July 26, 2021

Joseph “PlugwalkJoe” O’Connor, in a photo from a paid press release on Sept. 02, 2020, pitching him as a trustworthy cryptocurrency expert and advisor.

One day after last summer’s mass-hack of Twitter, KrebsOnSecurity wrote that 22-year-old British citizen Joseph “PlugwalkJoe” O’Connor appeared to have been involved in the incident. When the U.S. Justice Department last week announced O’Connor’s arrest and indictment, his alleged role in the Twitter compromise was well covered in the media.

But most of the coverage seems to have overlooked the far more sinister criminal charges in the indictment, which involve an underground scene wherein young men turn to extortion, sextortion, SIM swapping, death threats and physical attacks — all in a frenzied effort to seize control over social media accounts.

Skim the government’s indictment and you might overlook a footnote on Page 4 that says O’Connor is part of a group that had exactly zero reservations about using their playbook of harassment tactics against law enforcement agents who were already investigating their alleged crimes.

O’Connor has potentially been linked to additional prior swatting incidents and possibly (although not confirmed and currently still under investigation) the swatting of a U.S. law enforcement officer,” the footnote reads.

Swatting involves making a false report to authorities in a target’s name with the intention of sending a heavily armed police force to that person’s address. It’s a potentially deadly hoax: Earlier this month, a Tennessee man was sentenced to 60 months in prison for setting in motion a swatting attack that led to the death of a 60-year-old grandfather.

As for the actual criminal charges, O’Connor faces ten counts, including conspiracy, computer intrusion, extortive communications, stalking and threatening communications.

FEMALE TARGETS

All of those come into play in the case of the Snapchat account of actor Bella Thorne, who was allegedly targeted by PlugwalkJoe and associates in June 2019.

Investigators say O’Connor was involved in a “SIM swap” against Thorne’s mobile phone number. Unauthorized SIM swapping is a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the target’s text messages and phone calls to a device they control. From there, the attackers can reset the password for any online account that allows password resets via SMS.

In this case, the SIM swap was done to wrest control over Thorne’s Snapchat account. Once inside, the attackers found nude photos of Thorne, which they then threatened to release unless she agreed to post on social media thanking the hackers using their online handles.

The intruders posted on Thorne’s Snapchat, “Will drop nudes if 5000 of you follow @PlugwalkJoe.” Thorne told the feds her phone lost service shortly before her account was hijacked. Investigators later found the same Internet address used to access Thorne’s Snapchat account also was used minutes later to access “@Joe” on Instagram, which O’Connor has claimed publicly.

On June 15, 2019, Thorne posted on Twitter that she’d been “threatened with my own nudes,” and posted screenshots of the text message with the individual who had extorted him/her. Thorne said she was releasing the photographs so that the individual would not be able to “take yet another thing from me.”

The indictment alleges O’Connor also swatted and cyberstalked a 16-year-old girl, sending her nude photos and threatening to rape and/or murder her and her family.

Social media personality Addison Rae had 55 million followers when her TikTok account got hacked last August. I noted on Twitter at the time that PlugWalkJoe had left his calling card yet again. The indictment alleges O’Connor also was involved in a SIM-swap against Rae’s mobile number.


BAD REACTION

Prosecutors believe that roughly a week after the Twitter hack O’Connor called in bomb threats and swatting attacks targeting a high school and an airport in California. They’re confident it was O’Connor making the swatting and bomb threat calls because his voice is on record in a call he made to federal investigators, as well as to an inmate arrested for SIM swapping.

Curiously left out of the media coverage of O’Connor’s alleged crimes is that PlugwalkJoe appears to have admitted in a phone call with the FBI to being part of a criminal conspiracy. In the days following the Twitter mass-hack, O’Connor was quoted in The New York Times denying any involvement in the Twitter bitcoin scam. “I don’t care,” O’Connor told The Times. “They can come arrest me. I would laugh at them. I haven’t done anything.”

Speaking with KrebsOnSecurity via Instagram instant message just days after the Twitter hack, O’Connor demanded that his name be kept out of future blog posts here. After he was told that couldn’t be promised, he mentioned that some people in his circle of friends had been known to hire others to deliver physical beatings on people they didn’t like. In nearly the same breath, O’Connor said he was open to talking to federal investigators and telling his side of the story.

