The Day Twitter's Keys Were Stolen

Twitter 2020: The Day the Keys Were Stolen

At 4:17 PM on July 15, 2020, a tweet appeared from the verified account of Elon Musk:

“Feeling grateful, doubling all payments sent to my BTC address! You send $1,000, I send back $2,000! Only doing this for the next 30 minutes.”

Within the hour, nearly identical announcements appeared from Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, Mike Bloomberg, Apple, Uber, Kanye West, and Warren Buffett.

These accounts had a combined following of hundreds of millions of users. The tweets were on verified accounts. The blue checkmarks gleamed. On screens across the world, the posts looked exactly like what they claimed to be.

They were not.

Graham Ivan Clark — a seventeen-year-old from Tampa, Florida — was watching his Bitcoin wallet fill. Within a few hours, before Twitter managed to shut down the operation, approximately $120,000 in Bitcoin had been sent to the scam address by around 400 victims.

The money was almost beside the point. What Clark had demonstrated was far more alarming: he had complete administrative control of Twitter. With that control, he could have read the direct messages of world leaders. He could have impersonated heads of state during an active geopolitical crisis. He could have posted, and then deleted, market-moving announcements from the accounts of billionaires and CEOs before anyone at Twitter understood what was happening.

He chose a Bitcoin scam.

Threat Actor Profile: Graham Ivan Clark

Real Name: Graham Ivan Clark
Handles: Kirk#099 (primary operation handle); active in the OGUsers underground community under multiple aliases
Age at time of incident: 17 (born November 2002, Tampa, Florida)
Co-conspirators: Mason Sheppard (19, United Kingdom, handle: Chaewon), charged in US federal court; Nima Fazeli (22, Florida, handle: Rolex), charged in US federal court
Status: Clark was arrested July 31, 2020, sixteen days after the attack, in Tampa. Tried as an adult under Florida law despite being a minor. Pled guilty to 30 felony counts including organized fraud, communications fraud, and identity theft. Sentenced to three years in a juvenile detention facility followed by three years of probation. Sheppard and Fazeli each faced federal charges for computer intrusion and money laundering conspiracy.

Notorious Operations:

  • Twitter VIP Hack (July 15, 2020): Hijacked Twitter’s internal admin panel via social engineering, compromised 130 high-profile verified accounts, and ran a Bitcoin scam netting approximately $120,000 before Twitter disabled the affected accounts.
  • OGUsers Account Trading: Clark was an active member of OGUsers — an underground forum dedicated to stealing and trading coveted short social media “OG” usernames. These operations involved years of practice social-engineering customer support staff at major platforms, providing the technical foundation for the Twitter attack.
  • SIM Swapping Operations: Prior to the Twitter hack, Clark conducted SIM swap attacks against cryptocurrency holders — social-engineering mobile carriers into reassigning victim phone numbers to attacker-controlled SIM cards, enabling takeover of accounts protected by SMS-based two-factor authentication.

The Method: Phone Calls

The Twitter hack deployed no zero-day vulnerabilities. No buffer was overflowed. No cryptographic primitive was broken. No authentication bypass was reverse-engineered from binary code.

Graham Clark called Twitter employees on the phone and convinced them to give him what he needed.

The technique is called vishing — voice phishing, the telephone equivalent of a spear-phishing email. Clark impersonated Twitter’s own internal IT helpdesk, contacting support staff with a social engineering script claiming he was from Twitter’s technical team working on a VPN or credential issue. The exact script varied by target, but the objective was consistent: obtain the employee’s credentials for Twitter’s internal administrative tools.

The tool in question — referred to internally as the Twitter admin panel or “Agent Tool” — allowed support staff to take privileged actions on user accounts: resetting passwords, changing the associated email address, disabling or reconfiguring two-factor authentication, and managing account status. It was a legitimate customer support instrument. In the hands of someone with illicit access, it was a master key to every account on the platform.

Clark’s social engineering worked against multiple employees. He also targeted a specific, smaller subset of Twitter staff who had access to elevated internal tools beyond standard support functions — reaching those credentials required additional social engineering passes against specifically identified targets. The OGUsers community had spent years mapping which employees at social media companies held which levels of access. This institutional knowledge was the reconnaissance infrastructure Clark used.

The Operation: 130 Accounts

With access to the admin tool, Clark moved quickly and methodically.

He identified 130 high-value verified accounts representing world leaders, politicians, billionaires, corporations, and celebrities. His process for each hijacked account was consistent:

  1. Change the associated email address to an account he controlled
  2. Disable two-factor authentication on the target account
  3. Log in via the resulting password reset flow
  4. Post the Bitcoin scam tweet from the hijacked account
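
The four steps above are ordinary support-tool operations; what made them a takeover was that one agent session could run all of them, on any account, with no second approver and no budget. The following is an added example, not Twitter's code or a description of the real Agent Tool: a small authorization layer that models a weak policy (any logged-in agent may act on any account) beside a hardened one (phishing-resistant MFA on the session, a two-person rule for protected accounts, and a per-hour budget of sensitive actions). The policy fields, the `protected` flag, the MFA labels and the thresholds are all assumptions for illustration.

```python
"""Added example (not Twitter's code): gating sensitive support-tool actions.

The three account-level steps of the takeover (change email, disable 2FA,
trigger a password reset) are modelled as "sensitive" actions. A Policy
decides whether an agent session may perform them on a given account.
All field names, MFA labels and thresholds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SENSITIVE_ACTIONS = {"change_email", "disable_2fa", "password_reset"}


@dataclass
class Policy:
    require_phishing_resistant_mfa: bool   # session must be bound to a FIDO2 key
    two_person_for_protected: bool         # protected accounts need a second approver
    max_sensitive_per_hour: int            # per-agent budget; 0 means unlimited


# Constructed policies: the weak one approximates a tool where any logged-in
# agent can act on any account; the hardened one adds the controls above.
WEAK_POLICY = Policy(False, False, 0)
HARDENED_POLICY = Policy(True, True, 5)


@dataclass
class Account:
    handle: str
    protected: bool   # assumed flag for verified / high-value accounts


@dataclass
class AgentSession:
    agent: str
    mfa_method: str   # assumed labels: "password", "sms", "fido2"
    history: list = field(default_factory=list)   # (timestamp, action, handle)


class Denied(Exception):
    pass


def authorize(policy, session, account, action, now, approver=None):
    """Return True if the action is allowed under the policy, else raise Denied."""
    if policy.require_phishing_resistant_mfa and session.mfa_method != "fido2":
        raise Denied(f"{session.agent}: session not bound to a phishing-resistant factor")
    if action not in SENSITIVE_ACTIONS:
        return True
    if policy.max_sensitive_per_hour:
        cutoff = now - timedelta(hours=1)
        recent = sum(1 for ts, act, _ in session.history
                     if ts >= cutoff and act in SENSITIVE_ACTIONS)
        if recent >= policy.max_sensitive_per_hour:
            raise Denied(f"{session.agent}: sensitive-action budget exhausted")
    if (policy.two_person_for_protected and account.protected
            and (approver is None or approver == session.agent)):
        raise Denied(f"{account.handle}: protected account requires an independent approver")
    session.history.append((now, action, account.handle))
    return True


def run_takeover_sequence(policy, session, account, start, approver=None):
    """Replay the account-level takeover steps 30 s apart and return the
    list of steps the policy denied (empty list means the takeover went through)."""
    denied = []
    for i, action in enumerate(["change_email", "disable_2fa", "password_reset"]):
        try:
            authorize(policy, session, account, action,
                      start + timedelta(seconds=30 * i), approver)
        except Denied:
            denied.append(action)
    return denied


if __name__ == "__main__":
    t0 = datetime(2020, 7, 15, 20, 17)
    vip = Account("@vip_example", protected=True)
    print("weak:    ", run_takeover_sequence(WEAK_POLICY, AgentSession("agent07", "sms"), vip, t0))
    print("hardened:", run_takeover_sequence(HARDENED_POLICY, AgentSession("agent07", "fido2"), vip, t0))
```

The point of the two-person rule is that a vished credential alone is no longer enough: the attacker would need to socially engineer a second, independent agent for every protected account, and the budget caps how many accounts one compromised session can touch before it stalls.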

The choice of accounts was deliberate: maximum visibility, maximum apparent credibility. Musk and Gates were cryptocurrency-adjacent in public perception. Obama and Biden commanded the reach of heads of state. Apple and Uber’s corporate accounts carried institutional brand authority. The combination was engineered to appear — to a casual observer — plausible enough that at least some fraction of millions of viewers might act on it.

Approximately 45 accounts had scam tweets posted publicly. An additional 36 accounts had their direct messages accessed and downloaded. Eight accounts were fully taken over, with historical content deleted.

The DM exfiltration received less public attention than the Bitcoin scam but was, in retrospect, the operation’s most sensitive component. Which accounts had their private messages downloaded was never fully disclosed. Among them, reportedly, were accounts belonging to Dutch politicians. The contents of those messages have not been made public. A more motivated attacker — a state intelligence service rather than a teenager running a Bitcoin scheme — operating Twitter’s admin tool undetected for hours would have had access to private communications of extraordinary intelligence value.

Twitter’s Response: A Global Platform Locked

Twitter’s incident response team identified the attack within approximately an hour of the scam tweets appearing. The immediate response was extraordinary and unprecedented: all verified accounts were temporarily prohibited from tweeting.

For a platform where heads of state, central banks, emergency services, and public health officials use their verified accounts for official communications, disabling all verified account tweet capability globally was a decision of remarkable severity. Twitter’s @TwitterSupport account explained the lockdown in real time. The world’s major news organizations reported it within minutes.

The full restoration of verified account functionality took several hours. Twitter’s CEO Jack Dorsey described July 15 as “a tough day for us at Twitter.”

Twitter subsequently acknowledged significant internal security failures: specifically, the social engineering vulnerability of phone-based support staff, the insufficient access controls on internal administrative tools, and the absence of anomaly detection for unusual admin tool usage patterns. The incident demonstrated that Twitter’s most powerful internal capabilities could be reached by anyone who could pass a social engineering test over the phone.

The Arrests: Sixteen Days

The investigation moved with unusual speed. Clark, Sheppard, and Fazeli were identified, arrested, and charged within sixteen days of the attack.

The speed reflected several factors. The Bitcoin addresses used for the scam were public blockchain entries; the flow of funds was traceable. The OGUsers community had established patterns — documented handles, known cryptocurrency wallets, recognized operational signatures — that law enforcement had been monitoring for years. Clark had, in prior operations, used consistent handles and wallet addresses that created a traceable thread.

Twitter’s own internal logs — which the company preserved comprehensively — provided a detailed picture of the admin tool access: which accounts were accessed, in what order, at what timestamps, from which sessions. The operational fingerprint was specific and narrow.
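
The logs described here (which accounts were touched, in what order, from which session) are the same data an anomaly detector would have needed in order to raise the alarm Twitter later admitted it lacked. The following is an added example, not Twitter's code or log format: a detector that reads constructed admin-tool audit lines and raises two kinds of alert, one when a single session performs sensitive actions on several protected accounts inside a short window, and one when the email-change, 2FA-disable, password-reset sequence completes against one account. The JSON field names, the window and the threshold are assumptions.

```python
"""Added example (not Twitter's code): anomaly detection over admin-tool audit logs.

Reads JSON-lines audit records (field names are assumptions) and flags
(a) one session touching several protected accounts with sensitive actions
    inside a sliding window, and
(b) the full takeover sequence completing against a single account.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE = {"change_email", "disable_2fa", "password_reset"}
TAKEOVER_SEQUENCE = {"change_email", "disable_2fa", "password_reset"}
WINDOW = timedelta(minutes=15)        # assumed sliding window
MAX_DISTINCT_PROTECTED = 3            # assumed threshold per session per window

# Constructed sample log: session s-41 works through four protected accounts in
# six minutes; session s-42 is routine support work on unprotected accounts.
SAMPLE_LOG = """\
{"ts":"2020-07-15T20:05:11Z","session":"s-41","agent":"agent07","action":"view_profile","target":"@vip_a","protected":true}
{"ts":"2020-07-15T20:06:02Z","session":"s-41","agent":"agent07","action":"change_email","target":"@vip_a","protected":true}
{"ts":"2020-07-15T20:06:40Z","session":"s-41","agent":"agent07","action":"disable_2fa","target":"@vip_a","protected":true}
{"ts":"2020-07-15T20:07:15Z","session":"s-41","agent":"agent07","action":"password_reset","target":"@vip_a","protected":true}
{"ts":"2020-07-15T20:07:30Z","session":"s-42","agent":"agent19","action":"password_reset","target":"@ordinary","protected":false}
{"ts":"2020-07-15T20:08:01Z","session":"s-41","agent":"agent07","action":"change_email","target":"@vip_b","protected":true}
{"ts":"2020-07-15T20:08:33Z","session":"s-41","agent":"agent07","action":"disable_2fa","target":"@vip_b","protected":true}
{"ts":"2020-07-15T20:09:05Z","session":"s-41","agent":"agent07","action":"password_reset","target":"@vip_b","protected":true}
{"ts":"2020-07-15T20:09:50Z","session":"s-41","agent":"agent07","action":"change_email","target":"@vip_c","protected":true}
{"ts":"2020-07-15T20:10:20Z","session":"s-41","agent":"agent07","action":"disable_2fa","target":"@vip_c","protected":true}
{"ts":"2020-07-15T20:10:55Z","session":"s-41","agent":"agent07","action":"password_reset","target":"@vip_c","protected":true}
{"ts":"2020-07-15T20:11:30Z","session":"s-41","agent":"agent07","action":"change_email","target":"@vip_d","protected":true}
{"ts":"2020-07-15T20:12:00Z","session":"s-41","agent":"agent07","action":"disable_2fa","target":"@vip_d","protected":true}
{"ts":"2020-07-15T20:12:30Z","session":"s-41","agent":"agent07","action":"password_reset","target":"@vip_d","protected":true}
{"ts":"2020-07-15T20:30:00Z","session":"s-42","agent":"agent19","action":"change_email","target":"@ordinary2","protected":false}
"""


def parse_log(text):
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(text):
    """Return a list of alert dicts for the audit log in `text`."""
    alerts = []
    recent = defaultdict(list)        # session -> [(ts, target)] for protected sensitive actions
    per_target = defaultdict(list)    # (session, target) -> [(ts, action)]
    burst_alerted, seq_alerted = set(), set()

    for e in parse_log(text):
        if e["action"] not in SENSITIVE:
            continue
        sess, tgt, ts = e["session"], e["target"], e["ts"]

        # (b) takeover sequence: all three actions on one account within the window
        key = (sess, tgt)
        per_target[key].append((ts, e["action"]))
        first_ts = per_target[key][0][0]
        seen = {a for _, a in per_target[key]}
        if seen >= TAKEOVER_SEQUENCE and ts - first_ts <= WINDOW and key not in seq_alerted:
            seq_alerted.add(key)
            alerts.append({"type": "takeover_sequence", "session": sess,
                           "agent": e["agent"], "target": tgt, "at": ts})

        # (a) burst: many distinct protected accounts from one session in the window
        if e["protected"]:
            recent[sess].append((ts, tgt))
            recent[sess] = [(t, h) for t, h in recent[sess] if ts - t <= WINDOW]
            distinct = {h for _, h in recent[sess]}
            if len(distinct) >= MAX_DISTINCT_PROTECTED and sess not in burst_alerted:
                burst_alerted.add(sess)
                alerts.append({"type": "protected_account_burst", "session": sess,
                               "agent": e["agent"], "targets": sorted(distinct), "at": ts})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["at"].isoformat(), a["type"], a["session"], a.get("target") or a["targets"])
```

Both rules fire within minutes of the first protected account being touched, well before the scam tweets would have been visible to the public, and neither depends on knowing how the credential was obtained: a vished password and a legitimately issued one produce the same session, so the detection has to key on what the session does.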

The Legacy: Social Engineering Is Not a Technical Problem

The Twitter hack forced a reckoning the technology industry has spent decades deferring: the human layer is often the weakest link, and no amount of cryptographic sophistication prevents it from being bypassed by a phone call.

For Twitter, the incident required a fundamental rethinking of how privileged administrative access was granted, monitored, and revoked. The fix was not purely technical — it required restructuring the social and procedural controls around who can request credentials and how. Controls that had seemed adequate against external threats proved inadequate against an attacker impersonating an internal authority figure.

For the intelligence community, the DM exfiltration was the element that drew the most serious attention. What a nation-state actor — with the patience, resources, and operational security of a state intelligence service — could have accomplished with undetected access to Twitter’s admin tool for hours or days was a scenario multiple governments reportedly war-gamed after the fact.

For regulators, the hack crystallized a question about the security responsibilities of platforms that host official government and diplomatic communications. When a 17-year-old can hijack the accounts of a former president and a current presidential candidate in the same afternoon, the implications for election security are self-evident.

Clark served three years. The question his operation raised — about the security of privileged access to the world’s public communications infrastructure — remains incompletely answered.


Attack Chain: Twitter VIP Hack — July 15, 2020

graph TD
    A["Graham Clark (Kirk#099), Age 17\nTampa, Florida\n+ Mason Sheppard (UK)\n+ Nima Fazeli (Florida)"] --> B["Background: OGUsers Community\nYears of Practice\nSocial-Engineering Support Staff\nSIM Swapping Operations"]

    B --> C["Reconnaissance\nIdentify Twitter Employees\nWith Elevated Admin Tool Access\n('Agent Tool' — Internal Admin Panel)"]

    C --> D["Vishing (Phone Phishing)\nImpersonate Twitter IT Helpdesk\n'VPN / Credential Issue'\nTarget Support Staff Directly"]

    D --> E{"Employee Provides\nCredentials?"}
    E -->|"No"| D
    E -->|"Yes"| F["Twitter Agent Tool Access\nObtained via Stolen Credentials"]

    F --> G["Additional Social Engineering\nTarget Employees with\nElevated Admin Access\n(Higher Privilege Level)"]
    G --> H["Full Administrative Control\n130 High-Value Verified Accounts\nIdentified for Targeting"]

    H --> I1["1. Change Account Email\nto Attacker-Controlled Address"]
    H --> I2["2. Disable 2FA\nOn Target Account"]
    H --> I3["3. Log In + Post\nBitcoin Scam Tweet"]

    I1 --> J["Accounts Hijacked:\n@elonmusk · @BarackObama\n@JoeBiden · @BillGates\n@JeffBezos · @Apple · @Uber\n@KanyeWest · @MikeBloomberg\n+ 120 Others"]

    J --> K["Bitcoin Scam Posted:\n'Send $1,000 → Receive $2,000'\n4:17 PM – ~6:00 PM UTC\n45 Accounts Post Publicly"]

    K --> L["~400 Victims Send Bitcoin\n$120,000 Collected\nBefore Twitter Locks Down"]

    H --> M["DM Archive Downloads\n36+ Accounts' Private Messages\nExfiltrated by Attackers"]

    K --> N["Twitter Emergency Response\nAll Verified Accounts\nProhibited from Tweeting\n(~1 Hour After Attack Begins)"]

    N --> O["Global News Coverage\nPlatform Partially Locked\nJack Dorsey: 'Tough Day'"]

    L --> P["🔎 FBI Investigation\nBlockchain Fund Tracing\nOGUsers Community Intelligence\nTwitter Internal Logs"]

    P --> Q["Clark, Sheppard, Fazeli\nIdentified in 16 Days\nArrested July 31, 2020"]

    Q --> R["Clark: 30 Felony Counts\n3 Years Juvenile Detention\n+ 3 Years Probation"]

    M --> S["⚠️ DM Exfiltration:\nContents Undisclosed\nIntelligence Community Concern\nNation-State Implications"]

    O --> T["Twitter Internal Audit\nAdmin Tool Access Controls\nRestructured + MFA Hardened\nAnomaly Detection Added"]