1 00:00:04,953 --> 00:00:07,080 [gentle music] 2 00:00:07,080 --> 00:00:11,209 NATHANIEL: On July 15, 2020, I was working from home, 3 00:00:11,209 --> 00:00:14,462 talking to one of my sources in the crypto world 4 00:00:14,462 --> 00:00:17,757 and idly scrolling through Twitter. 5 00:00:17,757 --> 00:00:19,425 KATE: So I'm scrolling through Twitter, 6 00:00:19,425 --> 00:00:21,469 like I do way too often, 7 00:00:21,469 --> 00:00:24,472 and I saw a tweet from Elon Musk. 8 00:00:25,473 --> 00:00:27,725 "If you send me $1,000 worth of Bitcoin, 9 00:00:27,725 --> 00:00:30,019 I'll send you back $2,000." 10 00:00:30,019 --> 00:00:32,814 Which felt like an obvious scam. 11 00:00:32,814 --> 00:00:35,358 I just thought, "Oh, someone finally hacked his account. 12 00:00:35,358 --> 00:00:37,444 Good for them, I guess." 13 00:00:37,444 --> 00:00:39,028 And then I started seeing 14 00:00:39,028 --> 00:00:40,905 all these other accounts starting to get hit. 15 00:00:40,905 --> 00:00:43,408 ‐ I was seeing this same tweet 16 00:00:43,408 --> 00:00:45,660 coming up from Apple, Uber... 17 00:00:45,660 --> 00:00:47,328 KATE: Jeff Bezos, Bill Gates... 18 00:00:47,328 --> 00:00:48,997 NATHANIEL: Joe Biden. KATE: Barack Obama. 19 00:00:48,997 --> 00:00:51,166 NATHANIEL: Michael Bloomberg. Floyd Mayweather. 20 00:00:51,166 --> 00:00:52,500 KATE: Kanye West. 21 00:00:52,500 --> 00:00:54,252 NATHANIEL: And of course, Kim Kardashian. 22 00:00:54,669 --> 00:00:58,339 ‐ Twitter turned off tweeting for all the verified accounts. 23 00:00:58,339 --> 00:01:00,216 ‐ And it suddenly became clear 24 00:01:00,216 --> 00:01:02,469 just how significant Twitter was. 25 00:01:02,469 --> 00:01:03,887 ‐ Developing this morning, 26 00:01:03,887 --> 00:01:06,055 Twitter is investigating a massive hack. 
27 00:01:06,055 --> 00:01:07,515 ‐ [speaking French] 28 00:01:07,515 --> 00:01:09,184 ANNOUNCER: [speaking Japanese] 29 00:01:09,184 --> 00:01:12,687 ‐ [speaking native language] 30 00:01:12,687 --> 00:01:15,106 ‐ And they literally brought Twitter to its knees. 31 00:01:15,106 --> 00:01:17,484 [tense music] 32 00:01:17,484 --> 00:01:19,068 The first thought was, 33 00:01:19,068 --> 00:01:21,946 "This is too sophisticated 34 00:01:21,946 --> 00:01:23,907 for this just to be a Bitcoin scam." 35 00:01:23,907 --> 00:01:25,116 COMMENTER: It could have been a nation‐state 36 00:01:25,116 --> 00:01:26,534 that executed this. 37 00:01:26,534 --> 00:01:29,621 ‐ We've never seen anything of this scope or scale. 38 00:01:29,621 --> 00:01:33,666 ‐ It immediately sort of recalled the 2016 elections, 39 00:01:33,666 --> 00:01:35,835 and the DNC gets hacked, and Hillary Clinton's emails 40 00:01:35,835 --> 00:01:37,545 are floating out there. 41 00:01:37,545 --> 00:01:39,255 All this personal information 42 00:01:39,255 --> 00:01:42,383 about the most significant cultural, business, 43 00:01:42,383 --> 00:01:44,886 and political figures had been penetrated. 44 00:01:44,886 --> 00:01:46,012 ‐ Pete, what do we know right now? 45 00:01:46,012 --> 00:01:47,013 NEWSCASTER: Chris, what do we know? 46 00:01:47,013 --> 00:01:48,014 ‐ Don't have any real answers 47 00:01:48,014 --> 00:01:49,390 about what's going on here. 48 00:01:49,390 --> 00:01:50,600 NATHANIEL: Everybody was just sort of waiting 49 00:01:50,600 --> 00:01:52,060 with bated breath to figure out 50 00:01:52,060 --> 00:01:54,103 who was behind the attack. 51 00:01:56,856 --> 00:01:58,358 ‐ Teenagers. 52 00:01:58,358 --> 00:02:01,903 [rock music] 53 00:02:01,903 --> 00:02:03,488 ANDREW WARREN: Federal law enforcement agents 54 00:02:03,488 --> 00:02:06,074 arrested 17‐year‐old Graham Clark 55 00:02:06,074 --> 00:02:09,661 for being the mastermind behind the July 15th hack of Twitter. 
56 00:02:09,661 --> 00:02:16,668 ♪ ♪ 57 00:02:18,419 --> 00:02:19,712 ALLISON: Should I sit down? PRODUCER: Yeah. 58 00:02:19,712 --> 00:02:21,756 ALLISON: Okay. 59 00:02:28,846 --> 00:02:34,519 ‐ Why not both? Because that's the truth. 60 00:02:34,519 --> 00:02:39,399 Uh, like, super sophisticated, advanced hackers and children. 61 00:02:39,399 --> 00:02:42,110 These are not mutually exclusive categories here. 62 00:02:42,110 --> 00:02:45,113 [spacey electronic music] 63 00:02:45,113 --> 00:02:52,120 ♪ ♪ 64 00:02:56,791 --> 00:02:59,794 NEWSCASTER: A Florida teen is behind bars this morning 65 00:02:59,794 --> 00:03:02,839 and accused of masterminding that massive Twitter hack. 66 00:03:02,839 --> 00:03:06,551 JUDGE: I'm just gonna do a $25,000 bond on each count. 67 00:03:06,551 --> 00:03:10,346 That'll be a total of $750,000. 68 00:03:10,346 --> 00:03:11,931 REPORTER: At just 17 years old, 69 00:03:11,931 --> 00:03:14,517 Florida officials say this is the mastermind 70 00:03:14,517 --> 00:03:17,020 behind an unprecedented hack into Twitter. 71 00:03:17,020 --> 00:03:19,939 ♪ ♪ 72 00:03:19,939 --> 00:03:23,067 ‐ Our focus, as soon as he got arrested, 73 00:03:23,067 --> 00:03:26,696 was to try to figure out, who is Graham Ivan Clark? 74 00:03:26,696 --> 00:03:33,703 ♪ ♪ 75 00:03:37,832 --> 00:03:41,419 KATE: It is clear from talking to some of the kids 76 00:03:41,419 --> 00:03:42,712 that went to school with him 77 00:03:42,712 --> 00:03:44,547 and other people around the school 78 00:03:44,547 --> 00:03:46,466 that Graham was attracting attention 79 00:03:46,466 --> 00:03:48,676 because he seemed to have 80 00:03:48,676 --> 00:03:50,887 sort of an unusual amount of wealth 81 00:03:50,887 --> 00:03:52,430 for someone of his age. 82 00:03:52,430 --> 00:03:59,437 ♪ ♪ 83 00:04:01,564 --> 00:04:03,608 He was flashing large amounts of cash, 84 00:04:03,608 --> 00:04:05,443 was offering it to his classmates 85 00:04:05,443 --> 00:04:08,029 to do him favors. 