According to the indictment, a week after the Twitter hack a man identifying himself as O’Connor called federal investigators in Northern California. Specifically, the call went to the REACT Task Force. REACT is a team of law enforcement officers and prosecutors based in Santa Clara, Calif. that is focused on catching criminal SIM swappers, and by this point REACT already had plenty of audio from phone calls traced back to O’Connor in which he allegedly participated in a SIM swapping or swatting attack.

“REACT began receiving tips in 2018 regarding illegal activity of an individual using the online moniker ‘PlugwalkJoe,’ purportedly identified as O’Connor from the United Kingdom,” the indictment states.

Prosecutors redacted the name of the law enforcement officer who allegedly was swatted by PlugwalkJoe, referring to him only as “C.T.,” a criminal investigator for the Santa Clara District Attorney and a REACT Task Force member.

FBI agents called O’Connor back at the number he left. O’Connor told the FBI that on the afternoon of July 15, 2020 he’d been in contact with other associates who were in communications with the alleged mastermind of the Twitter bitcoin scam. Those intermediaries worked directly with Graham Clark, then 17, who pleaded guilty to fraud charges last summer in connection with the Twitter hack and agreed to serve three years in prison followed by three years of probation.

The indictment says O’Connor told the feds he only wanted his friends to relay his desire for Clark to secure several different short Twitter usernames that belonged to other people, accounts that were to be later sold for a profit. The other associates who allegedly helped PlugwalkJoe interact with Clark also have since been charged in connection with the Twitter hack.

A copy of the indictment is here (PDF).


63 thoughts on “PlugwalkJoe Does the Perp Walk

  1. Bob Brown

    I’m sure readers of KrebsonSecurity already know this, but your friends do not. Using a cellular phone for anything having to do with security is not safe.

    Particularly for second-factor authentication, a hardware key like YubiKey or competitors or a time-based one-time password such as one generates with Google Authenticator and others is far safer. It’s faster, too!

    Tell your friends!

    1. Alex

      Until your hardware key dies. Then you have quite the mess on your hands.

      Not all 2FA implementations can work with an authenticator like app.

      1. G.Scott H.

        The biggest problem with 2FA is the individual has little say in the implementation. The average 2FA implementation is via SMS. The back end code running on servers to support an SMS implementation of 2FA is extremely similar if not identical to that needed for supporting an authenticator app 2FA. In other words, an SMS 2FA is most of the way there to an authenticator app 2FA, and both can be supported by the same server allowing customer preference. Hardware keys are not well adopted, period. I enable 2FA anytime it is available. I have 2 Yubikeys, one is a backup, I can use it at exactly 4 of the hundreds of online services where I have accounts. A dozen or so of them support authenticator app 2FA, but no financial institutions. A hobby forum supports authenticator 2FA, better than banks, what a shame. All the rest doing 2FA are using SMS, all the financial institutions I deal with and the rest amounts to only a few dozen more. There are still important services not even supporting 2FA. For that problem I use a password manager and unique and as long a password as is supported. I have tried to “vote with my wallet” by selecting more secure services if I can find them, but the selection is pitiful.

        1. Basic

          “I can use it at exactly 4 of the hundreds of online services where I have accounts”

          Exactly. Which is why it’s a non-solution despite “adherents” in niches.

          1. JamminJ

            The trick is… Use the hardware key (yubikey) as 2FA for a dedicated email,… that gets used as “recovery” for all the other sites.

              1. Yubikey ads in 21?

                Ooh, “dedicated” email! Super unhackable technology.

                1. sooti

                  I don’t understand your ignorance. Having a separate dedicated email for recovery seems like a good idea. Do you think i should send everything to Gmail?

                  1. Yebbi

                    No ignorance. The type of email matters a lot, dedicated is irrelevant; it has to be secure, encrypted through the entire chain, native client only, hard spam block, etc. Those are better, otherwise email was never designed to be private.
                    “Access to your Contacts” is a “feature” of far too many apps.
                    “Share your data with other apps” yup.

