"PlugwalkJoe" admits guilt in notorious Twitter Bitcoin scam

Joseph James O'Connor, the UK man behind hacks, was extradited to the US from Spain

Joseph James O'Connor, infamously known in cyberspace as “PlugwalkJoe,” has confessed to a series of high-profile cyber attacks from March 2019 to August 2020. The U.K. citizen was involved in an array of cybercrimes, including SIM swapping attacks, cyberstalking, and infiltrating influential Twitter and TikTok accounts.^[1]

Previously indicted by the U.S. Department of Justice in November 2021, O'Connor was accused of pilfering cryptocurrency valued at $784,000 through SIM swap attacks. In such attacks, the phone numbers of victims are transferred onto SIM cards controlled by the attackers, thereby bypassing SMS-based two-factor authentication (2FA) and gaining unauthorized access to digital assets.

After being extradited to the United States from Spain on April 26, 2023, O'Connor is now facing charges in the Southern District Court of New York.^[2] His admission of guilt has cast a spotlight on the pervasive threat of cybercrime and the vulnerabilities of even the most secure digital platforms.

Hacked accounts of Elon Musk, Joe Biden, Bill Gates, and many other prominent people

In the wake of the admission, O'Connor's role in the notorious Twitter hack of June 2020^[3] has been brought to the fore. Alongside three co-conspirators, he breached the accounts of several high-profile individuals, including Barack Obama, Joe Biden, Elon Musk,^[4] Bill Gates, and more. These accounts were subsequently manipulated to conduct a cryptocurrency giveaway scam, defrauding unsuspecting users of approximately $105,000.

The unauthorized access to these accounts required clever social engineering to secure internal administrative tools used by Twitter employees. Once access was obtained, control of the accounts was transferred to unauthorized users. The audacious breach demonstrated the potential vulnerabilities in the security measures of major social media platforms, raising questions about the adequacy of existing safeguards.

In August 2020, the plot thickened when O'Connor also used SIM swapping to commandeer a TikTok account belonging to a public figure with millions of followers. He used the account for self-promotion, leveraging the account's extensive reach for his gain, and also threatened to release sensitive personal data.

The implications of PlugwalkJoe's guilty plea

O'Connor's admission of guilt has underscored the dangers of cybercrime and drawn attention to the vulnerabilities in the security systems of major social media platforms. Cybersecurity experts have postulated that the ramifications of such a breach could have been even more severe if the hackers had more sophisticated or destructive plans than a simple Bitcoin scam.

The implications of this case reach beyond the immediate victims. It has shaken the confidence of millions of users in the security of their digital assets and personal information. The breach and subsequent admission have underscored the need for robust security measures and vigilant personal practices to safeguard against such illicit activities.

The admission also spotlights the perils of cybercrime, with U.S. Attorney Damian Williams for the Southern District of New York stating:^[5]

O'Connor used his sophisticated technological abilities for malicious purposes – conducting a complex SIM swap attack to steal large amounts of cryptocurrency, hacking Twitter, conducting computer intrusions to take over social media accounts, and even cyberstalking two victims, including a minor victim.

As O'Connor awaits his sentence, scheduled for June 23rd, 2023, he faces a maximum penalty of 20 years in prison. Apart from potential jail time, O'Connor has agreed to forfeit the amount of $794,012.64, which will serve as restitution to his victims.

The case of “PlugwalkJoe” serves as a stark reminder of the real and present danger of cybercrime. It emphasizes the urgent need for reinforced digital security, stringent law enforcement, and increased user vigilance in protecting digital assets.