86 00:04:08,029 --> 00:04:11,074 It begs the question, you know, if there's a kid 87 00:04:11,074 --> 00:04:13,701 that's flaunting this much money, 88 00:04:13,701 --> 00:04:15,912 why no one stepped in, 89 00:04:15,912 --> 00:04:18,665 and no one asked him where the money was coming from 90 00:04:18,665 --> 00:04:20,416 and what was going on in his life. 91 00:04:20,416 --> 00:04:23,211 [somber music] 92 00:04:23,211 --> 00:04:24,504 ♪ ♪ 93 00:04:24,504 --> 00:04:25,713 REPORTER: Reached by phone Friday, 94 00:04:25,713 --> 00:04:27,465 Clark's mother told "NBC News," 95 00:04:27,465 --> 00:04:28,966 "I believe he didn't do it. 96 00:04:28,966 --> 00:04:31,761 I've spoken to him every day. I'm devastated." 97 00:04:32,512 --> 00:04:34,806 NATHANIEL: I mean, this all began when he was, 98 00:04:34,806 --> 00:04:36,766 like, 12 or 13 years old. 99 00:04:36,766 --> 00:04:38,768 ♪ ♪ 100 00:04:38,768 --> 00:04:42,814 His parents had divorced. His dad had moved away. 101 00:04:42,814 --> 00:04:46,776 ALLISON: It seems like his mom moved around quite a lot 102 00:04:46,776 --> 00:04:48,945 and actually faced eviction in 2013. 103 00:04:48,945 --> 00:04:51,656 NATHANIEL: And as for many kids, 104 00:04:51,656 --> 00:04:53,449 Graham turned to the digital world 105 00:04:53,449 --> 00:04:56,285 as this place where he could have power. 106 00:04:57,286 --> 00:04:58,788 ANNOUNCER: Let's go to a place 107 00:04:58,788 --> 00:05:00,790 where everything is made of blocks, 108 00:05:00,790 --> 00:05:03,292 where the only limit is your imagination. 109 00:05:03,292 --> 00:05:05,253 KATE: "Minecraft" is a video game 110 00:05:05,253 --> 00:05:07,088 that is very expansive. 111 00:05:07,088 --> 00:05:08,965 ANNOUNCER: Climb the tallest mountains. 112 00:05:08,965 --> 00:05:10,883 ‐ The characters kind of remind me 113 00:05:10,883 --> 00:05:12,385 of little Lego characters, almost. 114 00:05:12,385 --> 00:05:15,638 They're just these, like, rectangular little guys. 
115 00:05:15,638 --> 00:05:18,182 You know, all the trees are rectangles and stuff like that. 116 00:05:18,182 --> 00:05:20,309 ANNOUNCER: There's no rules to follow. 117 00:05:20,309 --> 00:05:22,729 This adventure‐‐ it's up to you. 118 00:05:22,729 --> 00:05:25,523 CONNOR: "Minecraft" is classified as a block game, 119 00:05:25,523 --> 00:05:27,775 and people build bases, build houses. 120 00:05:27,775 --> 00:05:30,486 I'm more into, like‐‐ we attack them. 121 00:05:30,486 --> 00:05:31,612 We destroy them. 122 00:05:31,612 --> 00:05:34,615 [rock music] 123 00:05:34,615 --> 00:05:38,202 ♪ ♪ 124 00:05:38,202 --> 00:05:41,539 ‐ Sorry. 125 00:05:41,539 --> 00:05:43,666 Oh, I guess that'd be fine. 126 00:05:43,666 --> 00:05:45,793 So you can meet people on "Minecraft," 127 00:05:45,793 --> 00:05:48,171 and you can talk with them on the game. 128 00:05:48,171 --> 00:05:51,507 I met my girlfriend through "Minecraft" as well. 129 00:05:51,507 --> 00:05:52,884 I'm on "Minecraft" right now. 130 00:05:54,677 --> 00:05:58,389 Obviously, that's great, but you also have to watch out, 131 00:05:58,389 --> 00:06:00,057 because there are bad people 132 00:06:00,057 --> 00:06:01,684 that will try to take advantage of you, as well. 133 00:06:01,684 --> 00:06:03,603 GRAHAM: Yo, what's going on, guys? 134 00:06:03,603 --> 00:06:05,229 It's Open here, and just before I get going‐‐ 135 00:06:05,229 --> 00:06:08,691 KATE: We have some recordings of Graham during that time 136 00:06:08,691 --> 00:06:11,652 where he's using the username Open. 137 00:06:11,652 --> 00:06:15,114 ‐ I, uh, first met Open back in 2017, 138 00:06:15,114 --> 00:06:17,784 on the game mode that I still play to this day. 139 00:06:17,784 --> 00:06:20,203 And I was told by a lot of my fans 140 00:06:20,203 --> 00:06:22,789 that he was scamming them and taking money from them. 141 00:06:22,789 --> 00:06:24,123 GRAHAM: And so if I say "[bleep] you," 142 00:06:24,123 --> 00:06:25,708 is that staff disrespect? 
143 00:06:25,708 --> 00:06:26,793 MODERATOR: Not really. I don't care 144 00:06:26,793 --> 00:06:28,377 'cause you're, like, 12. 145 00:06:28,377 --> 00:06:30,588 OPEN: I'm, like, 12, but I make more money than you. 146 00:06:30,588 --> 00:06:32,298 ‐ He didn't really seem to care at all. 147 00:06:32,298 --> 00:06:33,299 GRAHAM: I don't give a [bleep]. 148 00:06:33,299 --> 00:06:34,592 You're pissing me off. 149 00:06:34,592 --> 00:06:36,010 PLAYER: All right, man. You can leave now. 150 00:06:36,010 --> 00:06:37,011 GRAHAM: No, you can leave. 151 00:06:37,011 --> 00:06:39,180 ‐ And the cape scamming 152 00:06:39,180 --> 00:06:40,765 was, like, what started it off. 153 00:06:40,765 --> 00:06:42,892 [electronic music] 154 00:06:42,892 --> 00:06:45,311 You can buy capes on the game, 155 00:06:45,311 --> 00:06:48,856 and it will go on your "Minecraft" character. 156 00:06:48,856 --> 00:06:50,566 And I mean, it's just‐‐they're valuable, 157 00:06:50,566 --> 00:06:52,068 and people want to show it off, 158 00:06:52,068 --> 00:06:54,654 and it's kind of cool to have one on your character. 159 00:06:54,654 --> 00:06:57,490 Back then, I would say each cape was around, like, 160 00:06:57,490 --> 00:06:59,408 a hundred to two hundred dollars, 161 00:06:59,408 --> 00:07:01,035 and he would sell the cape, 162 00:07:01,035 --> 00:07:02,620 and then would never give the cape 163 00:07:02,620 --> 00:07:04,372 to the person who bought it. 164 00:07:05,873 --> 00:07:07,375 When I heard about what he was doing, 165 00:07:07,375 --> 00:07:09,335 I figured that I needed to say something. 166 00:07:09,335 --> 00:07:12,171 Open has scammed. He has fake giveaways. 167 00:07:12,171 --> 00:07:14,799 He has done pretty much everything. 168 00:07:14,799 --> 00:07:18,177 And I pretty much made a couple of videos on him explaining, 169 00:07:18,177 --> 00:07:19,679 like, how he was scamming people. 170 00:07:19,679 --> 00:07:23,808 Let's get into this. Open exposed. 
171 00:07:23,808 --> 00:07:25,434 The first few would expose 172 00:07:25,434 --> 00:07:27,436 what he scammed with the MINECON capes, 173 00:07:27,436 --> 00:07:29,438 how he treated his fans, how he did business, 174 00:07:29,438 --> 00:07:31,524 how he would say that he would record a video, 175 00:07:31,524 --> 00:07:34,402 he would get paid for it, and then he wouldn't do it. 176 00:07:34,402 --> 00:07:36,862 And then the final video that I ever posted on him 177 00:07:36,862 --> 00:07:38,823 was just us talking back and forth 178 00:07:38,823 --> 00:07:40,449 arguing with each other. 179 00:07:40,449 --> 00:07:41,867 GRAHAM: It wasn't a fake giveaway. 180 00:07:41,867 --> 00:07:43,202 I just didn't give the [bleep] to the winner. 181 00:07:43,202 --> 00:07:44,787 CONNOR: Exactly. GRAHAM: And I don't care. 182 00:07:44,787 --> 00:07:46,622 ‐ If I did a MINECON cape giveaway, I'd give it away. 183 00:07:46,622 --> 00:07:48,332 GRAHAM: But you don't have a [bleep] MINECON cape, so‐‐ 184 00:07:48,332 --> 00:07:50,126 CONNOR: Exactly. GRAHAM: But you don't hop 185 00:07:50,126 --> 00:07:52,003 on anyone else's dick. Like, Versi‐‐Versi does‐‐ 186 00:07:52,003 --> 00:07:54,171 CONNOR: I don't know who that is! 187 00:07:54,171 --> 00:07:55,548 So Open ended up getting banned 188 00:07:55,548 --> 00:07:57,216 off of, like, all these servers, 189 00:07:57,216 --> 00:07:58,718 after I showed the proof in my videos 190 00:07:58,718 --> 00:08:00,636 how he was scamming. 191 00:08:00,636 --> 00:08:04,140 And then that is when I ended up getting hacked. 192 00:08:12,315 --> 00:08:15,318 [desolate music] 193 00:08:15,318 --> 00:08:18,321 CONNOR: I lost access to my Skype 194 00:08:18,321 --> 00:08:21,949 and my engine account. 195 00:08:21,949 --> 00:08:23,743 They would, like, message people 196 00:08:23,743 --> 00:08:26,829 and pretend to be me, and scam them. 
