Joseph O’Connor - 2020 Twitter Hacker arrested in Spain at the request of DOJ -UPDATED- Revenge Porn Victim speaks
The update includes a new public statement from one of O’Connor’s victims. I would never highlight a victim. She published this on her Instagram. Joe O’Connor is sickAF -update at bottom of article
Full Disclosure KrebsOnSecurity is one of my favorite news sites. They have consistently been months and sometimes years ahead of other news organizations. I genuinely respect their “collaborative reporting” approach because it’s a perfect marriage of tech talk, statutes and receipts for days. Truly you should subscribe or at the minimum follow @btiankrebs when I was on Twitter -we had a few occasions to exchange DMs and he was nothing but helpful, professional and he didn’t make me feel like an idiot when it came to specific questions.
July 16, 2020 Krebs On Security
went on to published an article entitled; Who’s Behind Wednesday’s Epic Twitter Hack?By far this article is one of the best sourced and meticulously detailed…and no I’m not being paid to say/write this
The first public signs of the intrusion came around 3 PM EDT, when the Twitter account for the cryptocurrency exchange Binance tweeted a message saying it had partnered with “CryptoForHealth” to give back 5000 bitcoin to the community, with a link where people could donate or send money.
Minutes after that, similar tweets went out from the accounts of other cryptocurrency exchanges, and from the Twitter accounts for democratic presidential candidate Joe Biden, Amazon CEO Jeff Bezos, President Barack Obama, Tesla CEO Elon Musk, former New York Mayor Michael Bloomberg and investment mogul Warren Buffett.
My July 15 story observed there were strong indications that the people involved in the Twitter hack have connections to SIM swapping, an increasingly rampant form of crime that involves bribing, hacking or coercing employees at mobile phone and social media companies into providing access to a target’s account.
SIM swapping was thought to be behind the hijacking of Twitter CEO Jack Dorsey‘s Twitter account last year. As recounted by Wired.com, @jack was hijacked after the attackers conducted a SIM swap attack against AT&T, the mobile provider for the phone number tied to Dorsey’s Twitter account.
Immediately after Jack Dorsey’s Twitter handle was hijacked, the hackers tweeted out several shout-outs, including one to @PlugWalkJoe. O’Connor told KrebsOnSecurity he has never been involved in SIM swapping, although that statement was contradicted by two law enforcement sources who closely track such crimes.
July 31, 2020 USAO-NDCA Announcement
On July 31, 2020 the USAO-NDCA made an announcement, that Three individuals have been accused today for their alleged roles in the Twitter hack that occurred on July 15, 2020.
Mason Sheppard, aka “Chaewon,” —of Bognor Regis, in the United Kingdom, was charged in a criminal complaint in the Northern District of California with conspiracy to commit wire fraud, conspiracy to commit money laundering, and the intentional access of a protected computer.
Nima Fazeli, aka “Rolex,” 22, of Orlando, Florida, was charged in a criminal complaint in the Northern District of California with aiding and abetting the intentional access of a protected computer.
The third defendant is a juvenile. With exceptions that do not apply to this case, juvenile proceedings in federal court are sealed to protect the identity of the juvenile. Pursuant to the Federal Juvenile Delinquency Act, the Justice Department has referred the individual to the State Attorney for the 13th Judicial District in Tampa, Florida.
