An image of new Twitter owner Elon Musk is seen surrounded by Twitter logos in this photo illustration in Warsaw, Poland on 08 November, 2022.Â
STR | Nurphoto | Getty Images
LONDON — A U.K. man pleaded guilty to helping orchestrate a high-profile hack on the Twitter accounts of numerous celebrities and politicians including Elon Musk, Joe Biden and Kanye West.
Joseph O’Connor, 23, who is known under an online alias as “PlugwalkJoe,” submitted his guilty plea in a New York court on Tuesday, according to a Department of Justice press release. He was extradited from Spain last month.
O’Connor pleaded guilty to conspiracy to commit computer intrusion, committing computer intrusions, making extortive and threatening communications, cyberstalking, and conspiracy to commit wire fraud and money laundering. Combined, the charges carry a maximum sentence of 77 years, the Justice Department said.
Assistant Attorney General Kenneth Polite of the Justice Department’s criminal division said that O’Connor’s activities were “flagrant and malicious.”
“He harassed, threatened, and extorted his victims, causing substantial emotional harm,” Polite, Jr. said in a statement Tuesday.
“Like many criminal actors, O’Connor tried to stay anonymous by using a computer to hide behind stealth accounts and aliases from outside the United States. But this plea shows that our investigators and prosecutors will identify, locate, and bring to justice such criminals to ensure they face the consequences for their crimes.”
The attack, which took place in 2020, targeted about 130 people, Twitter said at the time. Hackers took control of the accounts to promote a bitcoin scam, directing users to send the funds to several bitcoin addresses.
Twitter said in 2020, shortly after the cyberattack took place, that it believes the hack was a “coordinated social engineering attack” on its employees — in other words, insiders at the company were tricked into handing over access to internal systems and tools.
The attackers were able to gain access to Twitter’s internal controls by compromising a small number of employees, according to a July 2020 Twitter blog post.
“O’Connor communicated with others regarding purchasing unauthorized access to a variety of Twitter accounts, including accounts associated with public figures around the world,” the Justice Department said Wednesday.
“A number of Twitter accounts targeted by O’Connor were subsequently transferred away from their rightful owners. O’Connor agreed to purchase unauthorized access to one Twitter account for $10,000.”
‘Impressive trail of destruction’
O’Connor was also charged and pled guilty for his role in a SIM-swapping attack, which is when an attacker convinces a mobile phone carrier to transfer a person’s phone number to their device to bypass multi-factor authentication on online accounts.
The attack targeted several high-profile companies and executives in the cryptocurrency industry including Binance, Tron founder Justin Sun, and Litecoin founder Charlie Lee, and resulted in the theft of $794,000 in digital assets, according to the Justice Department. O’Connor agreed to forfeit the $794,000 to the court and to pay restitution to the victims of his crimes, the DOJ said.
O’Connor also compromised the account of “one of the most highly visible TikTok accounts” and threatened to release sensitive, personal material related to the cyberattack victim to individuals who joined a specified server on the chat app Discord, the Justice Department said.
U.S. Attorney Ismail J. Ramsey for the Northern District of California said O’Connor “left an impressive trail of destruction” in the wake of his wave of criminality.
“This case serves as a warning that the reach of the law is long, and criminals anywhere who use computers to commit crimes may end up facing the consequences of their actions in places they did not anticipate,” Ramsey said.
O’Connor was one of four individuals charged over the scheme. In 2021, American teenager Graham Ivan Clark pleaded guilty to fraud charges.
Nima Fazeli of Orlando, Florida, and Mason Sheppard, of Bognor Regis in the U.K. have also been charged in relation to the hack.
O’Connor was arrested in July 2021 in Estepona, a resort town on the Costa del Sol in southern Spain, by Spanish National Police at the request of U.S. authorities.