                    1. Yasqueen

                      I see what your saying. But I also understand what is meant by “dedicated email”.
                      Having an email separate from my day to day email, is “dedicated”, and that allows me to avoid all the features you talk about that would make it insecure.
                      If I use Gmail for day to day, and do like to use some of those convenience features, then having a separate dedicated email just for recovery is probably a good idea.

                      Also, the most common thing to cause an account takeover is phishing. It’s easier to avoid phishing on a dedicated email, rather than my daily email.

                    2. Yasqueen

                      Dedicated email seems to take care of the most serious threat, phishing.
                      While end to end email encryption is truly irrelevant. Unless you suspect your email provider of conspiring with cybercriminals.

                      End to end email encryption isn’t possible in most scenarios. I only know of Facebook that allows you to put in a PGP public keys for notifications/recovery messages. And in that case, most people will, again, need a separate dedicated email to handle decryption.
                      So dedicated email seems to be the best bang for your buck.

      2. JamminJ

        Using hardware keys is still great idea. They will always have a backup method, so if you are caught in a mess, then you missed a step.
        Many backup methods are a simple list of codes for you to print out and keep (in a) safe.
        If email recovery is available, then create a free encrypted email address used ONLY for recovery operations.
        I know it’s twice as expensive, but I always create a backup hardware key.
        For hardware keys based on a programmable secret, like yubikey HMAC, then you can copy the secret on paper and put in your safe. If your yubikey ever fails, you can create a new one.

        Yes, the biggest problem is that many sites/services don’t offer any 2FA stronger than SMS. In that case, people should really consider alternative sites.
        https://2fa.directory/

        1. Nope

          “You can create a new one” is not the only step there.
          Nice advertisements though lol.

      3. zboot

        Why? How is this any more of a mess than if you forget the master password for your password manager? At least if your hardware key dies, you can fall back on having your passwords and recovery phrases still available in a password manager.

        1. ThaCrip

          That’s why if your using YubiKey it’s best to register at least two of them to your Google account, or don’t bother using YubiKey’s at all. because with two keys, even if one dies or you happen to lose it, you will still have one stored in a secure location you can use to regain access to your account, then just remove the lost/broken key from the account and get another and re-register that and then you got two keys tied to the account once again. this is why it’s always a bad idea to use just one key, because if it’s lost/stolen/broken, you got problems, especially if it’s your only way to get back into the account, which is best that way since it’s most secure.

          but as for the password manager, that’s why it’s best to make SURE you won’t forget the master password as you simply write it down somewhere and keep it in a secure location in case you forget, and naturally, you ALWAYS make a backup (I would suggest at least three backups) of your password managers database file. I never use password managers that store anything online but are all stored locally. so backup to hard drives, USB stick etc. this helps nearly ensure you will never lose your master password or password manager database file.

    2. Jon Marcus

      Unfortunately, many services with support stronger options offer SMS messages as a fallback. For such services, it doesn’t matter how diligently one uses more secure methods. An attacker can still get in via SIM swapping.

      1. JamminJ

        Yeah. That’s a problem with many sites/services online. Even banks.

        A good workaround is to use a landline if possible. They are significantly harder to port over remotely using these social engineering tactics. Not impossible, but much harder.

        Of course, some require SMS verification before setting that number as the 2FA fallback. In that case, that online site or service is really shoehorning you into a bad security posture. When a company backs me into such a corner… I serious consider a competitor.
        Using hardware keys is still great idea. They will always have a backup method, so if you are caught in a mess, then you missed a step.
        Many backup methods are a simple list of codes for you to print out and keep (in a) safe.
        If email recovery is available, then create a free encrypted email address used ONLY for recovery operations.
        I know it’s twice as expensive, but I always create a backup hardware key.
        For hardware keys based on a programmable secret, like yubikey HMAC, then you can copy the secret on paper and put in your safe. If your yubikey ever fails, you can create a new one.

        Yes, the biggest problem is that many sites/services don’t offer any 2FA stronger than SMS. In that case, people should really consider alternative sites.
        https://2fa.directory/

  2. nobody

    brian, can you explain how it is i posted the information regarding joe, and all the others involved on reddit, and numerous other places, as well as emailed it to you when this originally went down, and you proceeded to credit yourself with the findings

    1. Brian Fiori (AKA The Dean)

      Maybe because you are “nobody”. I think any legit person would include his/her name. Don’t ya think?