USAO-NDCA video press release:
Nima Fazeli “Rolex#0373”, “ROLEX”“Rolex#373,” and “Nim F” —pretty confident Fazeli flipped
If you know what to look for in a criminal docket (See CDCA-ECF for docket report Sept 2020 thru July 2021) eventually you can made a pretty decent educated guess. To be clear I’m not stating this as fact, because the document I believe will substantiate my assertion is still under seal. Notwithstanding I’m going to walk you through my methodology…
AFFIDAVIT IN SUPPORT OF APPLICATION FOR AN ARREST WARRANT AND CRIMINAL COMPLAINT OVERVIEW
This affidavit is made in support of an issuance of an arrest warrantand a one-count criminal complaint alleging that Nima FAZELI, also known as “Rolex,” “Rolex#0373,” “Rolex#373,” and “Nim F,” committed: Computer Intrusion, i.e., intentionally accessing a computer without authorization or exceeding authorized access,and thereby obtaining information from a protected computer, in violation of 18 U.S.C. § 1030(a)(2)(C) and aiding and abetting, in violation of 18 U.S.C. § 2. For the reasons set forth below, I believe there is probable cause to believe Nima FAZELI has committed the foregoing violations of federal law
September 11, 2020: ORDER Setting Conditions of Release and Appearance; Unsecured Bond Entered as to Defendant Nima Fazeli in amount of $ 50,000
October 4, 2020: ORDER, signed 10/4/2020, by Chief Magistrate Judge Joseph C. Spero granting 12 Stipulation Continuing Preliminary Hearing and Excluding Time Under Speedy Trial as to Nima Fazeli (1). Preliminary Hearing reset for 12/7/2020
November 25, 2020 the parties filed a Stipulation and Continuing Hearing and Excluding Time Under the Speedy Trial Act as to Nima Fazeli. Preliminary Examination set for 1/7/2021 - see what I highlighted and underlined? (see Scribd Link for Nov 25th Order)
January 4, 2021: Order, signed 12/29/2020, by Chief Magistrate Judge Joseph C. Spero granting 18 Stipulation Continuing Preliminary Hearing and Excluding Time Under Speedy Trial Act as to Nima Fazeli (1). Preliminary Hearing continued to 2/8/2021
February 1, 2021 ORDER Continuing Preliminary Hearing and Excluding Time Under the Speedy Trial Act and Federal Rule of Criminal Procedure 5.1(c) and (d) as to Nima Fazeli. Signed by Magistrate Judge Laurel Beeler on 02/01/2021
March 4, 2021 Sealed Document. No NEF issued. (mjj2S, COURT STAFF) (Filed on 3/4/2021) (Entered: 03/04/2021)
And that’s why if you’re reading the various docket entries (I uploaded a fresh docket report) and you process a basic understanding of what you’re reading. Coupled with what to look for in the limited Court filings —one can either deduce or infer that Defendant Fazeli likely signed a plea agreement on or about March 4, 2021. But like I said the document I need to provide my assertion is in fact under-seal. I suppose eventually we will figure out who’s right and who’s wrong. So let’s dive into the 54+ page long affidavit into Joey O’Connor, shall we?
Defendant Joseph O’Connor - arrested in Spain and in custody;
Shortly after 12:00PM the Department of Justice Announced via a Press Release that Spanish Authorities at the request of our DOJ had arrested Joseph O’Connor and no that OPA did not include a copy of the Criminal Complaint and/or Affidavit/Statement of Facts.
Back in late July 2020 Joseph James O’Connor, during his interview with the New York Times was adamant that he had no part of the Twitter2020 hack. The newly unsealed Affidavit suggest otherwise that O’Connor played an integral role/
Several people involved in the events that took down Twitter this week spoke with The Times, giving the first account of what happened as a pursuit of Bitcoin spun out of control.
Regarding the hacking of @6 - this thread is worth retreading because it provides some details into what the hackers allegedly did in July 2020 -also see pages 5 thru 9 of the Affidavit regarding Defendant O’Connor…
Good Lord - that footnote on page 1 of the Affidavit is a whole new level of awful - also please respect my decision to proactively redact the FBI Agent(s) name(s). After the January 6th attack on our Democracy I’ve made it a habit of redacting their names because previous public reporting of Trump’s MAGA & QANON mob targeting the investigators. —I’m not willing to inadvertently put a target on their backs or that of their families.
Your affiant seeks to use a first initial throughout the affidavit and complaint due to O’Connor’s involvement in online threats. O’Connor has potentially been linked to additional prior swatting incidents and possibly (although not confirmed and currently still under investigation) the swatting of a U.S. law enforcement officer.