197 00:08:28,789 --> 00:08:31,584 And one of my friends that was on that Skype account‐‐ 198 00:08:31,584 --> 00:08:32,793 she was one of my fans. 199 00:08:32,793 --> 00:08:34,670 Like, she watched my videos and stuff. 200 00:08:34,670 --> 00:08:36,631 I lost contact with her, 201 00:08:36,631 --> 00:08:39,300 and she actually ended up dying in a car crash, 202 00:08:39,300 --> 00:08:42,553 so it really, I guess, affected me 203 00:08:42,553 --> 00:08:45,348 that one of the reasons I lost contact with her 204 00:08:45,348 --> 00:08:48,225 was obviously because Open paid someone to hack me. 205 00:08:50,603 --> 00:08:53,522 KATE: I don't think that there is a big leap 206 00:08:53,522 --> 00:08:54,899 between experimenting 207 00:08:54,899 --> 00:08:58,527 with edgy or uncomfortable behavior online 208 00:08:58,527 --> 00:09:02,198 and experimenting with illegal behavior online, 209 00:09:02,198 --> 00:09:03,991 especially in a world like "Minecraft," 210 00:09:03,991 --> 00:09:05,451 where you're just playing with other kids. 211 00:09:05,451 --> 00:09:07,078 PLAYER: Are you [bleep] kidding me, Open? 212 00:09:07,078 --> 00:09:08,496 You hit him off? GRAHAM: I swear on my life. 213 00:09:08,496 --> 00:09:09,830 I swear on my mom's life. 214 00:09:09,830 --> 00:09:11,791 ‐ There aren't any adults watching, 215 00:09:11,791 --> 00:09:13,709 and there is no sense of, like, 216 00:09:13,709 --> 00:09:16,170 "Oh, this behavior could be a problem." 217 00:09:16,170 --> 00:09:19,131 NATHANIEL: Graham eventually got more or less driven 218 00:09:19,131 --> 00:09:20,508 out of the "Minecraft" community. 219 00:09:20,508 --> 00:09:22,218 I mean, nobody trusted him. 220 00:09:22,218 --> 00:09:24,011 KATE: And the next trace of him 221 00:09:24,011 --> 00:09:25,388 that we were able to find 222 00:09:25,388 --> 00:09:27,640 was that he started setting up accounts 223 00:09:27,640 --> 00:09:29,475 on this forum called OGUsers. 
224 00:09:29,475 --> 00:09:36,357 ♪ ♪ 225 00:09:36,357 --> 00:09:40,194 OGUsers is a forum where you can buy and sell usernames 226 00:09:40,194 --> 00:09:42,738 on a variety of social media platforms. 227 00:09:42,738 --> 00:09:44,240 And some people want, you know, 228 00:09:44,240 --> 00:09:45,783 just a funny, short name, 229 00:09:45,783 --> 00:09:48,452 or even just a number, or a letter. 230 00:09:49,954 --> 00:09:52,206 ‐ It's cool. [laughs] 231 00:09:52,206 --> 00:09:54,375 ‐ An OG Username‐‐ it stands for "original," 232 00:09:54,375 --> 00:09:56,377 not "original gangster," 233 00:09:56,377 --> 00:09:58,212 and these are basically dictionary words 234 00:09:58,212 --> 00:10:00,172 or very short usernames. 235 00:10:05,386 --> 00:10:08,931 So some examples of it would be like the letter A, 236 00:10:08,931 --> 00:10:11,642 the word "hacker," usernames like that, 237 00:10:11,642 --> 00:10:13,310 things that get taken up very quickly 238 00:10:13,310 --> 00:10:16,856 and usually signify that you're an early adopter of the service 239 00:10:16,856 --> 00:10:20,317 or a hacker. 240 00:10:20,317 --> 00:10:22,361 [spacey music] 241 00:10:22,361 --> 00:10:24,155 ♪ ♪ 242 00:10:24,155 --> 00:10:26,657 KATE: Graham started setting up accounts 243 00:10:26,657 --> 00:10:28,868 and buying and selling usernames. 244 00:10:30,411 --> 00:10:32,621 In the forum, there's sort of a mix of people. 245 00:10:32,621 --> 00:10:35,541 You know, some people are amateur hackers 246 00:10:35,541 --> 00:10:39,587 or just kind of starting out in their hacking career. 247 00:10:39,587 --> 00:10:41,964 There's people who are really experienced at this 248 00:10:41,964 --> 00:10:43,924 there, as well. 249 00:11:25,216 --> 00:11:29,470 ‐ So what is a SIM swap? Keep in‐‐let's see. 250 00:11:31,722 --> 00:11:34,975 So you have a scenario where your second factor 251 00:11:34,975 --> 00:11:36,811 for security is actually zero factor. 
252 00:11:36,811 --> 00:11:39,063 The third factor‐‐the login to the‐‐two‐factor token. 253 00:11:39,063 --> 00:11:41,774 Now, keep in mind, if the token was hacked, 254 00:11:41,774 --> 00:11:43,025 the threat actor‐‐ the voice actor. 255 00:11:43,025 --> 00:11:44,652 Password. Username. Profile. Reset. 256 00:11:44,652 --> 00:11:46,195 Register the‐‐access the security device. 257 00:11:46,195 --> 00:11:49,406 And that's how they would take over victims' phone numbers. 258 00:11:49,406 --> 00:11:52,409 [desolate music] 259 00:11:52,409 --> 00:11:59,416 ♪ ♪ 260 00:12:03,504 --> 00:12:05,548 One of the things that they would do is, 261 00:12:05,548 --> 00:12:07,633 they could call one of the stores 262 00:12:07,633 --> 00:12:09,593 and pretend to be a different store, 263 00:12:09,593 --> 00:12:11,971 and steal their credentials that way. 264 00:12:24,775 --> 00:12:27,027 ‐ "I'm calling regarding a complaint opened by this store. 265 00:12:27,027 --> 00:12:29,530 "It says here that you were having issues with your kiosk 266 00:12:29,530 --> 00:12:31,949 connecting to Bluetooth over on the card reader." 267 00:12:36,829 --> 00:12:38,622 ‐ "Can you please go ahead and open your Google Chrome, 268 00:12:38,622 --> 00:12:40,332 and type in this URL?" 269 00:12:46,422 --> 00:12:48,257 ‐ And this username and password 270 00:12:48,257 --> 00:12:51,719 goes to the hackers, who then use it to log in, 271 00:12:51,719 --> 00:12:53,804 and then they can perform SIM swaps. 272 00:12:59,977 --> 00:13:02,688 ♪ ♪ 273 00:13:02,688 --> 00:13:04,231 NATHANIEL: This began with, 274 00:13:04,231 --> 00:13:06,942 "Okay, I'm gonna get control of somebody's phone number 275 00:13:06,942 --> 00:13:08,527 so that I can get their Twitter account," 276 00:13:08,527 --> 00:13:10,905 but they pretty quickly realized, 277 00:13:10,905 --> 00:13:13,073 "Oh, if I can get control of their Twitter account, 278 00:13:13,073 --> 00:13:16,076 "I can also get control of their email account. 
279 00:13:16,076 --> 00:13:17,620 "And if I can get control of their email account, 280 00:13:17,620 --> 00:13:19,371 "maybe I can also reset 281 00:13:19,371 --> 00:13:22,625 the access to their bank account." 282 00:13:22,625 --> 00:13:24,919 KATE: But it becomes a lot more lucrative 283 00:13:24,919 --> 00:13:28,255 if you start going after people who hold a lot of Bitcoin. 284 00:13:29,757 --> 00:13:32,384 NATHANIEL: I mean, you know, you think of, like, 285 00:13:32,384 --> 00:13:35,971 a bank robber in days of old. There was no bank robber 286 00:13:35,971 --> 00:13:38,265 who was gonna make off with $24 million, 287 00:13:38,265 --> 00:13:40,309 but these kids could get control 288 00:13:40,309 --> 00:13:44,063 of somebody's Bitcoin account and take all of their money. 289 00:13:54,323 --> 00:13:56,241 ALLISON: What would be appealing 290 00:13:56,241 --> 00:13:58,577 about this community to a child? 291 00:13:58,577 --> 00:14:00,454 A lot of these kids are powerless 292 00:14:00,454 --> 00:14:03,165 in their real life. They're often mistreated. 293 00:14:03,165 --> 00:14:04,541 They often don't have a lot of friends, 294 00:14:04,541 --> 00:14:07,252 and at the core of it, they're seeking acceptance. 295 00:14:07,252 --> 00:14:08,754 They need a group of friends, 296 00:14:08,754 --> 00:14:11,465 and they need people that will accept them. 297 00:14:11,465 --> 00:14:14,677 On top of that, this community can offer money. 298 00:14:14,677 --> 00:14:18,097 NATHANIEL: Here's this kid around 15, 16. 299 00:14:18,097 --> 00:14:22,059 He introduces himself to the world of OGUsers, 300 00:14:22,059 --> 00:14:25,980 and soon enough, he falls in with this gang 301 00:14:25,980 --> 00:14:29,149 in which he can suddenly make $1 million in a day. 