  3. The Sunshine State

    Just another narcissistic guy that more then likely is on the “autistic spectrum “

    1. basic

      More than. I don’t see why you’re involving autism in psychopathy.

      1. The Sunshine State

        “psychopathy” is a person who kills without remorse , manipulates and controls, and shows no emotion towards their victim . This O’Connor guy doesn’t fit into that category

        1. dfsfsdsf

          The only reason he doesn’t kill is because they haven’t figured out how to use the Internet to do that. Everything else fits Joe though.

          1. SeymourB

            Sure they have – swatting can lead to death, which is why they’re so attracted to it. The thought of having the power of life & death over someone is part of the reason why they do it.

            1. JamminJ

              Doesn’t make sense though. Why would they do the other stuff like sending pizza deliveries? Are the playing the long game with diabetes?

              Narcissistic bullying for attention is still a desire for power over other people. But doesn’t mean a desire for the power of life and death. Very different things. And no, it’s not a slippery slope either.

              Bullying behavior has often led to accidental death. It does traumatize the bully too, because they sincerely did not intend for it to go that far. This is one of the reasons manslaughter exists between innocence and murder.

              1. Nope

                https://en.wikipedia.org/wiki/Psychopathy

                No, your definition is flawed. Reading solves a lot of problems.
                There’s no hard requirement to “kill” anyone at all.

                Swatting people is psychopathy whether they happen to die or not, and it’s not an “accidental death” when it does turn out that way. Also that’s not what distinguishes one from the crime of manslaughter either. There is a reason lawyers exist to do that job, instead of entirely laypersons.

                1. nope

                  It’s called Mens Rea. State of mind. Intention matters a great deal in court.
                  That’s why premeditated murder is different from crimes of passion where the intention to kill happened in the moment.

                  It can still be murder even if unintentional yes. But it’s in the case of swatting, the prosecution must prove intention to have the victim killed. That’s a tough sell and a stretch, considering most swat altercations don’t end in death, and the swatter cannot reasonable control the situation.

                  Ask yourself a simple question why aren’t persecutors pursuing murder charges? Or even misdemeanors?

                2. The Sunshine State

                  Maybe you mean ” ant-social personality disorder ” for example Charles Mansion.

                  A lot of these young black hat , hacker guys are narcissistic at best.

              2. nope

                One does not preclude the other either. GI-GO on that definition.

        2. Steve C#

          Psychopathy is a neuropsychiatric disorder marked by deficient emotional responses, lack of empathy, and poor behavioral controls, commonly resulting in persistent antisocial deviance and criminal behavior.

          It does not have to involve murder.

          1. John C++

            And not all criminal behavior is pathological.

            There’s a clear profit motivation that doesn’t fit into the narrative of “he’s a psychopath”.
            He could just be a greedy a-hole, like so many other criminals.

            1. basic

              “A profit motivation” doesn’t preclude psychopathy, obviously. “Greedy aholes” are by definition trending towards sociopathy or they wouldn’t be accurately described that way, it’s baked in to some degree. Disregard for others, check.

              Swatting is a psychopathic/sociopathic means to any motivation.

              1. basic

                Sounds like you’re suggesting that all criminals are psycho or on a slippery slope.

                Disregard for other humans isn’t criminal, and it’s rarely punished. Many people are scofflaws, but that doesn’t make them psychopaths. And judging people as such sounds more like you need them to be psychopaths in order for you to make sense of the world.

                1. basic

                  Lot of people are accusing those who refuse to wear a mask as being disregarding of other peoples health and safety. Would you call them psychopaths?

                2. nope

                  “Gregory” is at it again with the self-chat.

  4. RFuller

    They are letting these people off way to easy. Should be a mandatory minimum 5 years (10 years if any violent intent was present) and potentially longer. If this kid is out in 3 years, he’ll just go back to making the easy money.

    1. ManonFire

      RFuller Nailed it. Send these douchebags away for 10 years of HARD time and the message will get out

    2. JamminJ

      Long prison sentences don’t work all that well as a deterrent, especially when the chance of getting caught is pretty low.

