Damian Williams, the United States Attorney for the Southern District of New York, has handed down a five-year prison sentence to Joseph James O’Connor, a U.K. citizen and one of the hackers involved in the infamous 2020 Twitter breach. The 24-year-old, known as PlugwalkJoe online, pleaded guilty to several cyber crimes, including carrying out a SIM-swapping attack that targeted a TikTok account with millions of followers.
The breach resulted in the compromise of high-profile Twitter accounts, including those belonging to Elon Musk, Bill Gates, Barack Obama, and many others. O’Connor profited approximately $794,000 through a cryptocurrency scam that followed the hack.
Details of the Sentencing:
The Justice Department revealed that O’Connor and his co-conspirators laundered the stolen cryptocurrency through multiple transfers and transactions, eventually exchanging some of it for Bitcoin via cryptocurrency exchange services.
A portion of the funds was deposited into a cryptocurrency exchange account controlled by O’Connor. In addition to the five-year prison term, O’Connor will be subject to three years of supervised release and must forfeit the $794,000 obtained through the fraudulent activities.
Background on the Twitter Hack:
The 2020 Twitter breach witnessed the hackers breaking into numerous high-profile accounts, including Apple, Binance, Joe Biden, and Elon Musk. They exploited the access gained through a SIM swap attack and abused an internal admin tool to hijack and reassign Twitter user accounts. This allowed them to post cryptocurrency get-rich-quick scams, temporarily overwhelming Twitter’s platform.
Aftermath and Investigation:
Following the breach, Twitter faced significant scrutiny regarding its cybersecurity measures. New York’s Department of Financial Services conducted an investigation and criticized Twitter’s inadequate protections, highlighting that the hackers impersonated Twitter’s IT department by calling company employees.
The attackers then tweeted “double your bitcoin” scams from the compromised accounts, ultimately amassing approximately $120,000.
Revelations and Whistleblower Complaint:
Peiter “Mudge” Zatko, Twitter’s head of security at the time of the breach, referred to the hackers’ access as “god mode,” which allowed them to impersonate any account they desired. In a whistleblower complaint filed in 2022, Zatko accused Twitter of cybersecurity failures and labeled the incident as the “largest hack of a social media platform in history.”
Final Words:
With Joseph James O’Connor’s sentencing, one of the key perpetrators behind the 2020 Twitter hack has been held accountable for his cyber crimes. The case highlights the need for robust cybersecurity measures and the importance of protecting high-profile social media platforms from malicious actors.
Twitter has since implemented hardware security keys to enhance its cybersecurity controls and prevent future phishing attempts. The sentencing serves as a reminder that cybercriminals will face legal consequences for their actions and sends a message to others considering similar activities.