Joseph James O'Connor -- also known as "PlugwalkJoe" -- technically faces up to 77 years in prison under federal sentencing guidelines but will likely get somewhere between 10 to 20 years when all is said and done.
The Liverpudlian hacker admitted during a plea hearing in federal court in Manhattan on Tuesday, May 9, that he committed one of the largest high-profile breaches in social media history.
O'Connor, who was extradited to the U.S. from Spain last month following his arrest last July, also agreed to forfeit $794,012.64 that he stole from a Manhattan-based cryptocurrency company, and to pay restitution to individual victims of his crimes.
The pleas are part of a deal that O'Connor hopes gets him leniency when he's sentenced on June 23.
According to Damian Williams, the U.S. Attorney for the Southern District of New York, O'Connor executed a complex SIM swap attack to steal the cryptocurrency from a city-based company.
That wasn't all, federal authorities said: O'Connor hacked the TikTok account of a high-profile public figure and orchestrated a series of "swatting" attacks on a juvenile.
Calling an unidentified local police department, O'Connor falsely claimed that the minor at a specific address was threatening to shoot people.
He then called the same department, gave the same address again, but this time said that he was planning to kill people there. An all-out law enforcement response to that neighborhood followed.
"O’Connor sent other swatting messages that same day to a high school, a restaurant, and a sheriff’s department in the same area," the U.S. Justice Department reported in a release that followed Tuesday's plea.
The following month, O'Connor called multiple members of the juvenile's family and threatened to kill them, the release says.
“O’Connor’s criminal activities were flagrant and malicious, and his conduct impacted multiple people’s lives," said Assistant U.S. Attorney General Kenneth A. Polite, Jr. "He harassed, threatened, and extorted his victims, causing substantial emotional harm."
O'Connor and three alleged accomplices "used social engineering techniques to obtain unauthorized access to administrative tools used by Twitter to maintain its operations" in July 2020, according to the federal release.
They then removed the two-step security verification system, changed the email addresses on the accounts to their own and did a password reset, federal authorities said.
O'Connor and the three co-defendants -- identified as a fellow Brit, Mason Sheppard, and two Americans, Graham Ivan Clark and Nima Fazeli -- then tweeted messages on the verified accounts promising to double the money of any followers who sent $1,000 in bitcoin to a specific online location with 30 minutes, federal authorities said.
Innocent victims lost an estimated $180,000, they said.
In some cases, the Justice Department said, hackers "were able to use the tools to transfer control of certain Twitter accounts from their rightful owners to various unauthorized users.
"In some instances, the co-conspirators took control themselves and used that control to launch a scheme to defraud other Twitter users," the release says. "In other instances, the co-conspirators sold access to Twitter accounts to others.
"O’Connor communicated with others regarding purchasing unauthorized access to a variety of Twitter accounts, including accounts associated with public figures around the world," the Justice Department wrote. "A number of Twitter accounts targeted by O’Connor were subsequently transferred away from their rightful owners."
All told,130 accounts had been hacked, Twitter reported after shutting down the scam, deleting the posts and denying access to a huge number of users.
Federal authorities said O'Connor also accessed a "highly visible" TikTok account in August 2020 associated with "a public figure with millions of followers" whom they wouldn't identify. He then posted self-promoting messages, including one in which his voice is recognizable from the video, they said.
O’Connor also publicly warned on the account that he would "release sensitive, personal material related to [that unidentified person] to individuals who joined a specified Discord server," the Justice Department wrote.
A similar crime was committed against another unidentified public figure on Snapchat whom O'Connor and his confederates tried to extort with private images and other sensitive material they'd obtained, the release adds.
Altogether, O'Connor pleaded guilty to:
- computer intrusion (two counts);
- conspiracy to commit computer intrusion (two counts);
- conspiracy to commit wire fraud;
- conspiracy to commit money laundering;
- making extortive communications;
- making threatening communications;
- stalking.
The maximum prison term under federal sentencing guidelines ranges from 5 to 20 years for each conviction if served consecutively. They'll likely be bundled together into a single sentence, however.
Just about all of the eventual time will have to be served because there's no parole in the federal prison system.
Click here to follow Daily Voice Hamilton Township and receive free news updates.