July 15, 2020 Twitter Hack:
Admittedly it’s annoying that all my previous research is gone because I remember how much time I put into researching the ___ out of this and I was surprised that SIMs were once again in play before clearly AT &T hasn’t fixed their issue(s) but I digress…as the affidavit elucidates —the July 15, 2020 Twitter hack was bad:
July 15, 2020, approximately 130 Twitter accounts were compromised. This includes multiple high-profile verified accounts, including those of Bill Gates, Elon Musk, Kanye West, Joe Biden, Barack Obama, Jeff Bezos, Mike Bloomberg, Warren Buffett, Benjamin Netanyahu, and Kim Kardashian. Accounts belonging to cryptocurrency exchanges, such as Binance, Gemini, Coinbase, Bitfinex, and AngeloBTC were also compromised, as were prominent companies like Apple Inc. and Uber Technologies Inc. For a subset of those accounts, the attackers were able to gain control of the accounts and send tweets from those accounts. The servers hosting the data for at least some of the affected accounts
…address “bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh” (hereinafter, the “Scam Address”), which received approximately $117,000 in 415 transfers. Two other bitcoin addresses were also posted on some Twitter accounts: “bc1q0kznuxzk6d82e27p7gplwl68zkv40swyy4d24x” and “bc1qwr30ddc04zqp878c0evdrqfx564mmf0dy2w39l”, which both received approximately $6,700 in 100 transactions
Wait —hold on— are you telling us that the bad actors that tweeted the cryptoforhealth(.)com and had the two aforementioned wallets
…website hosted at the domain cryptoforhealth.com, which also provided the same bitcoin address. In all of these cases, the Twitter postings said that individuals who sent any bitcoin to the aforementioned address would receive double the bitcoin in return. Multiple individuals and companies confirmed publicly and/or to the FBI that their accounts had been hacked and they did not post messages directing individuals to send them bitcoin.
Raises hand to say - erm excuse me but the reason cryptoforhealth(.)com was archived on the wayback is while others were gawking at the Twitter insanity, I was quietly and quickly archiving (see here) the two websites, the individual tweets. And I’m sure I wasn’t because the site was archived 13 times. But then again when I was on Twitter this was my SOP if I thought that preserving the data would be beneficial in the future.
The siphoning off of the cryptocurrency makes a lot of sense because I’d bet they broke up the transactions, ran each through at least one tumbler… because that makes trying to track down the cryptocurrency that much harder to trace.
Juvenile #1 regarded as the mastermind
Again my red lines, no children and no spouses, although the Florida Juvenile was later unmasked by several news organizations and you can quickly identify the 17 year old who used this moniker on Discord “Kirk#5270” but I’m not going to name him because he was a juvenile at the time of the hack.
July 30, 2020, Juvenile 1 was charged by criminal complaint in the Northern District of California in relation to this investigation. Pursuant to the Juvenile Delinquency Act, juvenile proceedings in federal court are sealed to protect the identity of the juvenile. That complaint was subsequently dismissed in favor of prosecution by state authorities in Florida. Juvenile 1 was charged in the State of Florida for violating the following Florida criminal offenses: Unauthorized Access to a Computer System (F.S. 815.06(2)(a) and (3)(b) 2.), “Scheme to Defraud” Florida Communications Fraud Act (F.S. 817.034(4)(a)1), “Communications Fraud”).
And Three means the Twitter Trifecta
In the Fazeli, Sheppard and now the O’Connor various Affidavits state that the Government obtained a search warrant for “the discord server”
On or about July 30, 2020, Nima Fazeli was charged by criminal complaint in the Northern District of California in connection with this investigation and was arrested on July 31, 2020.
On or about July 30, 2020, Mason Sheppard, a U.K national, was charged by criminal complaint in the Northern District of California in connection with this investigation.
Juvenile # 2…wait for it…
note Juvenile # 2 agreed to the interview after the FBI showed up with a search warrant…
Juvenile 2 agreed to be interviewed. Juvenile 2 admitted to law enforcement agents that he/she was the Discord user who was identified in chats as assisting the user of Discord moniker “Kirk#5270” in the sale of illegal
Twitter access. Juvenile 2 admitted that he/she worked with Sheppard, whom Juvenile 2 knew by the name “Mason,” to sell Twitter account access through Juvenile 1.
When asked whether Juvenile 2 was familiar with the name “Joseph O’Connor,” Juvenile 2 stated that he/she knew that individual to be a hacker and thought that he/she may have messaged that individual once. When asked about the Twitter handle “@shinji,” Juvenile 2 stated that it was common knowledge that the “@shinji” handle was an online moniker used by the individual he/she had referred to as the hacker. Juvenile 2
…during the course of the July 2020 Twitter hack, that individual had discussed purchasing Twitter accounts with Juvenile 2 and had stated that he had purchased the “@6” account earlier that day.
