The young hacker accused of being the mastermind behind a breach last year of high-profile Twitter accounts pleaded guilty on Tuesday in a Florida court, agreeing to serve three years in juvenile prison.
Graham Ivan Clark, 18, faced fraud charges after a hack that compromised Twitter accounts belonging to Elon Musk, Jeff Bezos, former President Barack Obama and other celebrities. Under Mr. Clark’s control, the accounts tweeted fraudulent messages soliciting Bitcoin, promising to double the money of anyone who sent cryptocurrency. The scheme netted Bitcoin worth more than $100,000 before it was shut down.
Mr. Clark’s plea agreement brings some closure to one of the oddest and most alarming episodes in Twitter’s history. In an election year that had already pulled the company into the center of American politics, the breach raised questions about Twitter’s corporate security and generated speculation that state-sponsored hackers could be responsible, rather than teenagers.
The arrest of Mr. Clark also raised questions about how someone so young could penetrate the defenses of what was supposedly one of the tech industry’s most sophisticated companies. The attack took control of Twitter’s internal systems that are used to manage accounts, and forced Twitter to temporarily block verified accounts from tweeting as the company scrambled to push the hackers out of its systems.
In the aftermath, security experts said Twitter was lucky that its security weaknesses were exposed by a group engaged in a moneymaking scheme, rather than government-affiliated agents looking to steal credentials or gain access to private conversations.
Twitter declined to comment on Mr. Clark’s plea deal.
Mr. Clark grew up in Tampa and, as a child, found ways to trick players of the video game Minecraft, people who knew him at the time told The New York Times. He moved on to selling and swapping rare social media user names on the forum OGUsers, where he connected with other hackers who said they participated in the Twitter breach.
The hackers, who prosecutors said were led by Mr. Clark, initially used their access to Twitter’s internal systems to take over accounts with unusual user names like @dark and @vague, which they sold on OGUsers for thousands of dollars. But as the day of the attack wore on, the hackers changed tactics. Accounts belonging to celebrities and cryptocurrency companies tweeted messages that promised to double the money of anyone who sent Bitcoin.
But the offer was a scam. “No Bitcoin currency was returned as promised to these victims,” Darrell Dirks, a prosecutor with the Florida state attorney’s office, said during a court hearing on Tuesday.
Two other young men, Nima Fazeli and Mason Sheppard, were also arrested and faced charges related to the hack. Mr. Sheppard’s and Mr. Fazeli’s cases are in progress.
Mr. Clark, who appeared in court on Tuesday via videoconference, pleaded guilty to the 30 charges against him. In a deal with prosecutors, Mr. Clark agreed to three years in juvenile prison followed by three years of probation. He also agreed not to use computers without permission or supervision from law enforcement. If he violates the terms of the deal, he could face 10 years in adult prison.
Because Mr. Clark is classified as a youthful offender under a Florida law that offers more lenient sentencing terms to young people, he may be eligible to serve some of his sentence in a boot camp. He turned over the cryptocurrency he owned at the time of his arrest, prosecutors said, and it will be used to pay restitution to the victims of the hack. He will receive 229 days credit for time served since his arrest last year.
“He took over the accounts of famous people, but the money he stole came from regular, hard-working people. Graham Clark needs to be held accountable for that crime, and other potential scammers out there need to see the consequences,” Hillsborough’s state attorney, Andrew Warren, said in a statement. “In this case, we’ve been able to deliver those consequences while recognizing that our goal with any child, whenever possible, is to have them learn their lesson without destroying their future.”
David Weisbrod, a lawyer for Mr. Clark, declined to comment on the plea deal.