They've updated the article in the last 5 minutes. The original article I read said something like "we're not releasing his name because he's under 18 years old" and now his name is fully out there. Crazy.
Well apropos the grand-parent comment using "Florida Man" We hear about "Florida Man" more often because, yeah, maybe there is a lot more partying in Florida, but also because Florida has some of the most open public record laws. I've read that unlike other places where you have to bother the police for reports, in Florida you can get yourself added to a daily email blast of reports.
>He’s being charged as an adult, and the press conference made clear that law enforcement is considering how bad consequences of the hack could have been — not just the $100,000-plus in bitcoin that the teen is alleged to have scammed out of unsuspecting Twitter users.
I always thought that was exactly the point, an acknowledgment that children and teenagers sometimes do stupid things, but there’s a big difference between doing some graffiti vs raping and murdering someone when you’re 15.
Yeah I could agree with that for violent/depraved crimes, but for hacking? I don't see why they're charging him as an adult.
Hacking into Twitter accounts isn't a depraved, violent crime. I could see that as the immaturity or lack of foresight of a smart teenager. Yes, they're prominent people. Doesn't really change it IMO.
> the scheme reaped more than $100,000 in Bitcoin in just one day
That's actually...pretty disappointing. I would have guessed into the 7 digits just based on how many Americans, and people in general, love a get-rich-quick-scheme.
All of the popular crypto currency exchanges blocked the btc address. The same one was used on all accounts. They acted faster than Twitter in mitigating this issue.
Summary for Europeans who are blocked from this site:
A Tampa teenager, 17-year-old Graham Clark, is in jail, accused of being the “mastermind” behind a hack on the social media website Twitter that caused limited access to the site and high-profile accounts.
The state attorney's office says the scheme to defraud “stole the identities of prominent people” and “posted messages in their names directing victims to send Bitcoin” to accounts that were associated with the Tampa teen. According to the state attorney, the scheme reaped more than $100,000 in Bitcoin in just one day.
(The rest of the article just rehashes the attack.)
It will be interesting to learn more as the case proceeds. Was he not using tor?
I'm actually not super surprised that they've arrested a teenager. Considering the thoroughness of the hack, just using it to scam a few bitcoins seemed a bit blasé. Imagine the shitshow he could've started by tweeting as Trump
Not all of them can, but some of them can. For instance the people that could reset that 'protected' status. It certainly won't be the tooth fairy doing that, a Twitter employee is much more likely.
Trumps account got attacked by an employee in the past, presumably it got a special case added then, but they didn't get to an overall policy on heads of state and candidates.
It's weird that Musk's didn't have elevated privileges. Trump's account getting hacked has obviously greater potential harm, but Musk's (non-hacked) tweets had demonstrably major financial and legal impact. And if you read the replies to his tweets, you can see they are constantly getting spammed by bitcoin-hawking accounts (even hacked verified accounts) impersonating Musk's display name and avatar.
If Musk didn't get elevated privileges, then who else besides Trump would have them? Or are the protections for Trump just the same emergency bespoke fix that they implemented when his account was previously deleted?
Based on the fact that the article mentioned the IRS being involved and the fact that the IRS has been more attentive to cryptocurrencies, my assumption is that they found some way to tie him to the wallets he was using. I would be surprised if the IRS did not have some pretty sophisticated ledger processing tools at this point.
I was under the (apparently false?) assumption that under-18s couldn't be named. The alleged mastermind here is 17, yet is named and pictured.
Interestingly, when I first checked this out ~8 minutes ago, they stated that they would not name the alleged mastermind due to the fact he was under 18. In the update ~4 minutes ago, they have removed that section and named him.
Florida has some of the most permissive laws about mugshots and criminal info.
The reason for the "Florida Man" meme is not that people in Florida are more weird than anywhere else, just that it's easier to find the mugshots online.
I always thought this was for precisely the oppposite - i.e. that news headlines (edit: I mean whole articles) were more often "A Florida Man has been arrested" because they were not allowed/didn't have the names.
I think using the term "Florida Man" is a meme now and probably carries more weight than using the accused's actual name.