The individual that Juvenile 2 was chatting with inquired about a few different Twitter accounts including Donald Trump’s account. Juvenile 2 added Juvenile 1 into a group chat with that individual in order for the individual to communicate directly with Juvenile 1. Juvenile 1 refused to engage in the chat and told Juvenile 2 not to add him/her to that chat …
August 26, 2020, Juvenile 2 was interviewed by the FBI pursuant to a federal proffer agreement, with Juvenile 2’s defense attorney present. Juvenile 2 provided more detail about his/her chat with the individual discussed above. On the morning of July 15, 2020, that individual made contact with Juvenile 2 via the Discord account with the “insane” username, introducing himself as “Joe.” Included in the chat were two other parties, though Juvenile 2 could not recall their names. Part of the conversation was via text, but Juvenile 2 also spent approximately 20 minutes in a voice call with the individual via Discord
The affidavit also adds more details to the August 2020 TikTok Hacking…O’Connor is charged with computer intrusions related to takeovers of TikTok and Snapchat user accounts. O’Connor was also charged with cyberstalking a juvenile victim.
What’s completely diabolical about Defendant O’Connor is he first successful hijacked the @kpop (intentionally not linking to the Twitted account) and as he continued to cyberstalk the TikTok user - O’Connor created yet another Twitter account “yoongi“ <—who just so happens to be a very big KPop musician. See Twitter search “yoongi”
Revenge Porn or threatening to release revenge porn is Extortion -asshole
Purely from an academical and data driven perspective O’Connor OpSec was incredibly sloppy. At first glance it looks kind of ingenious but upon further examination of the facts proffered in the 54 page affidavit—once you pull back the veneer you can see how incredibly sloppy O’Connor’s OpSec was. Part of me thinks it’s largely due to arrogance and his young age but to say O’Connor is some computer whiz-kid isn’t intellectually honest. He knew just enough coding and social engineering to making him dangerous. As evident by his grotesque stalking, swatting and harassment of an underaged victim. See Twitter search for @j0e
Thereafter Defendant O’Connor created a Snapchat user “yupcal” the Defendant went on to create a separate Twitter account (because Twitter allows for case sensitive accounts @speaker <—O’Connor is not @Speaker <—current speaker of the House) what’s more insane is O’Connor also created a @j0e Instagram account (that IG account is gone but that embedded link will take you to an analytics page)
I literally have nothing to say about this new disclosure —beyond Joe O’Connor is an arrogant POS and anyone who traffics in using “sextorsion” aka “revenge porn”
Those who either pass around nude/revenge porn pictures that were either unlawfully obtained or sent to someone during a romantic tryst. You are a vile disgusting criminal pieces of shit. Threatening the use of revenge porn to silence a victim is disgusting and abhorrent. Not the least of which it’s criminal behavior. Sadly I think we all know a few certain people on Twitter who recently threatened two victims with releasing nude pictures because that’s what narcissistic sociopaths and their enablers do.
Worse yet is when another woman threatens to release revenge porn on another woman. You are truly a garage dumpster fire piece of shit human being. To be clear there’s a distinction of editing out the nudity and telling someone “hey your so called friend’s friend is randomly sending nude pictures to me saying this is her” that’s not the same as using or threatening to use revenge porn to force victims to be compliant or silent. Assholes
But this kind of behavior is grotesque 👇🏻 It’s textbook extortion-esq behavior
June 13, 2019, the account was accessed via the IP address of 185.210.219.154 two times. As shown below, the Instagram account of “@j0e” was accessed minutes later via this same IP address…pursuant to the search warrant were records from AT&T pertaining to Victim 2’s telephone number…on June 13, 2019 a SIM card change was made on Victim 2’s account. Approximately 5 hours later, another SIM card change was made to Victim 2’s account with the reason being, “Per customer request.” I am aware that when an individual conducts a SIM swap, the cell phone provider will switch the SIM number associated with the cell phone account.
