Joseph James O’Connor, aka “PlugwalkJoke”, pleaded guilty to multiple cybercrime offenses including SIM card swapping attacks, cyberstalking, hacking and hijacking prominent accounts on Twitter and TikTok.
O’Connor, a British citizen, was eventually extradited to the United States from Spain on April 26, 2023, and the court for the Southern District of New York is now handling the case.
A long series of attacks
Court documents indicate that O’Connor and his co-conspirators engaged in SIM card swapping between March 2019 and August 2020, transferring their victims’ phone numbers to SIM cards under their control.
Among the targets of these attacks were three corporate executives who held significant amounts of digital assets and whose accounts were protected by SMS-based two-factor authentication.
The attackers managed to steal $794,000 worth of cryptocurrency from the victims, bypassing 2FA protection by using a SIM card swapping attack to send unique codes to their own devices, then laundering the amounts on various Bitcoin mixers.
O’Connor admitted his role in the hack which impacted Twitter in June 2020where he and his three co-conspirators gained access to the accounts of figures such as Barack Obama, Joe Biden, Elon Musk, Bill Gates, Jeff Bezos, Warren Buffet, Binance, Apple, Uber and Bitcoin.
Some of these accounts were used to run a cryptocurrency donation scam, allowing attackers to steal around $105,000.
Hackers used social engineering to gain access to internal administrative tools used by Twitter employees, then transferred control of target accounts to unauthorized users.
In August 2020, the hacker used SIM swapping to hijack a TikTok account belonging to a public figure with millions of followers and misused it for self-promotion purposes.
The hacker further threatened the owner of the victim account to leak sensitive personal data on a Discord server.
The United States Department of Justice announcement mentions that the accused began his social media hacking spree in June 2019 by gaining unauthorized access to a Snapchat account, stealing sensitive data, and then blackmailing the owner of the account.
“O’Connor used his sophisticated technological capabilities for malicious purposes – carrying out a complex SIM card swapping attack to steal large amounts of cryptocurrency, hacking into Twitter, carrying out computer intrusions to take over social media accounts , and even cyberstalking of two victims, including a minor victim,” said U.S. Attorney Damian Williams for the Southern District of New York.
O’Connor is due June 23, 2023, and his multiple charges can carry a maximum sentence of 20 years in prison.
The defendant agreed to waive the amount of $794,012.64, which will be used to compensate the victims of his cybercrimes.