From the wikipedia article:
> Miami New Times claimed that freedom of information laws in Florida make it easier for journalists to obtain information about arrests from the police than in other states and that this is responsible for the large number of news articles
The headline is usually "A Florida Man has been arrested" because news stations all around the country dig through Florida public records to fill space when their local news is slow. It says "Florida" because it is not local to the outlet that is publishing it. Local news usually says "local man" or specifies a locality.
The story below the linked one is how a man rammed his way into a gated community, beat two people to death with a baseball bath, and then the police found the suspect unconscious after he drank some bleach.
That seems more weird than my local news, by a bit.
It's my opinion that Florida is weirder, because driving around, the weird signs of weird people (roadside, or on their vehicles for instance) are weirder and more common than up north. Not an airtight proof, but an independent datum not biased for the same reasons as the news.
That's still downstream of Florida's sunshine laws. If that happens in your state, there's a chance the media doesn't hear about it, or hears about it too late.
In Florida, the media hears about anything that involves an arrest because it's all published for public inspection. It's not just mugshots but other records too.
The smallest community newspapers in Florida will have a section about who got arrested.
For over a hundred years kooks and scammers from the Northeast and Midwest have made their way down to Florida. It's a weird place because weird and disreputable people move there. (Source: I grew up in the panhandle, and also inherited some "beach front" property in the middle of the woods that an uncle bought in the 1960s from a Chicago developer front running a classic Florida real estate racket. Also, see "Oh, Florida!: How America's Weirdest State Influences the Rest of the Country".)
Don't expect reason or a sense of proportionality from USA "justice system". Prosecuting a social media hack will get a lot more attention than prosecuting e.g. some common crime of violence. Prosecutors are basically the worst people in USA. (In case you're wondering, yes they are worse than police.)
There actually are very few legal restrictions on naming minors. There is substantially more scrutiny applied to false reporting when it involves accusing a minor of a crime. Most of the time when publications refuse to name a minor it’s because they promised not to while obtaining the minor’s name.
It has been a journalistic tradition done out of good faith not to print the names of accused minors. This has largely been done industry-wide under an implicit "gentleman's agreement." Similar traditions include not printing the names of victims of alleged rape victims or other sexual crimes.
Update: 18 USC Section 5038 (Juvenile Justice Act) generally prohibits the publication of juvenile delinquency records, including the identity of the accused: https://www.law.cornell.edu/uscode/text/18/5038
Note that this does not apply to violations of State laws, only Federal law violations. States may further restrict the publication of juvenile records.
Wonder when we'll get details on how he was actually able to do this - like how he got access to the internal tools, how did he succeed in social engineering, etc
> Hackers called a “small number” of employees in a phone spearphishing scheme, Twitter tweeted from its support account... The hackers were able to access some internal tools from the initial targeted employees and then learned specifically who had access to account support controls and targeted them next.
One likely scenario is they got access to the lower level employee's Slack account or similar and used it to impersonate and successfully find/phish the employee with the access.
Interesting to see that he's being charged in Florida, instead of federally. I mean yes, normally, when one commits a crime in a particular area, they're charged in that area. But my understanding is that once stuff crosses state lines, it becomes a federal issue, and this is part of why its usually the FBI that comes knocking.
Anything involving a computer connected to the internet (even firewalled or rarely connected) is considered to be a "protected computer" since it is involved in interstate commerce or communication and thus open to federal charges under 1030 (a).
Exactly. Thus why I am somewhat surprised to see that he's being charged in Florida. By the letter of the law, this is an issue for the feds to handle.
Edit: Another post on HN[1] covers the federal charges. So, it sounds like this kid is being charged by both the state and the feds. I don't envy him.
No where in the article it mentions how did they nail him or how did he do. With Twitter saying that this entire process was done by social engineering some employee and then gaining system access of others by monitoring the process - this seems to have been done by someone with Corporate process understanding and hard to believe it could be a 18 yold.
Social engineering is well within the capabilities of many 18 year olds, and plenty of them will have experience with corporate-style processes at school.
It's doubtful that he actually did it. Probably just a teen groomed by a cracking group; the group gets away with the deed by leaving a paper trail pointing to the teen (that will get a reduced prison sentence) and the teen gets PR which will inevitably lead to a well-paying job.