O’Connor was involved in the compromise of Victim 2’s Snapchat account, obtained information from the account include nude images of Victim 2, and was involved in extorting Victim 2 using those nude images. I believe that O’Connor conducted a SIM swap to take over Victim 2’s Snapchat account and obtain information. O’Connor then posted references to his moniker “PlugwalkJoe” and to various other O’Connor accounts
SWATTING & CYBERSTALKING OF VICTIM 3
Look this is way worse than some arrogant shitty hacker showing off -O’Connor targeted minors, he then used the revenge porn extortion technique and then added swatting to his list of criminal behavior
June 25, 2020, an individual called law enforcement from 405-358-7214, a Google Voice telephone number. The caller did not identify himself but was described in the police report as speaking in an “English or Australian” accent and indicated he caught his wife cheating and planned to kill her and his six children unless he received $50,000. The caller also claimed he would kill any law enforcement officer responding to the scene. Furthermore, the caller said his children were black and he wanted to kill them because “black lives don’t matter.” The caller stated that he had a Molotov cocktail
“Hello, my name is [Jane Doe].24 I will be shooting up schools in Garn Grove, California at random times on Tuesday. . . I will be aiming at minority students (Black, Mexican, Asian, Etc) As they need to get the fuck off American soil and give us our freedom back!! All those niggers do is rob and steal! . . . I also snuck in over the weekend and put pipe bombs and duffel bags with bombs in them.”
Defendant O’Connor’s reign of terror
The call originated from 405-358-7214, the number associated with the swatting offense on Residence 1 referenced in paragraphs 108-09. Shortly after the initial call, an individual believed to be the same caller called back and stated, “I have an AR-15 with a silencer and I just killed my wife. I told you guys to come.”
In the call, the caller provided his address as Residence 1 and telephone number as 714-520-0282. I have reviewed portions of the call that were recorded. I have provided portions of this recorded call to C.T. of the REACT Task Force. C.T. informed me he believed the voice in the recorded call matched the voice he knew to be the individual he has spoken with who has identified himself as O’Connor.
live-streamed a call to police on Discor… “Joseph” apologized for his actions but thought Victim 3 deserved it..
..the subsequent phone calls to Victim 3’s family members threatening to kill each individual, messages sent through O’Connor’s Dog Snapchat account and other accounts known to be used by O’Connor, there is probable cause to believe that O’Connor was responsible for swatting and cyberstalking Victim 3.
OVERLAPPING IP ADDRESSES REVEAL THAT THE SAME INDIVIDUAL INVOLVED WITH THE TWITTER HACK COMMITTED THE HACKING OF VICTIM 1’S TIKTOK ACCOUNT, THE HACKING OF VICTIM 2’S SNAPCHAT ACCOUNT, AND THE CYBERTHREATS AGAINST VICTIM 3…
Each of the accounts in this table have substantial IP address overlap with other accounts that are associated with O’Connor and his various illegal activities. Many of these logins above are particularly notable for their proximity in time to logins into other accounts. Based on my training and experience, and the evidence set forth in this affidavit, including the account logins
See Scribd link for the 54 page affidavit —at this point I know that all defendants are afforded the presumption of innocence —but this Affidavit is 54 pages of nothing but facts, documents, returns of numerous search warrants and it’s horrifying what Joe O’Connor did to these victims. And the FBI along with local law enforcement should be lauded for their efforts that resulted in the arrest of O’Connor.
Updated July 22, 2021 9:25PM
I think I have a solid track record that I can say that I rarely if ever talk about the victims.
In Bella Thorne’s Instagram post - here I’ll let her speak for herself
….I want to thank the FBI for searching tirelessly for the person who made my life and others a living hell. I have felt violated many times in my life, but I thought I didn’t have a way out, so I made a choice. My choice. A choice I didn’t want to make but felt I had to because I wouldn’t spend another day feeling someone was taking away from me my body, my soul, my mental health, and my love and hope for the world.
So thank you, FBI, for a step in the right direction and just one less bad guy to worry about.
Today I woke up with hope again, and a weight lifted off my shoulders. But with that said, I still need to get something across that I have wanted to say for a long time. For all the people who think because a woman is comfortable with their body and how they portray themselves that they are “asking for it, “for the people who think “she deserves it” because she was there or had a beer in her hand or wore a short skirt, and for the people that think because she took the photo she deserves to be humiliated with it - and she deserves for everyone to look at it and inscribe every piece and bit of her in their mind. Or because she took the photo, she deserves that one moment to follow her, taunt her for the rest of her life through every waking moment. To those who made those remarks, they were disgusting. I hope you feel disgusting. To those few people. Sincerely fuck you.
