Twitter hack: Mischief began early for teenager arrested

The apartment complex in Tampa, Fla., where Graham Ivan Clark lived alone and was arrested, Aug. 2, 2020. Florida prosecutors said the teenager was the “mastermind” of a prominent hack last month, in which he tricked his way into Twitter’s systems and took over the Twitter accounts of some of the world’s most famous people, including Barack Obama, Kanye West and Jeff Bezos. (Octavio Jones/The New York Times)

For Graham Ivan Clark, the online mischief-making started early.

By the age of 10, he was playing the video game Minecraft, in part to escape what he told friends was an unhappy home life. In Minecraft, he became known as an adept scammer with an explosive temper who cheated people out of their money, several friends said.

At 15, he joined an online hackers’ forum. By 16, he had gravitated to the world of Bitcoin, appearing to involve himself in a theft of $856,000 of the cryptocurrency, though he was never charged for it, social media and legal records show. On Instagram posts afterward, he showed up with designer sneakers and a bling-encrusted Rolex.

The teenager’s digital misbehavior ended Friday when the police arrested him at a Tampa, Florida, apartment. Florida prosecutors said Clark, now 17, was the “mastermind” of a prominent hack last month, accusing him of tricking his way into Twitter’s systems and taking over the accounts of some of the world’s most famous people, including Barack Obama, Kanye West and Jeff Bezos.

His arrest raised questions about how someone so young could penetrate the defenses of what was supposedly one of Silicon Valley’s most sophisticated technology companies. Clark, who prosecutors said worked with at least two others to hack Twitter but was the leader, is being charged as an adult with 30 felonies.

Millions of teenagers play the same video games and interact in the same online forums as Clark. But what emerges in interviews with more than a dozen people who know him, along with legal documents, online forensic work and social media archives, is a picture of a youth who had a strained relationship with his family and who spent much of his life online becoming skilled at convincing people to give him money, photos and information.

“He scammed me for a little bit of money when I was just a kid,” said Colby Meeds, 19, a Minecraft player who said Clark stole $50 from him in 2016 by offering to sell him a digital cape for a Minecraft character but not delivering it.

Reached via a brief video call Sunday from the Hillsborough County Jail in Tampa, Clark appeared in a black sleeveless shirt, his hair tumbling into his eyes. “What are your questions?” he asked, before pushing back his chair and hanging up. He is scheduled for a virtual court appearance Tuesday.

Clark and his sister grew up in Tampa with their mother, Emiliya Clark, a Russian immigrant who holds certifications to work as a facialist and as a real estate broker. Reached at her home, his mother declined to comment. His father lives in Indiana, according to public documents; he did not return a request for comment. His parents divorced when he was 7.

Clark doted on his dog and didn’t like school or have many friends, said James Xio, who met Clark online several years ago. He had a habit of moving between emotional extremes, flying off the handle over small transgressions, Xio said.

“He’d get mad mad,” said Xio, 18. “He had a thin patience.”

Abishek Patel, 19, who played Minecraft with Clark, defended him. “He has a good heart and always looks out for the people who he cares about,” he said.

In 2016, Clark set up a YouTube channel, according to social media monitoring firm SocialBlade. He built an audience of thousands of fans and became known for playing a violent version of Minecraft called Hardcore Factions, under user names like “Open” and “OpenHCF.”

But he became even better known for taking money from other Minecraft players. People can pay for upgrades with the game, like accessories for their characters.

One tactic used by Clark was appearing to sell desirable user names for Minecraft and then not actually providing the buyer with that user name. He also offered to sell capes for Minecraft characters, but sometimes vanished after other players sent him money.

Clark once offered to sell his own Minecraft user name, “Open,” said Nick Jerome, 21, a student at Christopher Newport University in Virginia. The two messaged over Skype and Jerome, who was then 17, said he sent about $100 for the user name because he thought it was cool. Then Clark blocked him.

“I was just kind of a dumb teenager, and looking back, there’s no way I should have ever done this,” Jerome said. “Why should I ever have trusted this dude?”