I'm with you on this, he's probably a fall guy who's "caught" because he "confessed" or something like that. Two reasons for this; one, Twitter isn't exactly the kind of joint you stroll into and take over, it's not really an amateur operation and people are attacking it all the time. Second, coordinating all this work is not a simple one-person job. The timing of the attack suggests lots of coordination, practice, or both. Could one kid do it? Maybe, but highly improbable. And if it turns out this kid did do it, the CIA is going to find a way to own his ass basically forever.
Totally, but opening a bitcoin account with your license driver and moving stolen bitcoins there without any anonymization is another thing altogether.
It may be a surprise to you but criminals are usually stupid. If they were smart you wouldn't realize they are there at all. Think about it: this idiot had access at a level that nation states secret services can only dream of and went for $100K in lousy bitcoins.
Because at Twitter a couple of people did not pay attention. Social engineering is the very low hanging fruit of hacking. People are so much more vulnerable than well designed systems, this has been proven over and over again.
Law enforcement rarely advertises investigative techniques and sources, even in open court. Some amount of evidence they do have was already presented to a grand jury, and will be brought to bear at trial if the defendant doesn't plead out.
Seems to me that a person sophisticated enough to social engineer Twitter employees is probably sophisticated enough to social engineer a Tampa teen into place for taking a fall. To me state level targets suggest state level actors and Twitter has been mucking about with state level political operations since at least the Arab Spring almost a decade ago.
Twitter has a lot of powerful people and organizations who have suffered discomfort at its hands. It is hard to swallow the thesis that a Tampa teen succeeded where intelligence agencies have failed despite years of efforts.
Teenagers social engineer their parents and teachers on a daily basis. Their success rate is higher than either parents or teachers would like to admit.
I wouldn't hire him. It's not like he _programmed_ his way in. And he didn't just post tweets saying "Twitter's security is bad." He actively tried to scam people. So he wasn't trying to accomplish anything good.
True, but what tech company would benefit from the social engineering skills of a young man with dubious morality? If at least he had proven to be the new Mitnick, but he hasn't.
It may make sense if you consider it more as a marketing hire. Such a person at least has potential for future interviews and talks one could leverage for increasing company visibility.
He's being charged with 30 felonies but at the same time exposed how woefully inadequate Twitter is at securing the accounts of high-profile people, some of which with control of apocalyptic weapons. I predict he'll plea out to doing a few years of free work for the government.
If this turns out to be true, then we can conclude two things:
1. It's incredible that the security of Twitter allows for a solitary 17-year old to gain full access to (any) account.
2. This also explains why the profit of the hack was 'only' ~$100k. Many speculated about how incredibly valuable such a hack could be and how much more a group could have profited from this hack. Using it for two hours of bitcoin scamming seemed very amateurish. I suppose this explains it.
Frankly, I don't take "a teenager did it" as an extra mark against hacked systems any more. It's the details that matter - the difference between one teenager and multiple adults being able to hack something is not large unless the context is government hacking.
Yes, a teenager, especially one stuck at home and not going to school, might just spend weeks and weeks poking around to see what he can hack, and is much less afraid of the consequences
My initial thought was that the bitcoin move was a red herring. DMs associated with the compromised accounts could be very well worth much more than $100k.
The Krebs article says that prior to the bitcoin hack, they were selling accounts such as @6 for $2000. They probably had a rapidly shrinking window and the bitcoin scam was the last ditch effort before whatever admin account they hijacked got discovered.
People did say things like you could have made a fortune shorting stock by tweeting something insane from Elon Musks account. I don't buy that as necessarily better than a Bitcoin account. Stock transactions are heavily regulated and monitored. You'd leave a pretty large paper trail of any stock manipulation you hoped to profit from.
Of course Bitcoin is highly traceable as well, so maybe the lesson is hacking into high-profile Twitter accounts just isn't as profitable as you'd hope?
If they knew up front they would be doing this, they could’ve shorted Tesla in smaller positions, over multiple accounts. There’s tons of people shorting Tesla, would it really be traceable to any of those?
Yes, because the SEC isn't stupid, and would trawl through the data, until they found:
* A set of freshly opened accounts.
* That only shorted a single stock.
* Right before a major hack.
* That cashed out all at once.
* That never traded again.
And then they'd start calling the owners of those accounts, and asking questions. Most of those accounts would be legitimate traders, but that's fine - there's not that many accounts that satisfy four of those five criteria. A few sql queries can narrow it down to the point that basic detective work can solve the rest.
