Login
Joseph James “PlugwalkJoe” O’Connor, a 24-year-old from the United Kingdom who earned his 15 minutes of fame by participating in the July 2020 hack of Twitter, has been sentenced to five years in a U.S. prison. That may seem like harsh punishment for a brief and very public cyber joy ride. But O’Connor also pleaded guilty in a separate investigation involving a years-long spree of cyberstalking and cryptocurrency theft enabled by “SIM swapping,” a crime wherein fraudsters trick a mobile provider into diverting a customer’s phone calls and text messages to a device they control.
Joseph “PlugwalkJoe” O’Connor, in a photo from a Globe Newswire press release Sept. 02, 2020, pitching O’Connor as a cryptocurrency expert and advisor.
On July 16, 2020 — the day after some of Twitter’s most recognizable and popular users had their accounts hacked and used to tweet out a bitcoin scam — KrebsOnSecurity observed that several social media accounts tied to O’Connor appeared to have inside knowledge of the intrusion. That story also noted that thanks to COVID-19 lockdowns at the time, O’Connor was stuck on an indefinite vacation at a popular resort in Spain.
Not long after the Twitter hack, O’Connor was quoted in The New York Times denying any involvement. “I don’t care,” O’Connor told The Times. “They can come arrest me. I would laugh at them. I haven’t done anything.”
Speaking with KrebsOnSecurity via Instagram instant message just days after the Twitter hack, PlugwalkJoe demanded that his real name be kept out of future blog posts here. After he was told that couldn’t be promised, he remarked that some people in his circle of friends had been known to hire others to deliver physical beatings on people they didn’t like.
O’Connor was still in Spain a year later when prosecutors in the Northern District of California charged him with conspiring to hack Twitter. At the same time, prosecutors in the Southern District of New York charged O’Connor with an impressive array of cyber offenses involving the exploitation of social media accounts, online extortion, cyberstalking, and the theft of cryptocurrency then valued at nearly USD $800,000.
In late April 2023, O’Connor was extradited from Spain to face charges in the United States. Two weeks later, he entered guilty pleas in both California and New York, admitting to all ten criminal charges levied against him. On June 23, O’Connor was sentenced to five years in prison.
PlugwalkJoe was part of a community that specialized in SIM-swapping victims to take over their online identities. Unauthorized SIM swapping is a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the target’s text messages and phone calls to a device they control.
From there, the attackers can reset the password for any of the victim’s online accounts that allow password resets via SMS. SIM swapping also lets attackers intercept one-time passwords needed for SMS-based multi-factor authentication (MFA).
O’Connor admitted to conducting SIM swapping attacks to take control over financial accounts tied to several cryptocurrency executives in May 2019, and to stealing digital currency currently valued at more than $1.6 million.
PlugwalkJoe also copped to SIM-swapping his way into the Snapchat accounts of several female celebrities and threatening to release nude photos found on their phones.
Victims who refused to give up social media accounts or submit to extortion demands were often visited with “swatting attacks,” wherein O’Connor and others would falsely report a shooting or hostage situation in the hopes of tricking police into visiting potentially lethal force on a target’s address.
Prosecutors said O’Connor even swatted and cyberstalked a 16-year-old girl, sending her nude photos and threatening to rape and/or murder her and her family.
In the case of the Twitter hack, O’Connor pleaded guilty to conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and conspiracy to commit money laundering.
The account “@shinji,” a.k.a. “PlugWalkJoe,” tweeting a screenshot of Twitter’s internal tools interface, on July 15, 2020.
To resolve the case against him in New York, O’Connor pleaded guilty to conspiracy to commit computer intrusion, two counts of committing computer intrusions, making extortive communications, two counts of stalking, and making threatening communications.
In addition to the prison term, O’Connor was sentenced to three years of supervised release, and ordered to pay $794,012.64 in forfeiture.
To be clear, the Twitter hack of July 2020 did not involve SIM-swapping. Rather, Twitter said the intruders tricked a Twitter employee over the phone into providing access to internal tools.
Three others were charged along with O’Connor in the Twitter compromise. The alleged mastermind of the hack, then 17-year-old Graham Ivan Clarke from Tampa, Fla., pleaded guilty in 2021 and agreed to serve three years in prison, followed by three years probation.
This story is good reminder about the need to minimize your reliance on the mobile phone companies for securing your online identity. This means reducing the number of ways your life could be turned upside down if someone were to hijack your mobile phone number.
Most online services require users to validate a mobile phone number as part of setting up an account, but some services will let you remove your phone number after the fact. Those services that do you let you remove your phone number or disable SMS/phone calls for account recovery probably also offer more secure multi-factor authentication options, such as app-based one-time passwords and security keys. Check out 2fa.directory for a list of multi-factor options available across hundreds of popular sites and services.