302 00:14:37,533 --> 00:14:40,536 [spacey music] 303 00:14:40,536 --> 00:14:42,621 KATE: It seems like at a certain point, 304 00:14:42,621 --> 00:14:46,083 Graham really started to escalate his behavior, 305 00:14:46,083 --> 00:14:47,835 and we start to see him 306 00:14:47,835 --> 00:14:50,295 move into these much more lucrative thefts 307 00:14:50,295 --> 00:14:52,506 that could net potentially millions of dollars. 308 00:15:14,111 --> 00:15:15,571 ‐ My name is Gregg Bennett. 309 00:15:15,571 --> 00:15:18,198 I am an angel investor in the Pacific Northwest, 310 00:15:18,198 --> 00:15:20,367 and I have a kind of a side gig 311 00:15:20,367 --> 00:15:22,703 in Bitcoin and cryptocurrency in general, 312 00:15:22,703 --> 00:15:24,830 which I consider a specialty area of mine now. 313 00:15:24,830 --> 00:15:27,082 ♪ ♪ 314 00:15:27,082 --> 00:15:30,753 It was April 15, 2019, and I was in my office, 315 00:15:30,753 --> 00:15:32,129 and it was a beautiful, sunny day. 316 00:15:32,129 --> 00:15:33,714 The sun was streaming in over my shoulder, 317 00:15:33,714 --> 00:15:35,257 and I was at my standup desk, 318 00:15:35,257 --> 00:15:37,092 and I'm looking at my phone, and my phone, 319 00:15:37,092 --> 00:15:38,844 all of a sudden, went dead. 320 00:15:38,844 --> 00:15:42,056 I get no signal, and it's in the middle of an urban area, 321 00:15:42,056 --> 00:15:45,267 and I don't get anything on my phone. 322 00:15:45,267 --> 00:15:47,394 I have four email accounts. Three of them, 323 00:15:47,394 --> 00:15:48,687 all of a sudden, I could not get into. 324 00:15:48,687 --> 00:15:50,314 And so now I'm going, 325 00:15:50,314 --> 00:15:52,107 "Uh‐oh. This is not good." 326 00:15:52,107 --> 00:15:53,734 I can't get access to my email, 327 00:15:53,734 --> 00:15:55,235 and now I can't get access to my phone. 328 00:15:55,235 --> 00:15:57,863 I smell a rat. 
329 00:15:57,863 --> 00:15:59,406 So I immediately try to get 330 00:15:59,406 --> 00:16:01,325 into my three cryptocurrency accounts 331 00:16:01,325 --> 00:16:02,910 at separate companies, 332 00:16:02,910 --> 00:16:05,245 and I couldn't get into any one of 'em. 333 00:16:08,082 --> 00:16:11,043 And so then you realize, "Wow. I am definitely being hacked." 334 00:16:11,043 --> 00:16:13,504 [uneasy music] 335 00:16:13,504 --> 00:16:14,922 Now, I'm in a mad panic, 336 00:16:14,922 --> 00:16:16,715 'cause I can't get access to my accounts. 337 00:16:16,715 --> 00:16:18,550 I can't get access to my Bitcoin. 338 00:16:18,550 --> 00:16:20,302 I can't get access to my phone. 339 00:16:20,302 --> 00:16:21,470 I actually go 340 00:16:21,470 --> 00:16:22,971 into another application I have 341 00:16:22,971 --> 00:16:24,306 which draws all the data 342 00:16:24,306 --> 00:16:26,266 from the three applications into one interface 343 00:16:26,266 --> 00:16:28,560 so I can see what I have out there. 344 00:16:28,560 --> 00:16:31,522 I was seeing transfers of Bitcoin out of my account 345 00:16:31,522 --> 00:16:33,273 to some other account that I had no idea, 346 00:16:33,273 --> 00:16:35,901 and it was happening‐‐certainly not under my control, 347 00:16:35,901 --> 00:16:37,486 but it was just happening. 348 00:16:37,486 --> 00:16:39,988 And they were happening up to my maximum limits per day 349 00:16:39,988 --> 00:16:41,532 for each one of these accounts. 350 00:16:41,532 --> 00:16:44,243 ♪ ♪ 351 00:16:44,243 --> 00:16:47,496 Imagine you lost your calendar, 352 00:16:47,496 --> 00:16:50,040 you lost your contacts, 353 00:16:50,040 --> 00:16:53,377 you lost all your email history, 354 00:16:53,377 --> 00:16:56,421 you lost all your kids' photos, 355 00:16:56,421 --> 00:16:59,675 all your videos you've ever taken. 356 00:16:59,675 --> 00:17:04,138 Imagine if you kind of lost all your life up to today. 357 00:17:04,138 --> 00:17:06,014 And that's what it felt like. 
358 00:17:09,393 --> 00:17:12,146 ‐ Graham turns out to be responsible 359 00:17:12,146 --> 00:17:14,648 for the theft of Bitcoin from Gregg, 360 00:17:14,648 --> 00:17:18,152 and he gets close to $1 million from this attack. 361 00:17:18,152 --> 00:17:20,946 ♪ ♪ 362 00:17:20,946 --> 00:17:22,739 ALLISON: When people succeed 363 00:17:22,739 --> 00:17:24,533 at performing some kind of theft, 364 00:17:24,533 --> 00:17:26,827 they're usually gonna celebrate that, right? 365 00:17:26,827 --> 00:17:28,454 So a lot of SIM swap culture 366 00:17:28,454 --> 00:17:30,414 has revolved around glorifying people 367 00:17:30,414 --> 00:17:33,167 that are successful at committing fraud and theft. 368 00:17:33,167 --> 00:17:35,461 [upbeat music] 369 00:17:35,461 --> 00:17:39,673 We have seen videos, music videos, rap music... 370 00:17:39,673 --> 00:17:42,092 [rap music playing] 371 00:17:44,845 --> 00:17:46,013 ‐ They'll give shout‐outs to their friends. 372 00:17:46,013 --> 00:17:47,598 They'll diss their enemies. 373 00:17:47,598 --> 00:17:49,099 PERSON: Shout out to all the SIM swappers out there, 374 00:17:49,099 --> 00:17:50,809 all the people that scam [indistinct] to buy cocaine. 375 00:17:50,809 --> 00:17:52,728 ‐ But they'll also brag about their accomplishments, 376 00:17:52,728 --> 00:17:54,188 and that's a huge part of it. 377 00:17:54,188 --> 00:17:55,689 [rap music playing] 378 00:17:57,524 --> 00:18:00,819 ‐ They'll talk about how good they are at SIM swapping. 379 00:18:04,448 --> 00:18:07,743 ‐ What all the girls think about them, always positive. 380 00:18:15,167 --> 00:18:19,421 ‐ You see these chat logs where they're talking about, like, 381 00:18:19,421 --> 00:18:22,424 "What do I do with this money? I don't even know how to drive. 382 00:18:22,424 --> 00:18:23,634 "I can't buy a car, 383 00:18:23,634 --> 00:18:25,969 so I bought a car for my uncle." 
384 00:18:25,969 --> 00:18:27,596 ALLISON: We see them in the nightclub 385 00:18:27,596 --> 00:18:29,681 standing in a circle with Rolexes on their wrists, 386 00:18:29,681 --> 00:18:32,100 and they'll dump bottles of Dom Perignon champagne 387 00:18:32,100 --> 00:18:34,728 onto their Rolexes, onto the floor. 388 00:18:34,728 --> 00:18:36,313 It's just crazy. 389 00:18:42,986 --> 00:18:44,238 NATHANIEL: In the days 390 00:18:44,238 --> 00:18:45,489 following the Gregg Bennett hack, 391 00:18:45,489 --> 00:18:48,408 the hackers started emailing Gregg 392 00:18:48,408 --> 00:18:52,246 from his own email address, which they had control of, 393 00:18:52,246 --> 00:18:54,706 demanding that he hand over the rest of the Bitcoin 394 00:18:54,706 --> 00:18:56,291 that they knew he had. 395 00:18:56,291 --> 00:18:58,502 ‐ "If you want any of your accounts back at all 396 00:18:58,502 --> 00:19:02,089 "and no issues, we are requesting 50 Bitcoin. 397 00:19:02,089 --> 00:19:04,299 "Let's get this resolved smoothly. 398 00:19:04,299 --> 00:19:06,051 "Therefore, we don't have to bring up any more issues 399 00:19:06,051 --> 00:19:09,513 to your work, friends, family, or accounts." 400 00:19:10,305 --> 00:19:11,640 NATHANIEL: But in addition 401 00:19:11,640 --> 00:19:14,643 to making these ransom demands of Gregg, 402 00:19:14,643 --> 00:19:15,852 you also start to see 403 00:19:15,852 --> 00:19:17,729 the hackers arguing between each other. 404 00:19:17,729 --> 00:19:19,856 [tense electronic music] 405 00:19:25,320 --> 00:19:28,198 NATHANIEL: You see his fellow hackers 406 00:19:28,198 --> 00:19:30,117 threatening Graham and saying 407 00:19:30,117 --> 00:19:33,453 that if he doesn't share these criminal proceeds, 408 00:19:33,453 --> 00:19:36,331 they're gonna reveal who he is and the role 409 00:19:36,331 --> 00:19:38,125 that he played in this crime. 