The problem with playing stupid games on the stock market is that there's a very clear paper trail that will link you, as a human being, to the money that you're hoping to make. At least with bitcoin, you can theoretically isolate yourself from the source of the funds, through tumblers, transferring money in and out of shady exchanges, etc.
This is also exactly how the SEC catches insider-traders. By analyzing the flow of trades, and following up on suspicious ones. If the first and only trade you've ever done in your life is a $200,000 short[1] on your employer twenty minutes before a disastrous earnings, you might soon be talking to a very nicely dressed man who would love to get another conviction under his belt.
[1] If you think you're playing 34-d chess, and have done a bunch of other options trades surrounding it, to disguise it, you're just as likely to piss away all of your money before you even get a chance to insider-trade. That's the beauty of options - they will part a fool from their money before they can spit.
Insider trading is one of the few things it is really good at prosecuting - mostly because it's dead-easy to identify, easy to prove, often performed by idiots, and has a lot of incredibly-well established law surrounding it that makes turning piles of evidence into jail time easy.
None of these reasons hold for other financial crimes, which is why there are so few bankers and executives going to jail for everything that's not insider trading.
Providing lots of examples of prosecutions does nothing to prove they catch even the majority of insider trades because there is no ground truth to work with here.
Maybe the SEC is just good at catching people who don’t think through the paper trail.
Most "insider trading" is done by senior executives. As you observe, only non-connected "idiots" are ever prosecuted for insider trading. This "crime" is merely a way for corporate insiders to enforce penalties against those who defect from their conspiracy against the investing public. Non-insiders who trade on "inside" information release that information to the public, to the public's benefit, before the actual insiders are ready to profit at the public's expense.
The stock idea is dumb, in my opinion, because there were safer (no SEC) ways that required less capital and didn't require fancy trade accounts.
For example: buy up a load of super cheap shitcoins. Can be done for under $100. Then tweet from an exchange like Binance that they will shortly be listing said shitcoin. Watch the price go up, sell.
Or, with a bit more money, short one of the cryptocurrencies, tweet from a big exchange that they were hacked, profit on the panic selling.
The nice thing is, they could do one or even multiple of these and still do the scam.
if you're someone whose regularly traded 10s of thousands of certain stocks over the last few years, it would be nearly impossible for them to detect a $100k profit from stock manipulation. especially a high volume stock like TSLA
Especially that Tesla is shorted so much.
That said, shorting even with leverage requires you to have some money to invest. If you are 17 you are most likely broke.
But the fact that _I_, could have made a higher return still holds. If I was 17 and broke, yeah the whole stock manipulation thing wouldn't be my first choice.
If you’re someone who regularly trades you already have money and are unlikely to be hacking twitter accounts. Certainly a 17 year old isn’t going to be in that category.
You go on Binance, BitMEX, Bybit, FTX, Phemex or any other exchange that offers futures or perpetual swaps that track the bitcoin (or whatever) price. This is basic stuff. You can create a BitMEX account in minutes, load some bitcoin in and short with 100x leverage with minimal time or effort, just need a small amount of bitcoin to trade with.
He could have done the scam on eg Elon Musks amount to get some bitcoin and then pulled this scam on an exchange using the money from the first scam
If you don’t trust your exchange not to commit that kind of fraud, then you shouldn’t trade on it at all, as there are many ways they could defraud you even if you trade at 1x. There are plenty of. reasons why I wouldn’t recommend trading at 100x, but “the exchange might commit fraud” isn’t at the top.
Still, in the described scenario, where you use a scam and market manipulation, 100x seems like a great tool.
Are any of those exchanges based out of the USA? And do any of them not allow USA based customers? My concern is if I made a great trade at 100x and then go to transfer bitcoin and they freeze my account saying I need to provide proof of residency or some BS.
Most do not allow US customers, but even BitMEX gives you a few days to withdraw your funds after freezing your account if found the be in the US (I’ve been told by people who had their accounts frozen). Some have KYC, sure, but in my experience, many do not and let you withdraw without issue. A lot of people (stupidly, IMHO, but that’s besides the point) trade 100x, its part of many of these exchanges selling points.
