Hacker ‘PlugwalkJoe’ pleads guilty to 2020 Twitter breach

Joseph James O'Connor, aka 'PlugwalkJoke,' has pleaded guilty to multiple cybercrime offenses, including SIM swapping attacks, cyberstalking, computer hacking, and hijacking high-profile accounts on Twitter and TikTok.

The hacker was previously indicted by the U.S. Department of Justice in November 2021, accused of stealing $784,000 worth of cryptocurrency via SIM swap attacks.

O'Connor, a U.K. citizen, was eventually extradited to the United States from Spain on April 26th, 2023, and the Southern District Court of New York now handles the case.

A long string of attacks

Court documents indicate that O'Connor and his co-conspirators engaged in SIM swaps between March 2019 and August 2020, porting the phone numbers of their victims on SIM cards under their control.

Among the targets of these attacks were three company executives who held significant amounts of digital assets and whose accounts were protected by SMS-based two-factor authentication.

The attackers managed to steal $794,000 worth of cryptocurrency from the victims, bypassing the 2FA protection by using a SIM swap attack to send one-time codes to their own devices and then laundering the amounts on various Bitcoin mixers.

O'Connor admitted his role in the hack that impacted Twitter in June 2020, where he and his three co-conspirators gained access to the accounts of high-profile individuals such as Barack Obama, Joe Biden, Elon Musk, Bill Gates, Jeff Bezos, Warren Buffet, Binance, Apple, Uber, and Bitcoin.

Some of these accounts were used to conduct a cryptocurrency giveaway scam, allowing attackers to steal approximately $105,000.

The hackers used social engineering to obtain access to internal administrative tools used by Twitter employees and then transferred control of the target accounts to unauthorized users.

In August 2020, the hacker employed SIM swapping to hijack a TikTok account belonging to a public figure with millions of followers and abused it for self-promotion.

The hacker further threatened the victimized account owner that he would release sensitive personal data on a Discord server.

The U.S. Department of Justice announcement mentions that the defendant started his social media hacking spree in June 2019 by obtaining unauthorized access to a Snapchat account, stealing sensitive data, and then blackmailing the account owner.

"O'Connor used his sophisticated technological abilities for malicious purposes – conducting a complex SIM swap attack to steal large amounts of cryptocurrency, hacking Twitter, conducting computer intrusions to take over social media accounts, and even cyberstalking two victims, including a minor victim," said U.S. Attorney Damian Williams for the Southern District of New York.

O'Connor is scheduled to be sentenced on June 23rd, 2023, and his multiple charges can incur a maximum penalty of 20 years in prison.

The defendant has agreed to forfeit the amount of $794,012.64, which will be used as restitution to victims of his cybercrimes.