410 00:19:38,125 --> 00:19:41,378 [somber music] 411 00:19:51,305 --> 00:19:57,561 ♪ ♪ 412 00:20:10,282 --> 00:20:12,159 ♪ ♪ 413 00:20:35,974 --> 00:20:38,101 ALLISON: A lot of the things that we've been seeing 414 00:20:38,101 --> 00:20:40,354 when we look at this activity online‐‐ 415 00:20:40,354 --> 00:20:44,983 there's a lot of parallels to violent youth street gangs. 416 00:20:44,983 --> 00:20:48,153 [somber music] 417 00:20:48,153 --> 00:20:51,907 ♪ ♪ 418 00:20:51,907 --> 00:20:55,869 ‐ We do hear from people that Graham may have had 419 00:20:55,869 --> 00:20:59,539 some involvement in drugs, in some way. 420 00:20:59,539 --> 00:21:06,088 ♪ ♪ 421 00:21:07,464 --> 00:21:12,177 And then around winter break is when things start to take 422 00:21:12,177 --> 00:21:14,763 a really serious turn for Graham. 423 00:21:14,763 --> 00:21:17,349 REPORTER: Tonight, a home invasion is turning deadly. 424 00:21:17,349 --> 00:21:19,059 We have a lot more information about this. 425 00:21:19,059 --> 00:21:20,060 Here's what we know. 426 00:21:20,060 --> 00:21:21,687 ‐ He's involved in a shooting 427 00:21:21,687 --> 00:21:24,022 in which one of his friends ended up dead. 428 00:21:24,022 --> 00:21:25,816 ‐ Four Bay Area teenagers were involved in this. 429 00:21:25,816 --> 00:21:26,983 One of them is dead. 430 00:21:26,983 --> 00:21:29,444 Another one is in critical condition. 431 00:21:29,444 --> 00:21:30,987 KATE: We know from the police file 432 00:21:30,987 --> 00:21:32,781 that one of the other kids 433 00:21:32,781 --> 00:21:36,118 claimed Graham had essentially set them up. 434 00:21:36,118 --> 00:21:39,413 He went with them to the house of another drug dealer 435 00:21:39,413 --> 00:21:43,875 with a gun and then took off when he heard the shots. 436 00:21:43,875 --> 00:21:46,169 ♪ ♪ 437 00:21:46,169 --> 00:21:47,838 In his interview with police, 438 00:21:47,838 --> 00:21:51,383 Graham later denies knowing anything about the robbery. 
439 00:21:51,383 --> 00:21:55,345 INTERVIEWER: You say, "I don't know anything about it." 440 00:21:55,345 --> 00:21:56,722 GRAHAM: I'm not aware. 441 00:21:56,722 --> 00:21:57,889 That's why I gave them the money. 442 00:21:57,889 --> 00:21:59,725 If they were gonna go rob someone, 443 00:21:59,725 --> 00:22:01,768 why would I give them money? 444 00:22:01,768 --> 00:22:04,229 HARMON: Is that believable? GRAHAM: What's believable? 445 00:22:04,229 --> 00:22:05,772 ‐ What you're telling us. 446 00:22:05,772 --> 00:22:08,900 GRAHAM: I counted 5,500. I gave it to him. 447 00:22:08,900 --> 00:22:12,279 They walk, and they go do the thing. 448 00:22:12,279 --> 00:22:14,364 So what makes you think I know 449 00:22:14,364 --> 00:22:17,159 that they're gonna go rob someone? 450 00:22:17,159 --> 00:22:18,952 ‐ In his interviews with law enforcement, 451 00:22:18,952 --> 00:22:20,746 Graham comes off as somebody 452 00:22:20,746 --> 00:22:23,123 who thinks he's the smartest person in the room. 453 00:22:23,123 --> 00:22:30,172 ♪ ♪ 454 00:22:31,673 --> 00:22:34,092 There was conflicting evidence all over the place 455 00:22:34,092 --> 00:22:35,802 about what Graham's role was. 456 00:22:35,802 --> 00:22:37,304 At the end of the investigation, 457 00:22:37,304 --> 00:22:40,474 the only thing we knew for sure is that he was outside, 458 00:22:40,474 --> 00:22:42,309 in the car, when the shooting happened 459 00:22:42,309 --> 00:22:44,436 and that he knew the people involved. 460 00:22:44,436 --> 00:22:46,438 But that's not nearly enough 461 00:22:46,438 --> 00:22:48,231 to be able to charge him with a crime. 
462 00:22:48,231 --> 00:22:54,446 ♪ ♪ 463 00:22:54,446 --> 00:22:56,907 ‐ After the shooting, the principal put out 464 00:22:56,907 --> 00:22:58,575 an announcement to the school community 465 00:22:58,575 --> 00:23:00,702 saying that the students who were involved 466 00:23:00,702 --> 00:23:02,788 would not be welcomed back, 467 00:23:02,788 --> 00:23:04,623 and so that was the end 468 00:23:04,623 --> 00:23:07,375 of Graham going to high school. 469 00:23:07,375 --> 00:23:10,212 NATHANIEL: He moved out of his mom's house, 470 00:23:10,212 --> 00:23:11,755 got his own apartment. 471 00:23:11,755 --> 00:23:13,924 KATE: And it seems like it was 472 00:23:13,924 --> 00:23:16,343 a moment of rupture in his life. 473 00:23:16,343 --> 00:23:20,347 ♪ ♪ 474 00:23:36,238 --> 00:23:38,573 NATHANIEL: He was visited at home by agents 475 00:23:38,573 --> 00:23:41,785 working with this task force in California 476 00:23:41,785 --> 00:23:45,664 who knew that he had been involved in these SIM swaps. 477 00:23:58,718 --> 00:24:02,973 ‐ One of the remarkable things about this interaction 478 00:24:02,973 --> 00:24:04,474 with law enforcement 479 00:24:04,474 --> 00:24:09,187 was that they forced Graham to give up 100 Bitcoins, 480 00:24:09,187 --> 00:24:11,940 but they allowed him to keep another 300 Bitcoins. 481 00:24:11,940 --> 00:24:14,818 And in addition to letting him keep the money, 482 00:24:14,818 --> 00:24:16,069 they let him go free. 483 00:24:33,670 --> 00:24:35,338 ‐ Our office spoke with the prosecutors 484 00:24:35,338 --> 00:24:36,631 in California 485 00:24:36,631 --> 00:24:40,343 about the decision to have him pay restitution 486 00:24:40,343 --> 00:24:43,638 and basically not to criminally charge him as an adult. 487 00:24:43,638 --> 00:24:45,223 But again, we weren't the‐‐ 488 00:24:45,223 --> 00:24:47,434 in the driver's seat of that prosecution. 
