Teen behind 2020 Twitter hack pleads guilty

The so-called “mastermind” behind the 2020 Twitter hack that compromised the accounts of several celebrities and public figures—including President Barack Obama, Bill Gates, and Elon Musk—pleaded guilty to several charges on Tuesday in a Florida court.

As part of an agreed-upon plea deal with prosecutors, Graham Clark will serve three years in juvenile prison, with an additional three years spent under probation.

First reported by 10 Tampa Bay WTSP-TV, Clark’s plea deal will include restrictions on “electronic devices,” with access only permitted by the Florida Department of Law Enforcement and by those supervising Clark during his eventual probation. According to 10 Tampa Bay, at 18 years old, Clark will also be sentenced as a “youthful offender,” which could allow him to serve some of his prison time in a “boot camp.” He will also earn credit for the 229 days that he has already spent in jail.

Clark’s plea deal represents a reversal of his earlier position on August 4, 2020, when he pleaded not guilty to 30 charges of fraud brought against him by state prosecutors in Florida for allegedly stealing Bitcoin payments from countless victims. According to Hillsborough State Attorney Andrew Warren at the time, the charges filed against Clark were for “scamming people across America.”

“These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here,” Warren said. “This ‘Bit-Con’ was designed to steal money from regular Americans from all over the country, including here in Florida. This massive fraud was orchestrated right here in our backyard, and we will not stand for that.” 

Last year, Clark allegedly worked with two other individuals to compromise the accounts of about 130 Twitter users in a broader scheme to steal Bitcoin payments from unsuspecting victims. On July 15, the Twitter accounts of several celebrities and industry leaders began tweeting nearly the exact same message: Sparked by sudden gratitude, anyone who donated payments to a specific Bitcoin address would receive double those payments in return.

According to the public Bitcoin ledger at the time, the hackers conned people out of more than $100,000.

Nearly two weeks later, Clark was arrested at his apartment in Tampa. Two other men—Mason Sheppard from the UK and Nima Fazeli of Orlando—were also charged in connection with the hack. Sheppard was charged with wire fraud and money laundering, while Fazeli was charged with aiding and abetting.

At the time of the attack, many asked how such a small operation—led by a teenager—could have successfully breached the security of a major technology company. According to an investigation by The New York Times, Clark’s Twitter hack was not the work of an experienced hacker, but of a tried-and-true fraudster. Having bilked victims out of small sums of about $50 for years, Clark is alleged to have eventually worked his way into a scam that involved the theft of $856,000 worth of Bitcoin, at the age of 16.

After the theft, Clark posted photos of himself on Instagram wearing a Rolex watch.

To compromise Twitter, Clark used his practiced social engineering skills to gain access to an employee control panel. From there he was able to change users’ email addresses, and to use those new email addresses to reset passwords and disable two-factor authentication, giving him access to numerous user accounts, and their millions of followers.
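
The sequence described above (a staff tool changes an account's email address, then a password reset and a two-factor disable follow) leaves an ordered trail that account audit logs can be checked for. The sketch below is an added example, not code from the article or from Twitter; the event format, the `agent-` naming for staff identities, the action names and the 30-minute window are all assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed audit events (hypothetical format): (time, actor, account, action)
EVENTS = [
    ("2024-01-01T19:00:00", "agent-17", "acct-A", "email_change"),
    ("2024-01-01T19:02:10", "user",     "acct-A", "password_reset"),
    ("2024-01-01T19:03:30", "user",     "acct-A", "2fa_disable"),
    ("2024-01-01T19:05:00", "agent-04", "acct-B", "email_change"),    # no follow-up
    ("2024-01-01T10:00:00", "user",     "acct-C", "password_reset"),  # reset came first
    ("2024-01-02T12:00:00", "agent-09", "acct-C", "email_change"),
    ("2024-01-01T20:00:00", "agent-17", "acct-D", "email_change"),
    ("2024-01-01T22:30:00", "user",     "acct-D", "password_reset"),  # outside window
    ("2024-01-01T19:10:00", "agent-17", "acct-E", "email_change"),
    ("2024-01-01T19:11:00", "user",     "acct-E", "password_reset"),
]

def find_takeover_chains(events, window=timedelta(minutes=30)):
    """Return (account, staff_actor, twofa_disabled) for each staff-initiated
    email change followed by a password reset inside the window."""
    by_account = defaultdict(list)
    for ts, actor, account, action in events:
        by_account[account].append((datetime.fromisoformat(ts), actor, action))

    findings = []
    for account, evs in by_account.items():
        evs.sort()  # chronological order per account
        for i, (t0, actor, action) in enumerate(evs):
            if action != "email_change" or not actor.startswith("agent-"):
                continue
            # Only actions that happen after the email change and within the window count.
            followups = {a for t, _, a in evs[i + 1:] if t - t0 <= window}
            if "password_reset" in followups:
                findings.append((account, actor, "2fa_disable" in followups))
    return sorted(findings)

def agents_by_chain_count(findings):
    """Rank staff identities by how many accounts they appear in a chain for."""
    return Counter(actor for _, actor, _ in findings).most_common()

if __name__ == "__main__":
    chains = find_takeover_chains(EVENTS)
    for account, actor, twofa in chains:
        print(f"{account}: email changed by {actor}, then reset; 2FA disabled={twofa}")
    print("staff identities by chain count:", agents_by_chain_count(chains))
```

One staff identity appearing in chains for several accounts in a short period is the stronger signal, since a single support-driven email change followed by a reset can be a legitimate recovery.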


David Ruiz