But if you were pulling the twitter scam, as I described, you would be risking a few $K on this trade in the hopes for making a million or two, while still being able to do the scam they did. Sure, there are risks (such as being able to withdraw at all after using the twitter hack to manipulate the market), but chances are there are plenty of others who will have shorted too so you’d be part of the noise and wait a week before withdrawing. Its not a perfect plan, but its straightforward with the potential to multiply the scammed money.
I would add 3. People need to stop using "Trust <<insert large company>> instead of self hosting because they have teams of security "experts" and will have far better security than you ever could on your own"
Wasn't there one more person involve (Kirk#5270) who apparently did most of the work and let these kids do the work? Sounds like a MafiaBoy situation, where more experienced hackers did the work and let younger script kiddies take the fall for it.
> 1. It's incredible that the security of Twitter allows for a solitary 17-year old to gain full access to (any) account.
Someone else spoke to him being a teenager as not especially relevant, and I agree; it dismisses teenagers somewhat.
You're also falling for a selection bias. Twitter is a big target and likely stops attacks like this daily. This is just the one that got through, and probably more because of luck than skill.
3) if a teen can do it, then so can every intelligence service in the world. Just that they would probably stay quiet for years and years and gather data of "interesting" people.
Probably could have earned a lot more from his exploits if he went the formal route and directly confronted Twitter. But then who even knows if Twitter are a good 'first responder' when it comes to high-profile exploits of their system.
There was a recent post about some researcher who exposed flaws in Tor's architecture (which allowed third parties to detect Tor traffic easily) and Tor's staff didn't respond; so she published the finding without going through the proper channels, both embarrassing Tor staff, and simultaneously strengthening the Tor network.
The 'I'm going to publish this sploit because you didn't respond' is a good tactic and I want to see more people do it. It's just unfortunate that the various channels like HackerOne[0] or wherever the skiddies flock to these days are not utilized thoroughly.
I'm wondering what the objection is against this. There might be a conflict of interest in allowing an employee to share a bounty with a friend by giving the friend their password, but the rules of the bounty (and the employment contract) should be able to prevent that scenario.
In theory, any sensitive operation (such as changing the email address of a verified account) could be made to require approval from a second (randomly chosen) employee, and that second employee should see a log of recent actions taken by the first employee. An attacker may still manage to avoid raising suspicion for the first few targets, though.
The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):
...
- Social engineering of Twitter staff or contractors
...
> It's just unfortunate that the various channels like HackerOne[0] or wherever the skiddies flock to these days are not utilized thoroughly.
A lot of the bug bounty programs don't pay as well as using exploits to steal money. Some estimates put this particular breach at having netted upwards of $120k.
I don't think I've ever seen a bug bounty that high. The highest I've ever heard of or see documentation describing is in the range of $40k.
If you don't think you'll get caught, why would you take the $40k instead of tripling that?
The opposite thing is true; people have wildly inflated expectations of how much money marginal bugs like XSS can earn, or even game-over bugs in marginally important applications. And if you're doing the financial comparison, as you note, you have to do it risk-weighted. Your intuitions about the risk of exploiting a vulnerability are likely heavily biased by the fact that most exploitation, or at least most of the exploitation you hear about, is non-monetary. Monetizing an exploit ratchets the risk up significantly.
I remember being 17. I was spectacularly bad at evaluating risks.
You're right - a lot of people who want to file bug bounties overestimate how much marginal ones are worth. At the same time, this scenario suggests to me that bug bounties aren't currently doing a good job of incentivizing people away from attempting to monetize significant exploits and towards more responsible security practices. If we have to depend on the risk analyses of teenagers, we may be in trouble.
Have any of those $250k bounties been paid out? The $40k figure was something I found from a bounty that's actually been paid, rather than a hypothetical one.
> The day after the hack, White House officials were concerned about President Donald Trump’s Twitter account, which he uses daily to push out news and other information. They assured the public that his account has extra protections.
Really? Like what? And why? Are they afraid someone will start posting stuff that is actually TRUE?
(If this is actually the person behind the attacks) Yes he may serve jail time for this, but he did get to read DMs of some of these people, and has had enough time to copy those contents to be read later. That's still valuable knowledge, he should leverage this to get people interested in those details to fund his legal defense in return for providing the contents of the DMs. Or is that illegal?