489 00:24:49,227 --> 00:24:51,438 NATHANIEL: We reached out to the prosecutor in California, 490 00:24:51,438 --> 00:24:54,357 and they basically said that they couldn't comment 491 00:24:54,357 --> 00:24:56,401 on a case involving minors. 492 00:24:56,401 --> 00:24:57,944 ALLISON: There's a lot of legal barriers 493 00:24:57,944 --> 00:25:00,614 to issuing criminal charges against a minor. 494 00:25:00,614 --> 00:25:02,198 For example, at the federal level, 495 00:25:02,198 --> 00:25:04,159 there is no federal juvenile system, 496 00:25:04,159 --> 00:25:06,328 so they're generally not willing to charge minors 497 00:25:06,328 --> 00:25:07,787 for anything federal. 498 00:25:07,787 --> 00:25:09,247 ANDREW WARREN: The law may need to be changed 499 00:25:09,247 --> 00:25:11,082 to allow the federal system 500 00:25:11,082 --> 00:25:15,045 to catch up with the reality that you have younger kids 501 00:25:15,045 --> 00:25:18,381 getting involved in online scams, 502 00:25:18,381 --> 00:25:22,469 crypto scams, that really merit more serious prosecution 503 00:25:22,469 --> 00:25:23,762 and punishment, 504 00:25:23,762 --> 00:25:26,640 which federal law doesn't currently allow. 505 00:25:26,640 --> 00:25:29,643 [electronic music] 506 00:25:50,455 --> 00:25:54,793 ‐ But I think maybe the lesson to Graham was, 507 00:25:54,793 --> 00:25:58,713 "I can steal a million dollars, and they'll let me go." 508 00:26:00,131 --> 00:26:01,383 Because a few weeks 509 00:26:01,383 --> 00:26:03,385 after dealing with federal authorities 510 00:26:03,385 --> 00:26:05,929 and giving up $1 million, 511 00:26:05,929 --> 00:26:08,348 he takes the first steps into this Twitter hack. 512 00:26:16,898 --> 00:26:19,901 [suspenseful music] 513 00:26:19,901 --> 00:26:22,988 ♪ ♪ 514 00:26:22,988 --> 00:26:24,322 HOLT: Just breaking. 515 00:26:24,322 --> 00:26:26,282 Twitter says it's investigating 516 00:26:26,282 --> 00:26:29,077 the apparent hacking of many high‐profile users. 
517 00:26:29,077 --> 00:26:30,370 ‐ On the day of the hacks, 518 00:26:30,370 --> 00:26:32,330 we're still trying to figure this out. 519 00:26:32,330 --> 00:26:36,459 And in the midst of this, I get this really interesting tip 520 00:26:36,459 --> 00:26:40,005 that somebody had sent out a tweet that suggested 521 00:26:40,005 --> 00:26:43,508 that they knew something about what had happened. 522 00:26:43,508 --> 00:26:45,093 I looked at the tweet, and it appeared to be, 523 00:26:45,093 --> 00:26:47,345 like, a cell phone executive of some sort. 524 00:26:48,430 --> 00:26:51,850 HASEEB: I'm Haseeb Awan, and I'm CEO of Efani. 525 00:26:51,850 --> 00:26:53,685 We protect high net worth individuals 526 00:26:53,685 --> 00:26:56,187 and important people's cell phones. 527 00:26:56,187 --> 00:26:57,772 Do we have Wi‐Fi here, by any chance? 528 00:26:57,772 --> 00:27:04,738 ♪ ♪ 529 00:27:09,409 --> 00:27:12,078 I got a message from one of my contacts. 530 00:27:12,078 --> 00:27:13,788 "Twitter will be fun today." 531 00:27:15,206 --> 00:27:18,752 But I don't know what he means by that, so I ask my contact, 532 00:27:18,752 --> 00:27:22,630 "Hey, what's happening?" Says that, "We got Twitter. 533 00:27:22,630 --> 00:27:26,384 Right now, we have access to every Twitter handle." 534 00:27:26,384 --> 00:27:30,555 So I said, "Man, you got to be kidding me." 535 00:27:30,555 --> 00:27:33,183 So he sent me a screenshot of that. 536 00:27:33,183 --> 00:27:35,852 "Buy any account for $2,000, 537 00:27:35,852 --> 00:27:38,354 "and I'll give you their username and password. 538 00:27:38,354 --> 00:27:39,898 I'll give you access to their account." 539 00:27:39,898 --> 00:27:42,275 So I was kind of‐‐ I won't say panicked, 540 00:27:42,275 --> 00:27:45,528 but I was kind of like, you know, concerned. 541 00:27:45,528 --> 00:27:49,532 So I got the listing, and I posted it on Twitter. 542 00:27:49,532 --> 00:27:51,993 And I think, after ten minutes, I get a direct message. 
543 00:27:53,369 --> 00:27:55,872 "Hey, can you please remove this listing? 544 00:27:55,872 --> 00:27:58,500 I don't want to get in trouble." 545 00:27:58,500 --> 00:28:00,543 I said, "Who are you?" 546 00:28:00,543 --> 00:28:04,839 He said, "I am the one who did it. 547 00:28:04,839 --> 00:28:06,424 "I had no involvement in the hacks, 548 00:28:06,424 --> 00:28:09,010 and it's freaking me out. You know what I did‐‐" 549 00:28:09,010 --> 00:28:10,553 he was just trying to prove that, 550 00:28:10,553 --> 00:28:12,388 "Hey, I'm just a middleman. I actually didn't do anything." 551 00:28:12,388 --> 00:28:14,182 Gave me his real name, 552 00:28:14,182 --> 00:28:17,936 and he genuinely asked me for help, 553 00:28:17,936 --> 00:28:20,814 and he wanted his story out there. 554 00:28:20,814 --> 00:28:22,690 So I said, "The only way for you to come out clean 555 00:28:22,690 --> 00:28:24,609 is by telling your story." 556 00:28:24,609 --> 00:28:26,694 So this was my suggestion‐‐ talk to a journalist, 557 00:28:26,694 --> 00:28:28,613 'cause I thought he would be arrested 558 00:28:28,613 --> 00:28:31,783 within the next 24 hours or 48 hours. 559 00:28:33,117 --> 00:28:35,495 NATHANIEL: And so Haseeb connected me with this kid 560 00:28:35,495 --> 00:28:37,413 whose name was Mason. 561 00:28:37,413 --> 00:28:44,462 ♪ ♪ 562 00:28:45,004 --> 00:28:48,007 Mason, a kid living in south of England, 563 00:28:48,007 --> 00:28:51,386 and he is very nervous. 564 00:28:51,386 --> 00:28:53,847 And he explained to me very quickly 565 00:28:53,847 --> 00:28:57,058 that he wasn't the guy at the very center of this. 566 00:28:57,058 --> 00:28:59,978 He had been the one selling some of these addresses, 567 00:28:59,978 --> 00:29:04,440 but he hadn't been the guy inside of Twitter's systems. 568 00:29:04,440 --> 00:29:07,402 ‐ He says that there's this guy named Kirk 569 00:29:07,402 --> 00:29:09,737 who is behind the hack, 570 00:29:09,737 --> 00:29:11,447 and he's a Twitter employee. 
571 00:29:11,447 --> 00:29:18,454 ♪ ♪ 572 00:29:24,836 --> 00:29:28,590 NATHANIEL: And the night before the attack, Kirk asked, 573 00:29:28,590 --> 00:29:30,300 "Do you wanna work with me? Do you wanna help 574 00:29:30,300 --> 00:29:32,010 sell Twitter addresses?" 575 00:29:32,010 --> 00:29:39,017 ♪ ♪ 576 00:29:39,017 --> 00:29:41,185 And Mason, at first, 577 00:29:41,185 --> 00:29:43,104 I think, like everybody else in this story, 578 00:29:43,104 --> 00:29:45,356 didn't believe it. 579 00:29:45,356 --> 00:29:47,817 So his way of testing this was to ask 580 00:29:47,817 --> 00:29:50,194 for one of these valuable Twitter handles 581 00:29:50,194 --> 00:29:54,324 that had one letter or one name, like "anxious." 582 00:29:54,324 --> 00:29:58,953 ♪ ♪ 583 00:29:58,953 --> 00:30:02,290 And Kirk gives him access 584 00:30:02,290 --> 00:30:05,585 to the handle on Twitter @anxious. 585 00:30:05,585 --> 00:30:10,340 So Mason realizes, "This guy's for real. 586 00:30:10,340 --> 00:30:12,300 "We have a real Twitter rep here. 587 00:30:12,300 --> 00:30:14,969 We really have somebody who's on the inside of Twitter." 588 00:30:14,969 --> 00:30:17,013 [uneasy music] 589 00:30:17,013 --> 00:30:19,223 So Mason put out an ad and said, 590 00:30:19,223 --> 00:30:23,561 "We can get you any Twitter handle you want." 591 00:30:23,561 --> 00:30:25,897 In this community, this is like, you know, 592 00:30:25,897 --> 00:30:27,899 magical fairyland access. 593 00:30:27,899 --> 00:30:30,652 ♪ ♪ 594 00:30:30,652 --> 00:30:32,695 KATE: And so we start seeing, you know, 595 00:30:32,695 --> 00:30:36,157 before Joe Biden, before Elon Musk, 596 00:30:36,157 --> 00:30:39,577 all these lesser‐known accounts 597 00:30:39,577 --> 00:30:42,705 being taken over and being sold on OGUsers. 