Three men in the United Kingdom were arrested this month for attempting to assault a local man and steal his virtual currencies. The incident is the latest example of how certain cybercriminal communities are increasingly turning to physical violence to settle scores and disputes.
Shortly after 11 p.m. on September 6, a resident in the Spalding Common area in the district of Lincolnshire, U.K. phoned police to say three men were acting suspiciously, and had jumped a nearby fence.
“The three men made off in a VW Golf and were shortly stopped nearby,” reads a statement by the Lincolnshire Police. “The car was searched by officers who found an imitation firearm, taser, a baseball bat and police uniform in the boot.”
Thomas Green, 23, Rayhan Miah, 23, and Leonardo Sapiano, 24 were all charged with possession of the weapons, and “with intent to cause loss to another to make an unwarranted demand of Crypto Currency from a person.”
KrebsOnSecurity has learned that the defendants were in Spalding Common to pay a surprise visit to a 19-year-old hacker known by the handles “Discoli,” “Disco Dog,” and “Chinese.” In December 2020, Discoli took credit for hacking and leaking the user database for OGUsers, a forum overrun with people looking to buy, sell and trade access to compromised social media accounts.
Reached via Telegram, Discoli confirmed that police believe the trio was trying to force their way into his home in Spalding Common, and that one of them was wearing a police uniform when they approached his residence.
“They were obvious about being fake police, so much so that one of our neighbours called,” Discoli said in an instant message chat. “That call led to the arrests. Their intent was for robbery/blackmail of crypto, I just happened to not be home at the time.”
The Lincolnshire Police declined to comment for this story, citing an ongoing investigation.
Discoli said he didn’t know any of the men charged, but believes they were hired by one of his enemies. And he said his would-be assailants didn’t just target him specifically.
“They had a list of people they wanted to hit consecutively as far as I know,” he said.
The foiled robbery is the latest drama tied to members of certain criminal hacking communities who are targeting one another with physical violence, by making a standing offer to pay thousands of dollars to anyone in the target’s region who agrees to carry out the assaults.
Last month, a 21-year-old New Jersey man was arrested and charged with stalking in connection with a federal investigation into groups of cybercriminals who are settling scores by hiring people to carry out physical attacks on their rivals.
Prosecutors say Patrick McGovern-Allen recently participated in several of these schemes — including firing a handgun into a Pennsylvania home and torching a residence in another part of the state with a Molotov Cocktail.
McGovern-Allen and the three U.K. defendants are part of an online community that is at the forefront of a dangerous escalation in coercion and intimidation tactics increasingly used by competing cybercriminal groups to steal cryptocurrency from one another and to keep their rivals in check.
The Telegram chat channels where these young men transact have hundreds to thousands of members each, and some of the more interesting solicitations on these communities are job offers for in-person assignments and tasks that can be found if one searches for posts titled, “If you live near,” or “IRL job” — short for “in real life” job.
A number of these classified ads are in service of performing “brickings,” where someone is hired to visit a specific address and toss a brick through the target’s window. Indeed, prior to McGovern-Allen’s arrest, his alleged Telegram persona bragged that he’d carried out several brickings for hire.
Many of the individuals involved in paying others to commit these physical attacks are also frequent participants in Telegram chat channels focused singularly on SIM swapping, a crime in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s various online accounts and identities.
Unsurprisingly, the vast majority of people currently being targeted for brickings and other real-life physical assaults via Telegram tend to be other cybercriminals involved in SIM swapping crimes (or individuals on the periphery of that scene).
The United Kingdom is home to a number of young men accused of stealing millions of dollars worth of cryptocurrencies via SIM swapping. Joseph James O’Connor, a.k.a. “Plugwalk Joe”, was arrested in Spain in July 2021 under an FBI warrant on 10 counts of offenses related to unauthorized computer access and cyber bullying. U.S. investigators say O’Connor also played a central role in the 2020 intrusion at Twitter, wherein Twitter accounts for top celebrities and public figures were forced to tweet out links to cryptocurrency scams. O’Connor is currently fighting extradition to the United States.
Robert Lewis Barr, a 25-year-old Scottish man who allegedly stole more than $8 million worth of crypto, was arrested on an FBI warrant last year and is also fighting his extradition. U.S. investigators say Barr SIM swapped a U.S. bitcoin broker in 2017, and that he spent much of the stolen funds throwing lavish parties at rented luxury apartments in central Glasgow.
In many ways, these violence-as-a-service incidents are a natural extension of “swatting,” wherein fake bomb threats, hostage situations and other violent scenarios are phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address. According to prosecutors, both Barr and O’Connor have a history of swatting their enemies and their SIM swapping victims.
FreshRSS 