One day after last summer’s mass-hack of Twitter, KrebsOnSecurity wrote that 22-year-old British citizen Joseph “PlugwalkJoe” O’Connor appeared to have been involved in the incident. When the U.S. Justice Department last week announced O’Connor’s arrest and indictment, his alleged role in the Twitter compromise was well covered in the media.
But most of the coverage seems to have overlooked the far more sinister criminal charges in the indictment, which involve an underground scene wherein young men turn to extortion, sextortion, SIM swapping, death threats and physical attacks — all in a frenzied effort to seize control over social media accounts.
Skim the government’s indictment and you might overlook a footnote on Page 4 that says O’Connor is part of a group that had exactly zero reservations about using their playbook of harassment tactics against law enforcement agents who were already investigating their alleged crimes.
“O’Connor has potentially been linked to additional prior swatting incidents and possibly (although not confirmed and currently still under investigation) the swatting of a U.S. law enforcement officer,” the footnote reads.
Swatting involves making a false report to authorities in a target’s name with the intention of sending a heavily armed police force to that person’s address. It’s a potentially deadly hoax: Earlier this month, a Tennessee man was sentenced to 60 months in prison for setting in motion a swatting attack that led to the death of a 60-year-old grandfather.
As for the actual criminal charges, O’Connor faces ten counts, including conspiracy, computer intrusion, extortive communications, stalking and threatening communications.
All of those come into play in the case of the Snapchat account of actor Bella Thorne, who was allegedly targeted by PlugwalkJoe and associates in June 2019.
Investigators say O’Connor was involved in a “SIM swap” against Thorne’s mobile phone number. Unauthorized SIM swapping is a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the target’s text messages and phone calls to a device they control. From there, the attackers can reset the password for any online account that allows password resets via SMS.
In this case, the SIM swap was done to wrest control over Thorne’s Snapchat account. Once inside, the attackers found nude photos of Thorne, which they then threatened to release unless she agreed to post on social media thanking the hackers using their online handles.
The intruders posted on Thorne’s Snapchat, “Will drop nudes if 5000 of you follow @PlugwalkJoe.” Thorne told the feds her phone lost service shortly before her account was hijacked. Investigators later found the same Internet address used to access Thorne’s Snapchat account also was used minutes later to access “@Joe” on Instagram, which O’Connor has claimed publicly.
On June 15, 2019, Thorne posted on Twitter that she’d been “threatened with my own nudes,” and posted screenshots of the text message with the individual who had extorted him/her. Thorne said she was releasing the photographs so that the individual would not be able to “take yet another thing from me.”
The indictment alleges O’Connor also swatted and cyberstalked a 16-year-old girl, sending her nude photos and threatening to rape and/or murder her and her family.
Social media personality Addison Rae had 55 million followers when her TikTok account got hacked last August. I noted on Twitter at the time that PlugWalkJoe had left his calling card yet again. The indictment alleges O’Connor also was involved in a SIM-swap against Rae’s mobile number.
Prosecutors believe that roughly a week after the Twitter hack O’Connor called in bomb threats and swatting attacks targeting a high school and an airport in California. They’re confident it was O’Connor making the swatting and bomb threat calls because his voice is on record in a call he made to federal investigators, as well as to an inmate arrested for SIM swapping.
Curiously left out of the media coverage of O’Connor’s alleged crimes is that PlugwalkJoe appears to have admitted in a phone call with the FBI to being part of a criminal conspiracy. In the days following the Twitter mass-hack, O’Connor was quoted in The New York Times denying any involvement in the Twitter bitcoin scam. “I don’t care,” O’Connor told The Times. “They can come arrest me. I would laugh at them. I haven’t done anything.”
Speaking with KrebsOnSecurity via Instagram instant message just days after the Twitter hack, O’Connor demanded that his name be kept out of future blog posts here. After he was told that couldn’t be promised, he mentioned that some people in his circle of friends had been known to hire others to deliver physical beatings on people they didn’t like. In nearly the same breath, O’Connor said he was open to talking to federal investigators and telling his side of the story.
According to the indictment, a week after the Twitter hack a man identifying himself as O’Connor called federal investigators in Northern California. Specifically, the call went to the REACT Task Force. REACT is a team of law enforcement officers and prosecutors based in Santa Clara, Calif. that is focused on catching criminal SIM swappers, and by this point REACT already had plenty of audio from phone calls traced back to O’Connor in which he allegedly participated in a SIM swapping or swatting attack.
“REACT began receiving tips in 2018 regarding illegal activity of an individual using the online moniker ‘PlugwalkJoe,’ purportedly identified as O’Connor from the United Kingdom,” the indictment states.
Prosecutors redacted the name of the law enforcement officer who allegedly was swatted by PlugwalkJoe, referring to him only as “C.T.,” a criminal investigator for the Santa Clara District Attorney and a REACT Task Force member.
FBI agents called O’Connor back at the number he left. O’Connor told the FBI that on the afternoon of July 15, 2020 he’d been in contact with other associates who were in communications with the alleged mastermind of the Twitter bitcoin scam. Those intermediaries worked directly with Graham Clark, then 17, who pleaded guilty to fraud charges last summer in connection with the Twitter hack and agreed to serve three years in prison followed by three years of probation.
The indictment says O’Connor told the feds he only wanted his friends to relay his desire for Clark to secure several different short Twitter usernames that belonged to other people, accounts that were to be later sold for a profit. The other associates who allegedly helped PlugwalkJoe interact with Clark also have since been charged in connection with the Twitter hack.
A copy of the indictment is here (PDF).