Feds arrest teen Twitter hack leader, accomplices


The ringleader of the Twitter breach that used prominent accounts to run a cryptocurrency scam turns out to be a 17-year-old in Tampa arrested earlier today.

Two accomplices, Nima Fazeli, 22, of Orlando and Mason Sheppard, 19, in the U.K., known as Rolex and Chaewon, respectively, were also arrested in the scheme that took over Twitter accounts of former vice president and presumptive Democratic presidential nominee Joe Biden, former President Barack Obama, Microsoft founder Bill Gates, Apple, Kanye West and others to push a COVID-19-related cryptocurrency scam.

Sheppard, who used his own drivers license to prove his identity on Coinbase and Binance, was charged with conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer, which could add up to 20 years in jail and a $250,000 fine, according to the Justice Department.

Nima Fazeli faces a single count of aiding and abetting the intentional access of a protected computer and could have to spend up to five years in prison and pay a $250,000 fine. Less was revealed about the 17-year-old, whose identity is protected since he is a juvenile.

The Justice Department filings refer to a Kirk#5270, who claimed to be a Twitter employee who could provide access to “any” account on the social media platform. That claim may or may not be true nor is it clear if Kirk#5270 could be the unidentified juvenile arrested in Tampa.

In an update last night Twitter said that a small, targeted group of employees had been socially engineered through a phone spear phishing campaign to give up credentials and, hence, access to the company’s networks and account management tools.

The arrests should disabuse the criminal hacker community of the notion that cyberattacks can be carried out “anonymously and without consequence,” U.S. Attorney David L. Anderson for the Northern District of California said in the Justice Department release. “Criminal conduct over the Internet may feel stealthy to the people who perpetrate it, but there is nothing stealthy about it.  In particular, I want to say to would-be offenders, break the law, and we will find you.”

Rick Holland, CISO and vice president of strategy at Digital Shadows, said the arrests also should “illustrates why we shouldn't jump to conclusions” when it comes to attribution. “Given the current geopolitical tensions, it is far too easy to blame China, Russia, or Iran for intrusions. In this case, the advanced persistent threat is more like an advanced persistent teenager,” he said. “It is far more critical for defenders to understand how the adversaries gained their initial access and accomplished their objectives. Leave the attribution to law enforcement and intelligence agencies.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.