Joseph James “PlugwalkJoe” O’Connor, a 24-year-old from the United Kingdom, has been sentenced to five years in a U.S. prison. O’Connor gained notoriety for his involvement in the July 2020 hack of Twitter, where several high-profile accounts were compromised and used to promote a bitcoin scam. However, O’Connor’s crimes extended beyond the Twitter hack, as he also pleaded guilty in a separate investigation involving cyberstalking and cryptocurrency theft facilitated by SIM swapping.
SIM swapping is a technique used by fraudsters to trick mobile providers into redirecting a victim’s phone calls and text messages to a device under their control. This enables them to gain unauthorized access to the victim’s online accounts, reset passwords, and intercept one-time passwords used for multi-factor authentication.
In July 2020, KrebsOnSecurity, a cybersecurity news website, observed that several social media accounts linked to O’Connor appeared to have insider knowledge of the Twitter hack. At the time, O’Connor was stuck in Spain due to COVID-19 lockdowns. He denied any involvement in the hack but made concerning statements about people in his circle hiring individuals to physically harm others.
A year later, O’Connor was charged in the Northern District of California with conspiracy to hack Twitter. Prosecutors in the Southern District of New York also charged him with several cyber offenses, including online extortion, cyberstalking, and cryptocurrency theft amounting to nearly $800,000. After his extradition from Spain, O’Connor pleaded guilty to all ten charges in both California and New York.
In his guilty pleas, O’Connor admitted to conducting SIM swapping attacks to take control of financial accounts belonging to cryptocurrency executives in May 2019. He also confessed to stealing digital currency valued at over $1.6 million. Additionally, O’Connor acknowledged swatting and cyberstalking a 16-year-old girl, involving sending her explicit photos and making threats against her and her family.
On June 23, 2023, O’Connor was sentenced to five years in prison. In addition to his prison term, he will serve three years of supervised release and must pay $794,012.64 in forfeiture.
It is important to note that the Twitter hack did not involve SIM swapping. Rather, the perpetrators were able to trick a Twitter employee over the phone into granting access to internal tools. Three other individuals were charged alongside O’Connor in the Twitter compromise, with Graham Ivan Clarke, the alleged mastermind, pleading guilty and agreeing to three years in prison.
This case highlights the need to minimize reliance on mobile phone companies for securing online identities. Users should consider reducing the number of ways their digital lives can be disrupted if their mobile phone numbers are hijacked. This can be achieved by removing phone numbers from online services that allow it or disabling SMS/phone calls for account recovery. Instead, users should opt for more secure multi-factor authentication options, such as app-based one-time passwords and security keys.
As an additional resource, individuals can refer to 2fa.directory, a website that provides a list of multi-factor authentication options available across various popular sites and services.
Overall, Joseph James O’Connor’s sentencing serves as a reminder of the serious consequences that can result from engaging in cybercrimes, especially when they involve activities like SIM swapping, cyberstalking, and cryptocurrency theft. These acts not only cause financial harm but also violate individuals’ privacy and security, highlighting the importance of robust online security measures.