598 00:30:42,705 --> 00:30:44,958 ♪ ♪ 599 00:30:44,958 --> 00:30:48,211 ‐ Right around 12:30 California time‐‐ 600 00:30:48,211 --> 00:30:50,088 Mason's in the UK‐‐ 601 00:30:50,088 --> 00:30:52,256 essentially, right before 602 00:30:52,256 --> 00:30:54,634 the fireworks started to happen, 603 00:30:54,634 --> 00:30:56,886 he showed me these chats with his girlfriend 604 00:30:56,886 --> 00:31:00,848 where you can see him going to sleep 605 00:31:00,848 --> 00:31:04,102 and then waking up in the middle of the night. 606 00:31:04,102 --> 00:31:07,605 And he suddenly looks on his computer again. 607 00:31:07,605 --> 00:31:09,649 ‐ Breaking news tonight on what appears to be 608 00:31:09,649 --> 00:31:11,484 a major security breach at Twitter. 609 00:31:11,484 --> 00:31:13,111 ‐ It seemed to target high‐profile users 610 00:31:13,111 --> 00:31:15,154 with millions of followers. 611 00:31:15,154 --> 00:31:16,781 ‐ Kanye West. ‐ Barack Obama. 612 00:31:16,781 --> 00:31:18,866 ‐ Jeff Bezos. Bill Gates. Elon Musk. 613 00:31:18,866 --> 00:31:22,787 ‐ Apple as well as Uber. NATHANIEL: And basically says, 614 00:31:22,787 --> 00:31:24,664 "What happened while I was asleep?" 615 00:31:24,664 --> 00:31:28,376 ♪ ♪ 616 00:31:28,376 --> 00:31:31,295 Realizing that this thing had become 617 00:31:31,295 --> 00:31:33,631 much bigger than he could have ever comprehended. 618 00:31:33,631 --> 00:31:39,846 ♪ ♪ 619 00:31:39,846 --> 00:31:41,806 From the moment I started talking to him, 620 00:31:41,806 --> 00:31:46,436 he clearly thought that what he had done was not that bad. 621 00:31:47,270 --> 00:31:49,522 And at the same time, it's hard to imagine 622 00:31:49,522 --> 00:31:53,276 that he didn't understand 623 00:31:53,276 --> 00:31:54,944 just how problematic it was gonna be 624 00:31:54,944 --> 00:31:57,363 to be involved in this crime in any way. 
625 00:32:05,371 --> 00:32:07,331 KATE: So a few days after the hack, 626 00:32:07,331 --> 00:32:08,833 we published this story 627 00:32:08,833 --> 00:32:12,295 that talked about how it had all begun with OGUsers 628 00:32:12,295 --> 00:32:16,132 and the sale of usernames. 629 00:32:16,132 --> 00:32:22,805 And there were still some things we didn't know. 630 00:32:22,805 --> 00:32:26,225 NATHANIEL: The big question is, who is Kirk, 631 00:32:26,225 --> 00:32:29,729 and how did he get access to Twitter's systems? 632 00:32:29,729 --> 00:32:32,690 [desolate music] 633 00:32:32,690 --> 00:32:34,275 ♪ ♪ 634 00:32:34,275 --> 00:32:37,028 NATHANIEL: It was literally just days after Graham 635 00:32:37,028 --> 00:32:39,489 had made this agreement with authorities 636 00:32:39,489 --> 00:32:41,783 to return the Bitcoin he'd stolen 637 00:32:41,783 --> 00:32:45,161 when he fell in with another kid 638 00:32:45,161 --> 00:32:49,499 who's 15 or 16 years old. He's younger than Graham, 639 00:32:49,499 --> 00:32:53,211 and yet there's something much more sophisticated about him. 640 00:32:53,211 --> 00:32:54,921 ‐ And they start working together. 641 00:32:54,921 --> 00:32:57,924 [suspenseful music] 642 00:32:57,924 --> 00:33:04,138 ♪ ♪ 643 00:33:04,138 --> 00:33:07,892 Prior to this date, he was involved in the GoDaddy hack. 644 00:33:07,892 --> 00:33:09,519 NATHANIEL: I mean, he was 15. 645 00:33:09,519 --> 00:33:12,105 He's two years younger than Graham, 646 00:33:12,105 --> 00:33:14,857 and yet much more sophisticated. 647 00:33:14,857 --> 00:33:16,359 ‐ And they took those skills, 648 00:33:16,359 --> 00:33:18,611 and they pivoted to a new target. 649 00:33:18,611 --> 00:33:20,279 REPORTER: For millions, the reality 650 00:33:20,279 --> 00:33:22,532 of working from home could be permanent. 
651 00:33:22,532 --> 00:33:25,201 Twitter CEO Jack Dorsey telling his employees 652 00:33:25,201 --> 00:33:27,120 they can work remotely forever, 653 00:33:27,120 --> 00:33:28,621 from anywhere. 654 00:33:28,621 --> 00:33:32,416 ‐ Because every Twitter employee was working from home, 655 00:33:32,416 --> 00:33:36,295 they all had to use these remote systems. 656 00:33:36,295 --> 00:33:39,715 They put together a list of everybody they could find, 657 00:33:39,715 --> 00:33:41,843 and Graham and this other kid 658 00:33:41,843 --> 00:33:43,970 would call up Twitter employees 659 00:33:43,970 --> 00:33:47,807 and pretend to be some sort of IT worker at Twitter 660 00:33:47,807 --> 00:33:50,935 who, you know, needed to help them with some problem. 661 00:33:50,935 --> 00:33:52,812 ‐ This requires a lot 662 00:33:52,812 --> 00:33:54,897 of the same social engineering skills 663 00:33:54,897 --> 00:33:56,399 that SIM swapping does. 664 00:33:56,399 --> 00:33:58,609 It's really more about being able 665 00:33:58,609 --> 00:34:00,695 to be convincing on the phone and say, 666 00:34:00,695 --> 00:34:03,156 "I work in the IT department at Twitter. 667 00:34:03,156 --> 00:34:04,949 "You're having issues with your account, 668 00:34:04,949 --> 00:34:06,951 and I need you to log in to this portal for me." 669 00:34:06,951 --> 00:34:09,162 And they would send them a phishing web page. 670 00:34:09,162 --> 00:34:11,998 The employee would put in their username and password, 671 00:34:11,998 --> 00:34:14,834 and that would be stolen. 
672 00:34:14,834 --> 00:34:17,712 And so they were able to start piecing together 673 00:34:17,712 --> 00:34:20,339 which employees had the access 674 00:34:20,339 --> 00:34:22,758 that they needed to take over accounts 675 00:34:22,758 --> 00:34:24,969 and then start going after those employees, 676 00:34:24,969 --> 00:34:26,721 trying to get their credentials 677 00:34:26,721 --> 00:34:28,890 and finally building this up to a point 678 00:34:28,890 --> 00:34:31,809 where they could take control over Twitter's systems. 679 00:34:31,809 --> 00:34:35,229 [serene music] 680 00:34:35,229 --> 00:34:37,315 ALLISON: Once they have an employee's information 681 00:34:37,315 --> 00:34:39,150 and they can log in to the corporate network 682 00:34:39,150 --> 00:34:41,110 as the employee, 683 00:34:41,110 --> 00:34:45,364 they've essentially reached God mode on Twitter. 684 00:34:45,364 --> 00:34:47,700 [suspenseful music] 685 00:34:47,700 --> 00:34:50,786 They could alter and look up any account they want. 686 00:34:50,786 --> 00:34:53,122 ♪ ♪ 687 00:34:53,122 --> 00:34:55,208 They could take over any account they want 688 00:34:55,208 --> 00:34:58,127 with just a click of a button. 689 00:34:58,127 --> 00:35:00,338 NATHANIEL: And the fact that a couple of teenagers 690 00:35:00,338 --> 00:35:01,589 could do this 691 00:35:01,589 --> 00:35:05,051 is‐‐is sort of mind‐boggling. 692 00:35:05,051 --> 00:35:06,677 [sly music] 693 00:35:06,677 --> 00:35:09,889 ALLISON: So what they did at first was, they took over 694 00:35:09,889 --> 00:35:11,849 the single‐letter username accounts, 695 00:35:11,849 --> 00:35:14,852 because those are the most valuable OG accounts, 696 00:35:14,852 --> 00:35:16,521 and they sold them 697 00:35:16,521 --> 00:35:18,231 to some of the people in the community... 698 00:35:18,231 --> 00:35:22,235 ‐ With the username Kirk. 
