TAMPA — Before Graham Ivan Clark was arrested in last month’s high-profile hack of Twitter, the 17-year-old was under investigation for a less conspicuous digital crime:
“Sim swapping” is a scam where the cell phone provider is tricked into switching one person’s phone number to a phone owned by the scammer. Using that information, one could siphon personal information and money.
Clark’s history with sim swapping, first reported by the New York Times, was detailed in court documents filed this week by his attorney and prosecutors. They show he was the target of a sim swapping investigation by authorities in Florida and California.
Those revelations were the subject of a bail reduction hearing Wednesday requested by the defense to convince the court to reduce the 17-year-old’s $725,000 bail. He has been in the Hillsborough County jail since Friday, when he was arrested on charges that he reaped about $117,000 by accessing the Twitter accounts of prominent celebrities and companies and to solicit payments of the cryptocurrency Bitcoin.
The July 15 Twitter hack of accounts like Barack Obama and Kim Kardashian gained national media attention and so has Clark’s arrest. That notoriety brought unwanted attention to Wednesday’s virtual Zoom hearing, which was was “Zoom bombed” — provocateurs broke into the call to interrupt the proceedings. Posing as CNN and BBC News, they repeatedly interrupted the meeting with rap music, movie dialogue and shouting.
Then Hillsborough Circuit Judge Christopher Nash temporarily shut down the hearing after all of the participants’ screens were taken over by pornography.
Clark gained access to Twitter’s systems by convincing an employee he worked in the company’s information technology department, according to the arrest report produced by the Florida Department of Law Enforcement. Clark then had the employee provide credentials that Clark could use to access Twitter’s customer service portal.
Clark’s defense attorney, David Weisbrod, filed a motion seeking to reduce his client’s bail and overturn a court ruling Saturday that the teen must prove any funds used to post bail were obtained legitimately.
Weisbrod said that last year Clark was the subject of a sim swapping investigation that involved prosecutors from Hillsborough County and Santa Clara, Calif. A search warrant was executed at Clark’s home in Greater Northdale in August 2019, where agents seized about $15,000 in cash and electronic devices.
Sim swapping is most effective when the target is using two-factor authentication, said San Francisco tech executive Rob Ross, who created the website stopsimcrime.org after he fell victim to a sim swap scam in 2018. Two-factor authentication is a system where online passwords cannot be changed without the user receiving passwords or codes texted to their phone. Thus a hacker could figure out their passwords, but wouldn’t be able to change them and access the accounts without those texts.
But if a sim swapper can convince a cell phone carrier to switch the target’s cell number to a phone owned by the swapper, then they can use those texts to reset the target’s banking, email and social media accounts.
The scheme has become more frequent due to a “perfect storm” of factors, said Ross, who lost about $1 million in the fraud. Smartphones and text-message two-factor authentication have both become commonplace.
The third factor is the rise in value of Bitcoin: Each Bitcoin is currently worth more than $11,000, giving hacker a financial incentive to sim swap.
Ross isn’t familiar with Clark’s background, but said most sim swappers are in their teens or early 20s, and many get their start by hacking shoot ‘em up video games like “Call of Duty” or “Fortnite” to up their kills.
“The hackers grow up in this virtual world and they graduate from figuring out how to cheat to maybe doing credit cards to doing sim swapping,” Ross said.
Clark developed a reputation in video games “Minecraft” and “Fortnite” as an “adept scammer,” according to the New York Times.
During the 2019 investigation, agents froze a Bitcoin account used by Clark. The defense attorney said that account had about $1 million worth of Bitcoin. On Saturday, he told the court that authorities at one time had seized another $3 million worth of the cryptocurrency.
In April, investigators agreed to return Clark’s assets, Weisbrod said, but held onto about $1 million worth of Bitcoin from the frozen account. The attorney said Florida and California prosecutors both agreed not to pursue charges against the 17-year-old.
Weisbrod called the $725,000 bail — more than six times the amount Clark is accused of stealing — “disproportionate.” He argued that the Second District Court of Appeal has ruled that courts cannot hold defendants for the purpose of determining the source of bail funds. Nevertheless, he argued, the fact that $3 million was returned to Clark by investigators in 2019 legitimized those funds, otherwise authorities would still have them.
In a response to Weisbrod’s bail reduction motion, Hillsborough Assistant State Attorney Darrell Dirks argued in an opposing motion to keep the provision that Clark must prove the legitimacy of his funds. He wrote that last year Clark was the subject of a federal and California investigation into the alleged theft of about $1 million in cryptocurrency from California victims. Clark agreed to pay $900,000 worth of cryptocurrency as “partial restitution” to California victims, the motion said.
The New York Times linked Clark to the theft of Bitcoin from Seattle tech investor Gregg Bennett and that the U.S. Secret Service recovered 100 Bitcoin from Clark.
“Any attempt to suggest that this agreement should be read that prosecutors, here or in California, concluded that Defendant was not involved is incorrect and misleading,” Dirks wrote.
Santa Clara County District Attorney Erin West declined to comment on Wednesday on the case, writing in an email that she cannot discuss a juvenile case. Clark was 16 when he was investigated by California authorities.
Dirks argued in court on Wednesday that $725,00 bail was appropriate because the losses in the case are not necessarily limited to $117,000. The prosecutor also wrote that Clark’s “successful attempt to hijack the funds” took place little more than two weeks ago.
“We are still discovering the breadth and extent of the defendant’s criminal conduct,” Dirks said in court.
Weisbrod argued that believing the damages may be higher “isn’t good enough.”
The judge split the difference. After a brief hiatus that he hoped would discourage the trolls (the Zoom interruptions continued) Nash said he would not change the bail amount. But he axed the provision that Clark must prove he legitimately obtained the funds he uses to post bail.
The court this past weekend also forbade Clark from using the Internet. Weisbrod asked Wednesday that his client be allowed to go online to access his Bitcoin assets to post bail. That request was denied.
The next hearing is set for October. The judge said it will be password protected.