This is just as viable as selling stolen diamonds to fund your defense for robbing a jewelry store.
It turns out that the legal system is already set up to make “selling illegally obtained material” also illegal, and to take notice of people doing so in order to fund their ongoing operations.
This site is currently unavailable to visitors from the European Economic Area while we work to ensure your data is protected in accordance with applicable EU laws.
It should not be this complicated to respect laws that just enforce minimal good practices.
A replacement link should be found for this story. Wfla dot com is clearly shit.
Multiple people already have posted alternative links in the comments. Use those, and note that this kind of complaint is off-topic according to the site rules.
> It should not be this complicated to respect laws that just enforce minimal good practices.
It's not necessarily the compliance that's the issue, it can also be figuring out how to comply. IANAL, and I can't guarantee to myself that I can implement a site with policies that comply correctly. Better to just geoblock, because it's not necessarily worth the lawyer fees.
701 comments
[ 1.6 ms ] story [ 332 ms ] threadEdit: http://archive.is/caOFK
Two possibilities (although there are obviously other possibilities):
1. I think a lot of news media was given bad legal advice about GDPR
2. They're all members of the AP and the AP required this of their members since they also work in the EU
https://www.theverge.com/2020/7/31/21349920/twitter-hack-arr...
>He’s being charged as an adult, and the press conference made clear that law enforcement is considering how bad consequences of the hack could have been — not just the $100,000-plus in bitcoin that the teen is alleged to have scammed out of unsuspecting Twitter users.
Hacking into Twitter accounts isn't a depraved, violent crime. I could see that as the immaturity or lack of foresight of a smart teenager. Yes, they're prominent people. Doesn't really change it IMO.
https://firstamendmentcoalition.org/2009/06/can-i-publish-th...
- Uses Words Like "Mastermind" and "Massive Fraud"
That's actually...pretty disappointing. I would have guessed into the 7 digits just based on how many Americans, and people in general, love a get-rich-quick-scheme.
A Tampa teenager, 17-year-old Graham Clark, is in jail, accused of being the “mastermind” behind a hack on the social media website Twitter that caused limited access to the site and high-profile accounts.
The state attorney's office says the scheme to defraud “stole the identities of prominent people” and “posted messages in their names directing victims to send Bitcoin” to accounts that were associated with the Tampa teen. According to the state attorney, the scheme reaped more than $100,000 in Bitcoin in just one day.
(The rest of the article just rehashes the attack.)
I'm actually not super surprised that they've arrested a teenager. Considering the thoroughness of the hack, just using it to scam a few bitcoins seemed a bit blasé. Imagine the shitshow he could've started by tweeting as Trump
If Musk didn't get elevated privileges, then who else besides Trump would have them? Or are the protections for Trump just the same emergency bespoke fix that they implemented when his account was previously deleted?
Interestingly, when I first checked this out ~8 minutes ago, they stated that they would not name the alleged mastermind due to the fact he was under 18. In the update ~4 minutes ago, they have removed that section and named him.
The reason for the "Florida Man" meme is not that people in Florida are more weird than anywhere else, just that it's easier to find the mugshots online.
From the wikipedia article:
> Miami New Times claimed that freedom of information laws in Florida make it easier for journalists to obtain information about arrests from the police than in other states and that this is responsible for the large number of news articles
https://en.wikipedia.org/wiki/Florida_Man
"Tim Jones has been arrested" isn't exactly an informative headline.
That seems more weird than my local news, by a bit.
Come to Oregon and we can talk weird.
In Florida, the media hears about anything that involves an arrest because it's all published for public inspection. It's not just mugshots but other records too.
The smallest community newspapers in Florida will have a section about who got arrested.
Alligators:
https://nypost.com/2020/06/11/florida-man-fights-off-alligat...
https://nypost.com/2018/07/30/florida-man-brings-gator-into-...
https://www.wfla.com/news/florida/8-foot-gator-wrestled-from...
Pythons:
https://www.naplesnews.com/story/news/local/2019/08/12/6-foo...
https://www.foxnews.com/science/alligator-fights-python-on-f...
Driving dogs:
https://www.cnn.com/2019/11/22/us/florida-dog-drives-circles...
Kangaroos:
https://www.sun-sentinel.com/local/broward/fort-lauderdale/f...