699 00:35:22,235 --> 00:35:23,986 ‐ But the people in the community 700 00:35:23,986 --> 00:35:26,489 caught on that there was a compromise at Twitter. 701 00:35:26,489 --> 00:35:28,741 Warnings went out to the community 702 00:35:28,741 --> 00:35:30,409 not to purchase these accounts, 703 00:35:30,409 --> 00:35:32,411 and the attackers 704 00:35:32,411 --> 00:35:34,664 were no longer able to sell OG usernames. 705 00:35:34,664 --> 00:35:37,667 [serene music] 706 00:35:37,667 --> 00:35:42,046 So what do you do at that point? 707 00:35:42,046 --> 00:35:44,257 NATHANIEL: What do you do once you have access 708 00:35:44,257 --> 00:35:46,717 to the most powerful, 709 00:35:46,717 --> 00:35:50,263 widely‐watched news platform in the world? 710 00:35:50,263 --> 00:35:54,225 ♪ ♪ 711 00:35:54,225 --> 00:35:58,354 HASEEB: Oh, man, they could have launched a nuclear war. 712 00:35:58,354 --> 00:35:59,814 Not exactly, but think about‐‐like, 713 00:35:59,814 --> 00:36:02,942 they could have destroyed the economy. 714 00:36:02,942 --> 00:36:04,527 NATHANIEL: They could have killed Apple stock, 715 00:36:04,527 --> 00:36:09,073 and made a bet on it, and made millions of dollars. 716 00:36:18,708 --> 00:36:21,669 HASEEB: Like, think of it happening two days 717 00:36:21,669 --> 00:36:23,796 before the elections. 718 00:36:23,796 --> 00:36:28,259 I think we got lucky here. 719 00:36:28,259 --> 00:36:30,219 ALLISON: Out of all the things that you could possibly do 720 00:36:30,219 --> 00:36:32,597 against the Twitter platform, 721 00:36:32,597 --> 00:36:35,891 they did simple Bitcoin scams. 722 00:36:35,891 --> 00:36:38,894 [uneasy music] 723 00:36:44,984 --> 00:36:51,991 ♪ ♪ 724 00:36:51,991 --> 00:36:53,326 KATE: Two weeks later, 725 00:36:53,326 --> 00:36:56,078 law enforcement made arrests in this case. 
726 00:36:57,830 --> 00:37:00,166 ANDREW WARREN: Anytime we see any type of criminal 727 00:37:00,166 --> 00:37:02,501 involved in multiple activities, 728 00:37:02,501 --> 00:37:04,211 you always look back to see, 729 00:37:04,211 --> 00:37:07,214 "Should we have known more at the time?" 730 00:37:07,214 --> 00:37:10,885 But we have to rely on the investigations we have. 731 00:37:10,885 --> 00:37:13,596 And here, we were able to now hold him responsible 732 00:37:13,596 --> 00:37:17,933 for a crime that we can prove he committed. 733 00:37:17,933 --> 00:37:19,769 JUDGE: First one up on the docket this morning. 734 00:37:19,769 --> 00:37:23,814 Graham Ivan Clark. Case 20CF8794‐‐ 735 00:37:23,814 --> 00:37:25,274 KATE: A couple days after his arrest, 736 00:37:25,274 --> 00:37:27,777 Graham's attorney is meeting with the judge 737 00:37:27,777 --> 00:37:29,278 and some of the attorneys in the case, 738 00:37:29,278 --> 00:37:31,030 all on a Zoom call. 739 00:37:31,030 --> 00:37:32,531 ‐ Darrell Dirks for the State of Florida, Your Honor. 740 00:37:32,531 --> 00:37:33,658 Good morning. 741 00:37:33,658 --> 00:37:35,284 ‐ David Weisbrod, for Mr. Clark. 742 00:37:35,284 --> 00:37:37,203 ‐ All right. Good morning to you both. 743 00:37:37,203 --> 00:37:38,412 Mr. Weisbrod‐‐ 744 00:37:38,412 --> 00:37:42,249 ‐ Mr. Mike Oxmaul representing this. 745 00:37:43,709 --> 00:37:46,087 KATE: But a number of Graham's friends 746 00:37:46,087 --> 00:37:49,256 and acquaintances from his online life 747 00:37:49,256 --> 00:37:53,552 signed up for the Zoom call, posing as media outlets. 748 00:37:53,552 --> 00:37:56,180 "MIKE": I was just wondering if you were gonna, like, 749 00:37:56,180 --> 00:37:59,100 take updog into consideration in the Graham case. 750 00:37:59,100 --> 00:38:01,977 ‐ Sorry, I'm‐‐I'm removing people as quickly as I can. 751 00:38:01,977 --> 00:38:03,479 ‐ All of them started screaming. 
752 00:38:03,479 --> 00:38:05,690 [screaming and wheezing] 753 00:38:05,690 --> 00:38:08,109 [music playing] 754 00:38:08,109 --> 00:38:10,486 At a certain point, someone took over the screen 755 00:38:10,486 --> 00:38:13,864 and started playing a clip of pornography. 756 00:38:13,864 --> 00:38:17,535 ‐ As was pointed out to the duty judge, why‐‐why‐‐ 757 00:38:18,035 --> 00:38:19,704 JUDGE: All right. 758 00:38:19,704 --> 00:38:21,455 We're gonna‐‐we're just gonna‐‐I'm gonna end this call. 759 00:38:21,455 --> 00:38:25,918 ‐ Oh, my God! 760 00:38:25,918 --> 00:38:28,879 ‐ There's this element of humor 761 00:38:28,879 --> 00:38:30,673 that is undercutting all of this. 762 00:38:31,424 --> 00:38:34,969 And when we look at online crime, a lot of it 763 00:38:34,969 --> 00:38:37,346 is criminals who are juveniles, 764 00:38:37,346 --> 00:38:40,266 and you want to give them second chances. 765 00:38:40,266 --> 00:38:42,059 You want to give them more opportunities, 766 00:38:42,059 --> 00:38:46,105 but these crimes are serious. 767 00:38:46,105 --> 00:38:47,648 ALLISON: These attacks on the foundations 768 00:38:47,648 --> 00:38:50,067 of the Internet‐‐I really can't overstate 769 00:38:50,067 --> 00:38:51,652 how important this is, 770 00:38:51,652 --> 00:38:54,405 and I can't overstate the gravity of the situation, 771 00:38:54,405 --> 00:38:56,157 because our entire economy 772 00:38:56,157 --> 00:38:59,285 and businesses‐‐they're all built on this foundation. 773 00:38:59,285 --> 00:39:01,954 And it turns out that we've built our economy 774 00:39:01,954 --> 00:39:03,914 on a foundation of sand. 
775 00:39:03,914 --> 00:39:05,416 [foreboding electronic music] 776 00:39:05,416 --> 00:39:07,668 NATHANIEL: These online services that have, like, 777 00:39:07,668 --> 00:39:09,587 come to occupy this central role 778 00:39:09,587 --> 00:39:13,841 in our culture and politics‐‐their security 779 00:39:13,841 --> 00:39:16,677 has not been tested in any of the ways 780 00:39:16,677 --> 00:39:20,806 that the other crucial systems that our society relies on 781 00:39:20,806 --> 00:39:24,226 are forced to be double‐ and triple‐checked. 782 00:39:24,226 --> 00:39:26,687 ‐ "Once you've sent, please respond to this email, 783 00:39:26,687 --> 00:39:28,022 and we'll get everything fixed." 784 00:39:28,022 --> 00:39:29,690 HASEEB: For us and you, they are just like, 785 00:39:29,690 --> 00:39:32,735 "It's just a video game." 786 00:39:32,735 --> 00:39:34,069 You know, you are a video game, 787 00:39:34,069 --> 00:39:36,655 and you're killing people, and that's all. 788 00:39:36,655 --> 00:39:38,991 For it‐‐it doesn't matter to them. 789 00:39:57,802 --> 00:40:00,221 GRAHAM: Just since I was a kid, I've always been‐‐ 790 00:40:00,221 --> 00:40:01,972 like, since I was, like, ten years old, 791 00:40:01,972 --> 00:40:03,808 I just always was into money. 792 00:40:03,808 --> 00:40:05,768 So I've always started making money. 793 00:40:06,310 --> 00:40:08,270 I got into social media. 794 00:40:08,270 --> 00:40:11,065 I made, like, a few hundred thousand dollars. 795 00:40:11,065 --> 00:40:12,775 And then I started getting into, like, 796 00:40:12,775 --> 00:40:15,694 cryptocurrency and trading, and then it got into millions. 797 00:40:16,612 --> 00:40:20,533 But I didn't plan on none of that. 798 00:40:22,493 --> 00:40:25,496 [suspenseful music] 799 00:40:25,496 --> 00:40:32,545 ♪ ♪