British teenager charged in US with aiding Twitter's biggest ever hack

A British teenager has been charged with helping to orchestrate a massive cyber-attack which hijacked the Twitter accounts of major celebrities and brought the social network used by Donald Trump to its knees.

The United States Department of Justice (DoJ) accused Mason John Sheppard, 19, of Bognor Regis, of finding buyers and brokering sales for another hacker offering illegal access to numerous Twitter accounts.

Prosecutors charged Mr Sheppard with conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer, together carrying a maximum penalty of 45 years in prison.

The investigation was aided by the UK's National Crime Agency (NCA), which on Friday searched a property in Bognor Regis associated with Mr Sheppard.

The young Brit, allegedly known in the hacking community by the aliases "Chaewon" and "ever so anxious", was one of three people charged with the hack, alongside 22-year-old Nima Fazeli of Florida (allegedly known as "Rolex") and a 17-year-old Floridian Graham Ivan Clark, who is accused of being the "mastermind" of the attack.

Accounts belonging to Barack Obama, Bill Gates, Elon Musk and Kim Kardashian West were compromised and used to post links to Bitcoin wallets along with false claims that payments would be matched.

The hack, which happened on July 15 and was the biggest in Twitter's history, sparked fears that a similar takeover of world leaders such as Donald Trump and the Ayatollah of Iran could lead to a diplomatic crisis or even armed conflict.

Twitter said on Friday that the hackers had accessed the private messages of 36 accounts, including one elected official in the Netherlands. Some accounts had all their data downloaded.

But according to US officials, the incident sprang from seat-of-the-pants plot hatched by three teenagers who failed to properly cover their tracks, for an overall financial gain of more than $100,000.

United States Attorney David L. Anderson said: “There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence.

“Today’s charging announcement demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived.

“Criminal conduct over the Internet may feel stealthy to the people who perpetrate it, but there is nothing stealthy about it.”

Florida prosecutor Andrew Warren added: “This could have had a massive, massive amount of money stolen from people; it could have destabilized financial markets within America and across the globe.

“Because he had access to powerful politicians’ Twitter accounts, he could have undermined politics as well as international diplomacy...

“This is not a game... these are serious crimes with serious consequences, and if you think you can rip people off online and get away with it, you’ll be in for a rude awakening that comes in the form of a 6 AM knock on your door.”

The announcement appears to confirm early reports that the hackers were an international group of young forum users who were primarily concerned with gaining access to particular Twitter usernames because of their desirability.

According to documents published by the DoJ, the hack began with 17-year-old Graham Clark from Tampa, Florida, who “used social engineering to convince a Twitter employee that he was a co-worker in the IT department” and had the employee give him login details to company systems.

Clark was then able to gain access to Twitter's internal “customer service portal”, which employees use to manage accounts and reset their passwords where necessary. and had the employee provide credentials to access the customer service portal.”

On July 15, a user called “Kirk#5270”, possibly Clark, messaged contacts on the chat service Discord claiming to be able to “reset, swap, and control any Twitter account at will” in exchange for Bitcoin.

Kirk initially claimed to work for Twitter itself, posting screenshots of the customer portal. Mr Sheppard, under the username “ever so anxious#001", then allegedly acted as a broker for Kirk, posting an advert on a hackers' discussion forum offering ownership of "OG" Twitter accounts.

Such accounts often have rare and desirable usernames that are usually short words or phrases, grabbed by their owners in the social network's early days. Chatlogs showed Kirk and "ever so anxious" discussing the sale of Twitter handles @xx, @dark, and @vampire, all of which were taken over in the July 15 hack.

Mr Sheppard himself allegedly bought the Twitter name @anxious, while telling potential buyers that he could give them access to accounts for $2,500 to $3,000 each – plus a $250 commission for himself.

A cluster of Bitcoin wallets allegedly owned by him received $40,000 in Bitcoin during the hack, and paid out $33,000 to a cluster owned by Kirk.

The forum, however, had itself been hacked in April 2020, with full records of its users, their information and their messages dumped online. The FBI obtained those records, linking "ever so anxious" to the username Chaewon and then to the email address masonhppy@gmail.com.

The final stroke, officials claimed, came from Mr Sheppard himself. Investigators requested records matching that email address from Coinbase and Binance, two popular cryptocurrency exchanges, finding a British driver's licence in Mr Sheppard's name and bearing a picture of him.

Bitcoin exchanges are typically required by law to hold such details on their users as part of so-called "Know Your Customer" regulations.

On July 21, US government agents raided a property where they found the unnamed 17-year-old. The teenager confessed to participating in the attack, as well as allegedly confirming that they had worked with "Chaewon", whom they knew to be a teenager named Mason living in the UK.