A 17-year-old Florida boy masterminded the hacking of celebrity accounts on Twitter Inc, including those of Democratic presidential candidate Joe Biden and Tesla Chief Executive Elon Musk, officials said on Friday.
A 19-year-old British man and a 22-year-old man in Orlando, Florida were also charged under U.S. federal law with aiding the attack, the Justice Department said.
A Florida prosecutor identified the 17-year-old as Graham Clark of Tampa and charged him as an adult with 30 felony counts of fraud.
Clark netted at least $100,000 from the scheme by using the celebrity accounts to solicit investments from unsuspecting Twitter users, state officials said.
"He's a 17-year-old kid who just graduated from high school," said Florida State Attorney Andrew Warren in Hillsborough County, which includes Tampa, "But make no mistake: This was not an ordinary 17-year-old."
Mason Sheppard, a 19-year-old from Bogner Regis, Britain who used the alias Chaewon, was charged with wire fraud and money laundering while Orlando-based Nima Fazeli, 22, nicknamed Rolex, was accused of aiding and abetting the crimes, according to a Justice Department statement.
Twitter said it appreciated the "swift actions of law enforcement."
Clark and one of the other participants were in custody, officials said.
- Thousands join 48-hour #NoSafeSpaceForJewHate Twitter boycott to protest antisemitism on the platform
- Constant, unchecked, dangerous antisemitism: Why British Jews are boycotting Twitter
- Israeli defense minister's Twitter account hacked; feed features Palestinian flag
In the hack, fraudulent tweets soliciting investments in the digital currency bitcoin were posted in mid-July by 45 verified Twitter accounts, including those belonging to Biden, former President Barack Obama and billionaire Bill Gates. Twitter said the hackers also likely read some direct messages including to a Dutch elected official.
More than $100,000 was obtained, bitcoin's public ledger showed.
Twitter has previously said its employees were duped into sharing account credentials.
Authorities provided new details Friday in an affidavit alleging that Clark "used social engineering to convince a Twitter employee that he was a co-worker in the IT department and had the employee provide credentials to access the customer service portal."
Sheppard and Fazeli did not return emails seeking comment. An attorney for Clark could not be immediately identified. Phone calls and an email to Clark's mother were not immediately returned.
Warren said the state rather than the federal government was prosecuting Clark because Florida law enabled him to be charged as an adult.
StopSIMCrime founder Robert Ross, whose group tries to combat a popular hacking technique, said the case showed the prowess of adolescent amateurs at defeating corporate security.
"Groups of teens/youngsters are doing this en masse," he said by email. "It's really a national security risk."