A chapter of internet history has come to a close. One of the cybercriminals behind 2020’s major Twitter hack was sentenced to five years in U.S. federal prison on Friday. Joseph O’Connor (AKA “PlugwalkJoe”), a 24-year-old British citizen, previously pleaded guilty to seven charges associated with the digital attack. He was arrested in Spain in 2021 and extradited to the U.S. in April of this year.
In addition to the five years of jail time, O’Connor was also sentenced to three additional years under supervised release and ordered to pay back more than $790,000 in illicitly obtained funds, according to a news release from the U.S. Attorney’s Office of the Southern District of New York. Previously, Graham Ivan Clark, another one of the hackers involved who was 17 at the time of the attack, pleaded guilty to related charges and was sentenced to three years in prison.
With all charges combined, O’Connor faced a maximum of 77 years in prison, per a Reuters report, while prosecutors called for a seven-year sentence. Ultimately, he will likely only serve about half of his five years, after having already spent nearly 2.5 years in pre-trial custody, Judge Jed S. Rakoff said during the Friday hearing, according to TechCrunch.
Along with his fellow hackers, O’Connor “used his sophisticated technological abilities for malicious purposes — conducting a complex SIM swap attack to steal large amounts of cryptocurrency, hacking Twitter, conducting computer intrusions to take over social media accounts, and even cyberstalking two victims, including a minor victim,” according to a previous statement given by prosecuting U.S. Attorney Damian Williams.
Way back in 2020, when Twitter still had a coherent verification system, the verified accounts of some of the world’s most well-known public figures were breached. In a massive attack that affected 130 accounts and sowed chaos across the platform, the likes of Barack Obama, Elon Musk, Jeff Bezos, Kim Kardashian, Joe Biden, Kanye West, and Warren Buffett all seemed to be promoting a cryptocurrency scam—with each account posting some version of a time-limited offer to double any payments sent to a specific bitcoin wallet.
“Everyone is asking me to give back, and now is the time. I am doubling all payments sent to my BTC address for the next 30 minutes. You send $1,000, I send you back $2,000,” posted Bill Gates’ official Twitter account on July 15, 2020. The tweet then linked to a bitcoin address and noted “Only going on for 30 minutes! Enjoy!” Enormous companies like Apple and every major crypto exchange were also targeted.
More than $120,000 was stolen this way, according to estimates from blockchain analytics firms. In an attempt at damage control, Twitter restricted many verified accounts’ ability to post. For a brief, shining period of time, celebrities, notable figures, and many journalists were unable to tweet.
An investigation by the New York State Department of Financial Services determined that the breach was made possible because Twitter “lacked adequate cybersecurity protections,” according to an October 2020 report. O’Connor and co were able to gain access to the social platform’s internal systems through a simple scheme of calling Twitter employees posing as the company IT department. They were able to trick four Twitter workers into providing their login credentials.
The FBI launched its own investigation, which found that O’Connor and his co-conspirators had managed to transfer account ownership to unauthorized users—sometimes themselves, and sometimes to others willing to pay for the accounts. O’Connor himself paid $10,000 to take over one specific, unnamed account, according to a Department of Justice press statement from May.
In addition to the Twitter hack, O’Connor also pleaded guilty to stealing nearly $800,000 from a crypto company by SIM swapping at least three executives’ phone numbers. He further admitted to blackmailing an unnamed public figure via Snapchat and swatting a 16-year-old girl.
“I am ashamed to be here,” O’Connor told Judge Rakoff during his Friday sentencing hearing, according to a report from Bloomberg. “I’m sorry to all the victims of my crimes. I’m here because I did stupid and shameful things.”
As a result of the hack, Twitter was prompted to make some security changes, like introducing hardware security keys for employees. However, these haven’t been enough to prevent additional breaches. Millions of Twitter IDs and additional user info were stolen and leaked in 2021. Gizmodo emailed Twitter for comment on the sentencing and with questions about the platform’s security and safety measures. In response, Twitter’s non-existent press department sent a poop emoji.