Individuals who not only share “intimate pictures” sent by someone who was in a romantic relationship without the prerequisite consent — only to later weaponize said pictures by using it a “revenge porn” - and then give their enablers and surrogates the intimate pictures only to threaten to release “revenge porn” are trash human beings engaging in criminal behavior.
This is particularly true when the person sharing the intimate pictures as a form of sextortion to make a former love interest either shut up or push them to have suicidal ideations are terrible and damaged human beings. I don’t need to name names, most of you know exactly who I am talking about.
And to be absolutely clear there’s a distinction of editing the nudity out of unsolicited intimate photos this Twitter predator sent to me. Notwithstanding I also had permission from the female who originally sent the photos to the Twitter predator. He never banked on the idea that we (his former fiancé and I would ever talk or that we would figure out who’s nude photos belong to who). We both agreed that another person needed to know “what their friend was doing” —instead that woman (who we were privately trying to warn) decided to threaten me and three others. She said to one “you’re a lawyer be smart” —the person we tried to warn (privately) then falsely stated that I had committed a cyber crime against her. So let’s repeat one more time for the slow kids
Your Twitter & Video streaming (former) collaborator sent me multiple unsolicited nude pictures of women he bragged he had “banged” -who does that?
Your Twitter friend spent months telling me these two women were “crazy, obsessed, stalkers…never proposed to her” —while he also bragging about bedding a married reporter. The predator grotesquely told me “they got naked wasted” and “I fixed her and sent her back to her husband but she’s the one that got away” —I later found out this reporter has worked hard for years on their sobriety. Yet the Twitter predator told me how wasted they got. I’m inclined to think this predator lied to me, a lot.
In Feb 2020 I gave this Twitter predator a taste of his own medicine and ghosted him. Completely. Blocked him on all forms of communications. I was tired of the constant drunk calls, sobbing, and threatening of suicide. It was exhausting. In an effort to help this predator I called in favors at the State Dept, the local FBI office, the USAO and the ACLU. These are favors I can never use in the future for a client. That’s not his fault, I am just wired if someone needs help and I can make connections to facilitate that help, I just do it. Without fanfare.
The person who sent the intimate photos gave me permission to share/ However I showed her the edits and we both agreed that I didn’t want it to appear I was sharing revenge porn (the nudity was edited out) but again we felt like the other woman should know what her Twitter friend was doing
When presented with evidence this woman decided to smear, defame and threaten at least 3 others. The goal was obvious to shut me up and/or dirty me up and smear me. Her ill thought out plan did not work because well decent women always look out for other decent women. She is not decent. She’s “the worst kind of woman” and you know what I mean
And then as predicted in Dec 2020 this Twitter predator’s biggest enabler decided to go crazy on 6 of the 7 women that came forward. What ensued was a months long coordinated attack by 3 individuals. This included dozens of Twitter threads, (she’s since deleted over 3,139 tweets). Numerous threats. Also pretty dumb to game theory it out in Twitter DMs & text messages.
Revenge porn, using the threat of releasing revenge porn to silence victims or make them compliant, is in fact criminal behavior. It is also especially gross when another woman does this to another woman. It’s disgusting, vile and atrocious behavior. This Twitter predator acts like he’s a champion of women. He’s not. He’s a predator. He uses Twitter as his hunting ground.
And as I said in December 2020 if I wanted to destroy him, I could. But now that it’s solidly a criminal matter —not a chance I’m going to engage in spoliation of evidence.
End of the story revenge porn is criminal behavior. That also includes threatening to release revenge porn—but if another woman says “so what they were tit pics” you need to know they are not only enabling this disgusting behavior but they are also not a nice or decent human being. So don’t be like them.
Sorry I neglected to embed this interesting Twitted thread -https://web.archive.org/save/https://twitter.com/subahiiro/status/1358270262530084867
See July 2020 DOJ-OPA re Twitter Hack
https://www.justice.gov/usao-ndca/pr/three-individuals-charged-alleged-roles-twitter-hack
See dated May 15, 2021 Affidavit re Defendant O’Connor
https://www.justice.gov/usao-ndca/press-release/file/1413571/download
Because unlike some I refuse to withhold public documents and those who do are manipulative megalomaniacs, you get that right?
Unlike those individuals I consistently upload public documents
https://www.scribd.com/user/489178812/File-411