      1. JamminJ

        It’s hard for a rational, law abiding citizen, to understand the mind of a criminal. It seems intuitive that tougher punishments translate equally to less crime.
        But that’s not the reality.

        Especially in cyberspace, where crimes are committed routinely and the chance of getting caught, arrested, charged, and convicted, Is exceedingly rare.

        For a deterrent to work, the criminal must believe in a reasonable chance of getting caught. Listen to his own words, he legitimately thought there was no chance.

        These criminals are not scared of hypothetical and mandatory minimum sentencing. Because they know so many other people who have been doing the same crime for years and aren’t getting caught at all.

        Plus, it’s not like these guys are reading court proceedings or sentencing. Maybe if it makes headlines. In their siloed underground cyber world, the only message they are getting is that crime does pay and hardly anyone ever gets caught. And they don’t care if that one in a million guy who got caught, gets the death penalty.

      2. when keepin real goes wrong

        double tap would work too.. just sayin

    3. Mubix

      Long prison sentences don’t work all that well as a deterrent, when the chance of getting caught is pretty low.

      It’s hard for a rational, law abiding citizen, to understand the mind of a criminal. It seems intuitive that tougher punishments translate equally to less crime.
      But that’s not the reality.

    4. JamminJ

      It’s hard for a rational, law abiding citizen, to understand the mind of a criminal. It seems intuitive that tougher punishments translate equally to less crime. But that’s not the reality. Especially in cyberspace, where crimes are committed routinely and the chance of getting caught, arrested, charged, and convicted, Is exceedingly rare. For a deterrent to work, the criminal must believe in a reasonable chance of getting caught. Listen to his own words, he legitimately thought there was no chance. These criminals are not scared of hypothetical and mandatory minimum sentencing. Because they know so many other people who have been doing the same crime for years and aren’t getting caught at all. Plus, it’s not like these guys are reading court proceedings or sentencing. Maybe if it makes headlines. In their siloed underground cyber world, the only message they are getting is that crime does pay and hardly anyone ever gets caught. And they don’t care if that one in a million guy who got caught, gets the death penalty.

  5. example

    “I don’t care,” O’Connor told The Times. “They can come arrest me. I would laugh at them. I haven’t done anything.”

    “Speaking with KrebsOnSecurity via Instagram instant message just days after the Twitter hack, O’Connor demanded that his name be kept out of future blog posts here. After he was told that couldn’t be promised, he mentioned that some people in his circle of friends had been known to hire others to deliver physical beatings on people they didn’t like.”

    Shame that the victims don’t have the opportunity to deliver said “beatings” that his bragged associates deliver.

  6. R. Adj

    Norton 360 requires two-factor ID to access your account with them. If you lose your phone number, they offer no alternative to get in.Of all people, you would think that the people at Norton (Symantec) would be smarter about this.

    1. SeymourB

      Symantec has been broken up and sold and resold so often over the past few years, I don’t even know what corporation bought their security division. In theory this isn’t entirely bad because Symantec at the end was creating bloated monstrous products of questionable security & stability, but everything I’ve read about their recent Norton products has not filled me with the sense that they’ve turned a corner for the better.

  7. P.D.

    OK, now he’s been indicted.

    How long until we get our hands on this little creep? Is he in the US? Do we have to have a foreign arrest and extradite?

  8. P.D.

    -Disregard above. Too many article, tired eyes.

  9. ReadandShare

    Only 23 years old. A pity that some people can only learn the hard way!

  10. JamminJ

    Instead of focusing on the deterrence of long prison sentences (which criminals don’t care about when they think there’s no chance of getting caught).

    The root cause must be addressed. Police departments must be accountable for any and all damages that result in a SWAT raid.
    From even the most minor of damages to a door, to mental anguish for innocent swatting victims, to pain and suffering, to injury and death expenses.

    When police departments can get sued for negligence… they will pay more attention to their emergency response process to ensure they validate anonymous tips BEFORE sending in the SWAT team.

    But as it stands today, “qualified immunity” laws and other roadblocks prevent the kind of accountability that would truly prevent these tragedies.