In late 2016 and early 2017, other Minecraft players produced videos on YouTube describing how they had lost money or faced online attacks after brushes with Clark’s alias “Open.” In some of those videos, Clark, who can be heard using racist and sexist epithets, also talked about being home schooled while making $5,000 a month from his Minecraft activities.

Clark’s real identity rarely showed up online. At one point, he revealed his face and gaming setup online, and some players called him Graham. His name was also mentioned in a 2017 Twitter post.

Clark’s interests soon expanded to the video game Fortnite and the lucrative world of cryptocurrencies. He joined an online forum for hackers, known as OGUsers, and used the screen name Graham$. His OGUsers account was registered from the same internet protocol address in Tampa that had been attached to his Minecraft accounts, according to research done for The New York Times by the online forensics firm Echosec.

Clark described himself on OGUsers as a “full time crypto trader dropout” and said he was “focused on just making money all around for everyone.” Graham$ was later banned from the community, according to posts uncovered by Echosec, after the moderators said he failed to pay Bitcoin to another user who had already sent him money to complete a transaction.

Still, Clark had already harnessed OGUsers to find his way into a hacker community known for taking over people’s phone numbers to access all of the online accounts attached to the numbers, an attack known as SIM swapping. The main goal was to drain victims’ cryptocurrency accounts.

In 2019, hackers remotely seized control of the phone of Gregg Bennett, a tech investor in the Seattle area. Within a few minutes, they had secured Bennett’s online accounts, including his Amazon and email accounts, as well as 164 bitcoins that were worth $856,000 at the time and would be worth $1.8 million today.

Bennett soon received an extortion note, which he shared with the Times. It was signed by Scrim, another of Clark’s online aliases, according to several of his online friends.

“We just want the remainder of the funds in the Bittrex,” Scrim wrote, referring to the Bitcoin exchange from which the coins had been taken. “We are always one step ahead and this is your easiest option.”

In April, the Secret Service seized 100 bitcoins from Clark, according to government forfeiture documents. A few weeks later, Bennett received a letter from the Secret Service saying they had recovered 100 of his bitcoins, citing the same code that was assigned to the coins seized from Clark.

It is unclear whether other people were involved in the incident or what happened to the remaining 64 bitcoins.

Bennett said in an interview that a Secret Service agent told him that the person with the stolen bitcoins was not arrested because he was a minor. The Secret Service did not respond to a request for comment.

By then, Clark was living in his own apartment in a Tampa condo complex. He had an expensive gaming setup, a balcony and a view of a grassy park, according to friends and social media posts.

Two neighbors said that Clark kept to himself, coming and going at unusual hours and driving a white BMW 3 Series.

On an Instagram account that has since been taken down, @error, Clark also shared videos of himself swaying to rap music in designer sneakers. He was given a shout-out on Instagram by a jeweler to the hip-hop elite, with a picture showing that Clark, as @error, had purchased a gem-encrusted Rolex.

Xio, who became close friends with Clark, said the April run-in with the Secret Service shook Clark.

“He knew he was given a second chance,” Xio said. “And he wanted to work on being as legit as possible.”

But less than two weeks after the Secret Service seizure, prosecutors said Clark began working to get inside Twitter. According to a government affidavit, Clark convinced a “Twitter employee that he was a co-worker in the IT department and had the employee provide credentials to access the customer service portal.”

For help, Clark found accomplices on OGUsers, according to the charging documents. The accomplices offered to broker the sale of Twitter accounts that had cool user names, like @w, while Clark would enter Twitter’s systems and change ownership of the accounts, according to the filings and accounts from the accomplices.

The hack unfolded on July 15. A few days later, one accomplice, who went by the name “lol,” told the Times that the person they knew as the mastermind began cheating the customers who wanted to covertly buy the Twitter accounts. The hacker took the money and handed over the account, but then quickly reclaimed it by using his access to Twitter’s systems to boot out the client. It was reminiscent of what Clark had done earlier on Minecraft.

When Clark’s online acquaintances learned he had been charged with the hack, several said they were not surprised.

“He never really seemed to care about anyone but himself,” said Connor Belcher, a gamer known as @iMakeMcVidz who had previously teamed up on a separate YouTube channel with Clark before becoming one of his online critics.

©2019 New York Times News Service