Speed-trap towns that had to decommission their police:
https://www.youtube.com/watch?v=kELze26IXpk
https://en.wikipedia.org/wiki/Waldo,_Florida
For over a hundred years kooks and scammers from the Northeast and Midwest have made their way down to Florida. It's a weird place because weird and disreputable people move there. (Source: I grew up in the panhandle, and also inherited some "beach front" property in the middle of the woods that an uncle bought in the 1960s from a Chicago developer front running a classic Florida real estate racket. Also, see "Oh, Florida!: How America's Weirdest State Influences the Rest of the Country".)
https://en.wikipedia.org/wiki/Miami_cannibal_attack
https://vimeo.com/118532076
But there's no law against it that I am aware of.
Note that this does not apply to violations of State laws, only Federal law violations. States may further restrict the publication of juvenile records.
https://splc.org/2020/01/naming-names-identifying-minors/
> Hackers called a “small number” of employees in a phone spearphishing scheme, Twitter tweeted from its support account... The hackers were able to access some internal tools from the initial targeted employees and then learned specifically who had access to account support controls and targeted them next.
One likely scenario is they got access to the lower level employee's Slack account or similar and used it to impersonate and successfully find/phish the employee with the access.
[1]: https://www.washingtonpost.com/technology/2020/07/30/twitter...
Edit: Another post on HN[1] covers the federal charges. So, it sounds like this kid is being charged by both the state and the feds. I don't envy him.
1. https://news.ycombinator.com/item?id=24012968
If you're so stupid how can you social engineer your way into Twitter?
Twitter has a lot of powerful people and organizations who have suffered discomfort at its hands. It is hard to swallow the thesis that a Tampa teen succeeded where intelligence agencies have failed despite years of efforts.
Often interviews reformed "hackers" who have turned their lives around.
1. It's incredible that the security of Twitter allows for a solitary 17-year old to gain full access to (any) account.
2. This also explains why the profit of the hack was 'only' ~$100k. Many speculated about how incredibly valuable such a hack could be and how much more a group could have profited from this hack. Using it for two hours of bitcoin scamming seemed very amateurish. I suppose this explains it.
Overall there's not a good argument that it's a better position for an individual to be in for success.
"We believe that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including 1 elected official in the Netherlands."
You might be on to something.
I say this as a former teenager
Of course Bitcoin is highly traceable as well, so maybe the lesson is hacking into high-profile Twitter accounts just isn't as profitable as you'd hope?
* A set of freshly opened accounts.
* That only shorted a single stock.
* Right before a major hack.
* That cashed out all at once.
* That never traded again.
And then they'd start calling the owners of those accounts, and asking questions. Most of those accounts would be legitimate traders, but that's fine - there's not that many accounts that satisfy four of those five criteria. A few sql queries can narrow it down to the point that basic detective work can solve the rest.
The problem with playing stupid games on the stock market is that there's a very clear paper trail that will link you, as a human being, to the money that you're hoping to make. At least with bitcoin, you can theoretically isolate yourself from the source of the funds, through tumblers, transferring money in and out of shady exchanges, etc.
This is also exactly how the SEC catches insider-traders. By analyzing the flow of trades, and following up on suspicious ones. If the first and only trade you've ever done in your life is a $200,000 short[1] on your employer twenty minutes before a disastrous earnings, you might soon be talking to a very nicely dressed man who would love to get another conviction under his belt.
[1] If you think you're playing 34-d chess, and have done a bunch of other options trades surrounding it, to disguise it, you're just as likely to piss away all of your money before you even get a chance to insider-trade. That's the beauty of options - they will part a fool from their money before they can spit.
Insider trading is one of the few things it is really good at prosecuting - mostly because it's dead-easy to identify, easy to prove, often performed by idiots, and has a lot of incredibly-well established law surrounding it that makes turning piles of evidence into jail time easy.
None of these reasons hold for other financial crimes, which is why there are so few bankers and executives going to jail for everything that's not insider trading.
Maybe the SEC is just good at catching people who don’t think through the paper trail.
For example: buy up a load of super cheap shitcoins. Can be done for under $100. Then tweet from an exchange like Binance that they will shortly be listing said shitcoin. Watch the price go up, sell.
