Three Young Hackers Got Arrested in Relation to the Twitter Incident

Written by Bill Toulas
Last updated September 28, 2021

Only two weeks after the most catastrophic hack ever to have hit Twitter, the FBI managed to track down the persons responsible and arrest them in simultaneous operations taking place in Florida and the United Kingdom.

According to the details given in the court documents released by the US Department of Justice, the hackers behind the “Twitter Bitcoin Hack” are the following:

Graham Ivan Clark (aka “Kirk”), 17, Tampa, Florida
Nima Fazeli (aka “Rolex”), 22, Orlando, Florida
Mason Sheppard (aka “Chaewon”), 19, Bognor Regis, United Kingdom


Graham Ivan Clark, Credits: Hillsborough County Sheriff’s Office

Fazeli and Sheppard are charged with a criminal complaint, conspiracy to commit wire fraud, unauthorized access to a computer, and money laundering. Ivan Clark, however, is facing a long list of 30 counts, as he is considered to be the mastermind of the operation.

In fact, Sheppard even told investigators he did not know what “Kirk” was up to. Due to the severity of Clark’s actions and his marginal adolescence, the prosecutors decided to charge him as an adult, so we may get to see a very harsh punishment towards the young hacker.

The latest information that Twitter confirmed about the hack yesterday presents a spear-phishing attack, with the hackers targeting only a couple of employees to gain access to their tools. From there, they moved to compromise 130 Twitter accounts, tweeted from 45 of them, accessed the DM inbox of 36, and downloaded the data of seven.

According to an earlier NYT report, “Kirk” found credentials for one of Twitter’s tech support tools pinned to a Slack channel that was used internally, and which he had access to.

Related: The “Bitcoin Twitter Hack” May Have Started With a Slack Compromise

After the incident, investigators immediately started digging into the OGUsers platform and monitored every possible activity linked to the stolen 12.83 Bitcoin. FBI also reached out to Discord and got chat logs and user details from accounts the agency believed to be connected with the Twitter hack.

Moreover, Coinbase - which blocked the malicious transactions when the actors attempted to carry them out - also shared all technical details they had about the addresses with the FBI.

Coinbase requests an ID or a driver’s license for users to verify, so this was key in figuring out the real identities behind hacker monikers. Attempting to use Coinbase to receive stolen Bitcoin from such a high profile security incident was an unfortunate decision, if not a straight out stupid move.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: