Joseph James “PlugwalkJoe” O’Connor, a 24-year-old from the United Kingdom who earned his 15 minutes of fame by participating in the July 2020 hack of Twitter, has been sentenced to five years in a U.S. prison. That may seem like harsh punishment for a brief and very public cyber joy ride. But O’Connor also pleaded guilty in a separate investigation involving a years-long spree of cyberstalking and cryptocurrency theft enabled by “SIM swapping,” a crime wherein fraudsters trick a mobile provider into diverting a customer’s phone calls and text messages to a device they control.
On July 16, 2020 — the day after some of Twitter’s most recognizable and popular users had their accounts hacked and used to tweet out a bitcoin scam — KrebsOnSecurity observed that several social media accounts tied to O’Connor appeared to have inside knowledge of the intrusion. That story also noted that thanks to COVID-19 lockdowns at the time, O’Connor was stuck on an indefinite vacation at a popular resort in Spain.
Not long after the Twitter hack, O’Connor was quoted in The New York Times denying any involvement. “I don’t care,” O’Connor told The Times. “They can come arrest me. I would laugh at them. I haven’t done anything.”
Speaking with KrebsOnSecurity via Instagram instant message just days after the Twitter hack, PlugwalkJoe demanded that his real name be kept out of future blog posts here. After he was told that couldn’t be promised, he remarked that some people in his circle of friends had been known to hire others to deliver physical beatings on people they didn’t like.
O’Connor was still in Spain a year later when prosecutors in the Northern District of California charged him with conspiring to hack Twitter. At the same time, prosecutors in the Southern District of New York charged O’Connor with an impressive array of cyber offenses involving the exploitation of social media accounts, online extortion, cyberstalking, and the theft of cryptocurrency then valued at nearly USD $800,000.
In late April 2023, O’Connor was extradited from Spain to face charges in the United States. Two weeks later, he entered guilty pleas in both California and New York, admitting to all ten criminal charges levied against him. On June 23, O’Connor was sentenced to five years in prison.
PlugwalkJoe was part of a community that specialized in SIM-swapping victims to take over their online identities. Unauthorized SIM swapping is a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the target’s text messages and phone calls to a device they control.
From there, the attackers can reset the password for any of the victim’s online accounts that allow password resets via SMS. SIM swapping also lets attackers intercept one-time passwords needed for SMS-based multi-factor authentication (MFA).
O’Connor admitted to conducting SIM swapping attacks to take control over financial accounts tied to several cryptocurrency executives in May 2019, and to stealing digital currency currently valued at more than $1.6 million.
PlugwalkJoe also copped to SIM-swapping his way into the Snapchat accounts of several female celebrities and threatening to release nude photos found on their phones.
Victims who refused to give up social media accounts or submit to extortion demands were often visited with “swatting attacks,” wherein O’Connor and others would falsely report a shooting or hostage situation in the hopes of tricking police into visiting potentially lethal force on a target’s address.
Prosecutors said O’Connor even swatted and cyberstalked a 16-year-old girl, sending her nude photos and threatening to rape and/or murder her and her family.
In the case of the Twitter hack, O’Connor pleaded guilty to conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and conspiracy to commit money laundering.
To resolve the case against him in New York, O’Connor pleaded guilty to conspiracy to commit computer intrusion, two counts of committing computer intrusions, making extortive communications, two counts of stalking, and making threatening communications.
In addition to the prison term, O’Connor was sentenced to three years of supervised release, and ordered to pay $794,012.64 in forfeiture.
To be clear, the Twitter hack of July 2020 did not involve SIM-swapping. Rather, Twitter said the intruders tricked a Twitter employee over the phone into providing access to internal tools.
Three others were charged along with O’Connor in the Twitter compromise. The alleged mastermind of the hack, then 17-year-old Graham Ivan Clarke from Tampa, Fla., pleaded guilty in 2021 and agreed to serve three years in prison, followed by three years probation.
This story is a good reminder about the need to minimize your reliance on the mobile phone companies for securing your online identity. This means reducing the number of ways your life could be turned upside down if someone were to hijack your mobile phone number.
Most online services require users to validate a mobile phone number as part of setting up an account, but some services will let you remove your phone number after the fact. Those services that do let you remove your phone number or disable SMS/phone calls for account recovery probably also offer more secure multi-factor authentication options, such as app-based one-time passwords and security keys. Check out 2fa.directory for a list of multi-factor options available across hundreds of popular sites and services.
He seems nice.
I have read about people starting to use Google Voice for their telephone calls without having any kind of cell phone access. So, no SIM cards to be hacked. With good, long passphrases, it should be quite difficult for anyone to take over the number. Of course, you have to have wifi to actually place or receive a call.
Or use Skype.
“Because nobody has ever successfully compromised Skype. Pretty sure…”
I read that on the internet somewhere, so it’s most likely true.
Can Google be trusted? Asks the guy who uses a Chromebook.
I’ve seen the argument that using Google Voice for a company could be a big issue. The argument was that Google seems to try something and then, after they tire of it, they just drop it. For a business, you wouldn’t want your telephone communications to depend on Google not suddenly dropping the service.
For personal communications, it probably isn’t quite as big an issue. If I lost my phone number and needed to get a new one, I’d probably consider it a plus because far too many people know the number I have now.
… who uses the _now_ non-functional Chromebook as a doorstop.
FTFY
No it works quite well, thanks.
I have several clients who use Chromebooks. All completely functional, thank you.
If the bad actor compromises your Google account, now they’d have access to your email and phone.
I always wonder in cases like this what his parents have to say about all of this? Do they care? Are they criminals also?
I check out 2fa.directory periodically. Although there are a few banks which use hardware or software tokens, some are only through their own mobile app, or single vendor proprietary tokens, or they are not general consumer banks. So for my banking needs and my avoidance of mobile apps and my preference of using U2F tokens, there are no banks on the list.
It is a shame that non-financial online services provide higher levels of secure authentication than banks. In my experience the preference is to prefer SMS and only from mobile providers so they are setting up their customers to be potential SIM swap victims.
There is also the issue of being in an area where there is no phone service when trying to authenticate online.
This has been my experience too.
I can’t even set up my mobile number as a profile contact to receive regular notifications, as they auto enroll the number into the 2FA system. I have to give them a landline that doesn’t receive SMS.
There may be no banks, but there are a couple of services that can function as banks with deposit insurance and which have 2FA:
* PayPal Savings [1] has FDIC
* Wealthsimple Cash and Save accounts [2] have CDIC
[1] https://www.paypal.com/us/cshelp/article/paypal-savings-faqs-HELP777#:~:text=Is%20PayPal%20Savings%20FDIC%20Insured,coverage%20up%20to%20%24250%2C000.00%20USD.
[2] https://help.wealthsimple.com/hc/en-ca/articles/360056590614
“PlugwalkJoe demanded that his real name be kept out of future blog posts here.”
-Oh my, we’ll be sure to get right on that Joseph James “PerpwalkJoke” O’Connor.
Hopefully in 5 years you’ll have grown so you can laugh about yourself a bit,
or whatever, spend the 5 years working out so you can beat up wikipedia.
““They can come arrest me. I would laugh at them. I haven’t done anything.””
Sounds like this O’Connor guy is truly a narcissistic person.
https://nakedsecurity.sophos.com/2023/06/26/uk-hacker-busted-in-spain-gets-5-years-over-twitter-hack-and-more/
Absolutely disgusting he only got 5 years. “O’Connor even swatted and cyberstalked a 16-year-old girl, sending her nude photos and threatening to rape and/or murder her and her family.” There is no legal justice in this country. He will walk out of jail just as wealthy and abusive as the day he went in. I hope he doesn’t make it out alive.
No Club Fed for Joe. He needs to do 5 long in Gen Pop in medium security, at least. Oh, and welcome to the US.
Pardon my French but what a piece of sh*t. He’s got serious problems he needs to work through in prison.
I’ve followed your advice and purchased myself some physical keys a few months ago. I really like them, just wish more services supported those.
5 years is not enough, the swatting of an underage girl and threatening murder and rape is not simply “hacking.” Hoping he ends up in a jail with gang bangers.
Lol RIP hvhGod joe, 2017-2020 hvh scene bred some of the most toxic simswappers and all these kids were below 18. Kinda what we’re seeing with Minecraft scene and raid forums.
With that I mean, 2015s kids are on a whole other level than simswaps.
I would think this thug is at the beginning of his trial experiences, vice the end.
He got his training and initial “batting practice”, shaking down his fellow Brits. Is there no evidence of his connection to electronic crimes in the UK? Was this 16 y.o. girl a Brit or US?
Does this thug also play basketball?
If so, why not trade him for that other long time hacker/thug posing as journalist, Mr. Julian Assange?
I try to use my Google Voice everywhere. Sadly, some places like my frigging bank refuse to let me use it.