Or, with a bit more money, short one of the cryptocurrencies, tweet from a big exchange that they were hacked, profit on the panic selling.
The nice thing is, they could do one or even multiple of these and still do the scam.
He could have done the scam on eg Elon Musks amount to get some bitcoin and then pulled this scam on an exchange using the money from the first scam
Sounds like a great way to have a crooked exchange make you insolvent very quickly. Be very careful using any kind of leverage.
Still, in the described scenario, where you use a scam and market manipulation, 100x seems like a great tool.
But if you were pulling the twitter scam, as I described, you would be risking a few $K on this trade in the hopes for making a million or two, while still being able to do the scam they did. Sure, there are risks (such as being able to withdraw at all after using the twitter hack to manipulate the market), but chances are there are plenty of others who will have shorted too so you’d be part of the noise and wait a week before withdrawing. Its not a perfect plan, but its straightforward with the potential to multiply the scammed money.
Someone else spoke to him being a teenager as not especially relevant, and I agree; it dismisses teenagers somewhat.
You're also falling for a selection bias. Twitter is a big target and likely stops attacks like this daily. This is just the one that got through, and probably more because of luck than skill.
3) if a teen can do it, then so can every intelligence service in the world. Just that they would probably stay quiet for years and years and gather data of "interesting" people.
There was a recent post about some researcher who exposed flaws in Tor's architecture (which allowed third parties to detect Tor traffic easily) and Tor's staff didn't respond; so she published the finding without going through the proper channels, both embarrassing Tor staff, and simultaneously strengthening the Tor network.
The 'I'm going to publish this sploit because you didn't respond' is a good tactic and I want to see more people do it. It's just unfortunate that the various channels like HackerOne[0] or wherever the skiddies flock to these days are not utilized thoroughly.
[0] https://www.hackerone.com/
In theory, any sensitive operation (such as changing the email address of a verified account) could be made to require approval from a second (randomly chosen) employee, and that second employee should see a log of recent actions taken by the first employee. An attacker may still manage to avoid raising suspicion for the first few targets, though.
That's never going to fly; all Twitter bounties are multiples of $140.
Pretty standard for most if not all of the program rules I have come across.
A lot of the bug bounty programs don't pay as well as using exploits to steal money. Some estimates put this particular breach at having netted upwards of $120k.
I don't think I've ever seen a bug bounty that high. The highest I've ever heard of or see documentation describing is in the range of $40k.
If you don't think you'll get caught, why would you take the $40k instead of tripling that?
You're right - a lot of people who want to file bug bounties overestimate how much marginal ones are worth. At the same time, this scenario suggests to me that bug bounties aren't currently doing a good job of incentivizing people away from attempting to monetize significant exploits and towards more responsible security practices. If we have to depend on the risk analyses of teenagers, we may be in trouble.
Which is to say I suspect we have both problems.
> I don't think I've ever seen a bug bounty that high. The highest I've ever heard of or see documentation describing is in the range of $40k.
You're not paying attention.
https://www.microsoft.com/en-us/msrc/bounty-hyper-v?rtc=1
Have any of those $250k bounties been paid out? The $40k figure was something I found from a bounty that's actually been paid, rather than a hypothetical one.
Also do x or i release the sploit could be considered extortion if you word it wrong, and then you are in all sorts of additional trouble
Yes, this will initially be very expensive as there will be thousands of payouts, but eventually the employees will learn.
Offer $200 if you can get an employee's password.
Really? Like what? And why? Are they afraid someone will start posting stuff that is actually TRUE?
It turns out that the legal system is already set up to make “selling illegally obtained material” also illegal, and to take notice of people doing so in order to fund their ongoing operations.
Either they got help, this kid was already being watched or it just speaks to the DOJs data collection to all citizens.
This site is currently unavailable to visitors from the European Economic Area while we work to ensure your data is protected in accordance with applicable EU laws.
It should not be this complicated to respect laws that just enforce minimal good practices.
A replacement link should be found for this story. Wfla dot com is clearly shit.
Hell, they could be currently compliant and it still wouldn't be worth the effort to figure that out.
It's not necessarily the compliance that's the issue, it can also be figuring out how to comply. IANAL, and I can't guarantee to myself that I can implement a site with policies that comply correctly. Better to just geoblock, because it's not necessarily worth the lawyer fees.