and his co-conspirators perpetrated a scheme to use SIM swaps to conduct cyber intrusions to steal approximately $784,000 from a Manhattan-based cryptocurrency company. The [company], at all times, provided wallet infrastructure and related software to cryptocurrency exchanges around the world,” states the unsealed indictment.

The seized cryptocurrency includes 770.784869 Bitcoin Cash, approximately 407.396074 Ethereum, approximately 6,363.490509 Litecoin, and about 7.456728 Bitcoin.

The DOJ says that the group’s “primary targets” were members of the entertainment industry, including but not limited to actors, actresses, managers, and producers.

“JOSEPH JAMES O’CONNOR and his co-conspirators also attempted to SIM swap at least two other victims to gain access to their cryptocurrency accounts. These two individuals were unrelated to the Manhattan-based cryptocurrency company but had been targeted because they were public figures with large social media followings,” continued the indictment.

In this latest indictment, the suspect faces charges of conspiracy to commit computer hacking, aggravated identity theft, conspiracy to commit wire fraud, and conspiracy to commit money laundering.

Joseph O’Connor’s (PlugWalkJoe) Arrest

“PlugWalkJoe” previously denied responsibility for the hack, telling The New York Times: “I don’t care. They can come to arrest me. I would laugh at them. I haven’t done anything.” O’Connor told the newspaper that he had corresponded with the other alleged perpetrators, but that he was receiving a massage near his home in Spain during the hack.

According to the petition, FBI agents identified O’Connor using a combination of messages he posted on the gamer chat platform Discord and unnamed informants, including one who verified a recording of his voice.

An arrest warrant was issued in the United States District Court for the Southern District on June 12, and the Spanish National Police arrested him.

The FBI also searched O’Connor’s home in Málaga, Spain, on June 11 and found evidence including a phone with the same IP address used to control some of the Twitter accounts involved in the hack.

O’Connor is the fourth suspect to be charged in connection with the hack. A few weeks after the July 2020 attack, U.S. authorities named then-17-year-old Graham Ivan Clark of Tampa as the attack’s mastermind. The federal judge sentenced him to the maximum allowed under Florida’s Youthful Offender Act.

Graham Ivan Clark was 17 at the time of the charges, and his case is being handled in Florida state court because of his juvenile status.

Mason Sheppard, then 19, of Bognor Regis in the U.K., and Nima Fazeli, then 22, of Orlando, Florida, were also charged for their roles in the hack. If convicted on all charges, both defendants face more than 25 years in prison.

If O’Connor gets convicted on all charges, a federal district court judge will decide his fate, but the charges against him could lead to a sentence of up to 90 years in prison.

His latest charges come on top of an already impressive rap sheet. In 2019, a federal district court judge sentenced O’Connor to two years in a U.K. prison for his role in a SIM-swapping scheme that targeted high-profile figures like YouTube personality PewDiePie and Twitter CEO Jack Dorsey.

“PlugWalkJoe” participated in the high-profile 2020 attack that affected the accounts of then-Democratic presidential nominee Joe Biden, former President Barack Obama, Tesla CEO Elon Musk, and Amazon CEO Jeff Bezos.

O’Connor and his associates also breached the accounts of other billionaires, including Michael Bloomberg and Bill Gates. Celebrities Kanye West and his ex-wife Kim Kardashian West were also victims of the attack.

According to court documents, O’Connor faces charges of computer intrusions related to takeovers of TikTok and Snapchat user accounts, in addition to the Twitter attack on July 15, 2020.

PlugWalkJoe, a citizen of the United Kingdom, is currently detained in Spain and awaiting extradition to the United States. The Justice Department will then have 60 days to submit a formal extradition request. This is where the real battle begins for O’Connor.

It is still unclear how O’Connor will plead to the charges against him, but what is certain is that he faces a long battle ahead.