    1. Nope

      “The root cause must be addressed. Police departments must be accountable for any and all damages that result in a SWAT raid.”

      This is nonsense on multiple levels. It isn’t a simple qualified immunity issue. The criminals were caught here. They are the root cause, means undeterminant.

      1. nope

        How is it nonsense?
        Deterrents work on belief.
        Yeah this one swatter got caught, but he’s the exception and they know it.

        What about deterrence for police? They have no deterrence to their actions. No incentive to bother checking if the 911 call was real

      2. nuh uh

        How is it nonsense? Deterrents works on belief. This one guy got caught because he slipped up. He’s the exception and they know it. And what about deterrence for the cops actions? They have no incentive to check that the 911 call is real.

  11. Alfonso

    Great work >>>>as always. May I interest you in something along your specialty?
    Let me know.
    Regards,
    Alfonso

  12. DrunkGirl

    For years, probably as far back as 2004, Paypal had a real physical security keyfob that worked perfectly. I never logged into my account without first using the keyfob and I was super disappointed when they discontinued this option.

    1. JamminJ

      Was it an RSA fob? If so, might have been due to their own major breach and loss of seed files that compromised a bunch of those key fobs.

  13. The cyber post

    Crazy the amount of mayhem these kids cause at the peril of others….it’s actuslly quite sad. They are all probably very smart but can’t use those skills for a greater good.

    It would be awesome if you did a weekly podcast Brian.

  14. Chris Pugson

    I’m British. Put “PlugwalkJoe” behind bars for a very long time. He brings shame on us.

  15. Ice Burge

    Greetings my Krebs.

    Joe had little impact on Twitter hack. Although I can attest he is indeed guilty of the crimes laid out in the indictment, among many many many more. If you were to convict Joe on the crimes he has committed over the years, he would definitely receive a life-sentence.
    Main persons involved were Promo and Scrim. In fact I find it amusing how easily “Promo” aka Dario Karpenko has gotten off by throwing his “Big Homie” Graham Clark (Scrim) under the bus despite Clarks activities with Twitter CMS being entirely to sell the OG usernames. Promo is not some kind of naïve or misguided youth, only a year younger than Scrim. He is the one who sent these scam tweets. I am sure FBI knows all of this, so why is Karpenko not receiving his earned judicial treatment?
    Others such as Voku, Waifu, Seth and any other aliases you might hear of regarding this incident are mostly just of the same circle, and to my first-hand accounts of these events; are not involved.

    To assume that Joe had any kind of involvement apart from his typical compulsive lying to impress undesirable teenage girls on Discord app is to not really understand the English-speaking “cybercrime” scene.
    Joe was a useless loser. Most of his money was extorted from Corey De’Rose associate in the Josh Jones (BlueHost CEO and billionaire) hack. In fact, Josh Jones should be happy to know that Joe kept his stolen crypto safe, hopefully he is aware of this and will receive his coins back.

    This English-speaking criminal scene has many elements, from old forums like darkode to the present on.. Discord app. You can build a relationship map of these individuals and see, things are quite connected knowingly and unknowingly by those participating in these circles. The English speaking cyber criminals have always been technologically behind their eastern counterparts, but that gap is widening. As security continues to evolve, the English speaking criminals stagnate and devolve and the eastern criminals evolve at unprecedented rates. All the FBI and DHS need to do in order to carve out 80% of English-speaking cyber-criminals is step up their game in digging through the past 5 years of data on Discord app. Why don’t they? It’s their country, so their servers. All sovereign Government’s have mandate to do as it pleases in matters of national-security.

    My comment has no impact or interference with the FBI’s investigation. Ironically, the FBI themselves are preventing these youth offenders from facing justice. Trading the real mastermind (Karpenko) for testimony and evidence to imprison an individual of lesser importance (Clark). And why is that? Oh, because Karpenko was a year younger.

    There is much to say, but this is all I have time for.

  16. Cat

    I agree with the discord statement but honestly my tech security knowledge is more at the inquisitive level than actually having any real knowledge so my question is a real one. What about a pager for your 2FA? Would that work? I think I saw monthly prices on then within the past few years of 15$ if I remember correctly. It’s just a thought but I’m not sure of the difference in technology.

Comments are closed.