Decrypted: How a teenager hacked Twitter, Garmin’s ransomware aftermath


Image Credits: Treedeo (opens in a new window) / Getty Images

A 17-year-old Florida teenager is accused of perpetrating one of the year’s biggest and most high-profile hacks: Twitter.

A federal 30-count indictment filed in Tampa said Graham Ivan Clark used a phone spearphishing attack to pivot through multiple layers of Twitter’s security and bypassed its two-factor authentication to gain access to an internal “admin” tool that let the hacker take over any account. With two accomplices named in a separate federal indictment, Clark — who went by the online handle “Kirk” — allegedly used the tool to hijack the accounts of dozens of celebrities and public figures, including Bill Gates, Elon Musk and former president Barack Obama, to post a cryptocurrency scam netting over $100,000 in bitcoin in just a few hours.

It was, by all accounts, a sophisticated attack that required technical skills and an ability to trick and deceive to pull off the scam. Some security professionals were impressed, comparing the attack to one that had the finesse and professionalism of a well-resourced nation-state attacker.

But a profile in The New York Times describes Clark was an “adept scammer with an explosive temper.”

In the teenager’s defense, the attack could have been much worse. Instead of pushing a scam that promised to “double your money,” Clark and his compatriots could have wreaked havoc. In 2013, hackers hijacked the Associated Press’ Twitter account and tweeted a fake bomb attack on the White House, sending the markets plummeting — only to quickly recover after the all-clear was given.

But with control of some of the world’s most popular Twitter accounts, Clark was for a few hours in July one of the most powerful people in the world. If found guilty, the teenager could spend his better years behind bars.

Here’s more from the past week.


Garmin hobbles back after ransomware attack, but questions remain

After reporting an “outage” for the best part of a week, Garmin eventually admitted it had been hit by a ransomware attack. Reporting had already confirmed the attack. Garmin’s internet services eventually got back on their feet after the five-day outage, but users were still livid at the lack of communication.

But how Garmin got its systems back remains a mystery — one that could be probed by federal investigators.

Garmin’s online services were down for five days following a ransomware attack. (Image: TechCrunch)

Reports confirmed the file-encrypting malware used in the attack was WastedLocker, a ransomware with ties to Russian hacking group Evil Corp. But here’s the tricky bit: Last year, the U.S. Treasury indicted its alleged head and imposed sanctions on the group, effectively making it illegal for any company infected by an Evil Corp ransomware attack to pay the ransom — even if they wanted to.

One news report said Garmin obtained the decryption key, perhaps through an intermediary. That ties in with what one source told TechCrunch prior to the company’s recovery. Garmin didn’t comment beyond its statement. But no doubt, the government will want to know how Garmin got its systems back.

Dragnet location warrants are on the rise, as is the scrutiny

An increasingly popular way for law enforcement to home in on criminal suspects using their location data is set to face scrutiny for the first time.

Say police are looking for a criminal suspect in a particular area at a certain time and day. Police can use these so-called “reverse-location” warrants to demand companies that collect tons of location data, like Google and Facebook, to turn over data on anyone who was nearby at the time. That arguably helps to narrow the search for their suspect, assuming they weren’t smart enough to leave their phone at home.

A reverse-location data warrant. (Image: TechCrunch)

But these warrants are executed often at the expense of invading the privacy of innocent people caught up in the data dragnet. In some cases, this can involve hundreds — or even thousands of phones. Police are using these warrants more frequently: The Wall Street Journal reports that these warrant demands spiked 1,500% between 2017 and 2018, and another 500% from 2018 to 2019.

Privacy advocates have long questioned the validity of these warrants, but now two criminal defendants in Virginia and San Francisco are challenging the legal basis behind reverse-location warrants and New York lawmakers are pushing to end the practice. Could reverse-location warrants soon be a thing of the past?


Last week saw the heads of Apple, Amazon, Facebook and Google defend their dominant market positions by claiming that, for the most part, everything was fine and that they aren’t too big or powerful.

It wasn’t an argument that convinced one Democratic lawmaker, who honed in on Google’s Sundar Pichai, taking issue with how the company reneged on a promise not to merge its massive bank of advertising data it obtained through its 2007 acquisition of DoubleClick with Google’s own account data. A decade later, in 2016, Google merged its ad data with user account data — a move likely authorized by Pichai himself.

Rep. Val Demings slammed Google for “effectively destroying anonymity on the internet.” Demings blasted the move to combine users’ search and browsing history with location data and information from Gmail inboxes as “absolutely staggering.”

Demings was one of several lawmakers grilling the tech giants as part of the House’s investigation into possible violations of antitrust law. Privacy and security were big talking points during the hearings.

Google’s Sundar Pichai grilled over ‘destroying anonymity on the internet’


And before we sign off, here’s a quick look at the security startup world over the past week.

Cybersecurity training provider Offensive Security has acquired VulnHub, an open-source catalog of technology that’s legally breakable and hackable, allowing hackers and security researchers to get safe, hands-on experience with penetration testing. OffSec also provides a number of open-source tools, like Kali Linux, a distribution of Linux designed for helping ethical hackers run penetration tests; and Exploit-DB, a massive repository of known exploits that are popular with security professionals.

Stack Overflow, a forum and community for developers, has raised $85 million in its latest Series E round, announced at the end of July. The round was led by Singapore-based global investment firm GIC and had participation from Andreessen Horowitz, Index Ventures and others.

Ermetic, a cloud security startup, snapped up $17 million in its Series A, led by Accel and others. Ermetic helps companies that rely on cloud infrastructure, like Amazon Web Services, Google Cloud and Microsoft Azure, enforce tighter and stricter permissions, reducing the risk of data breaches or exposures — at least, in theory.

And, we wrote about Butlr last week, a home and retail automation startup that makes privacy-friendly sensors that pivoted during the pandemic to help stores reopen while complying with maximum occupancy rules and queue management. The aim is to help prevent the spread of coronavirus. But because the sensors only detect body heat, they can’t tell who you are — only where you are. You can read our story here.

This startup reworked its privacy-friendly sensors to help battle COVID-19

Send tips securely over Signal and WhatsApp to +1 646-755-8849.

More TechCrunch

Welcome back to TechCrunch’s Week in Review. This week had two major events from OpenAI and Google. OpenAI’s spring update event saw the reveal of its new model, GPT-4o, which…

OpenAI and Google lay out their competing AI visions

Expedia says Rathi Murthy and Sreenivas Rachamadugu, respectively its CTO and senior vice president of core services product & engineering, are no longer employed at the travel booking company. In…

Expedia says two execs dismissed after ‘violation of company policy’

When Jeffrey Wang posted to X asking if anyone wanted to go in on an order of fancy-but-affordable office nap pods, he didn’t expect the post to go viral.

With AI startups booming, nap pods and Silicon Valley hustle culture are back

OpenAI’s Superalignment team, responsible for developing ways to govern and steer “superintelligent” AI systems, was promised 20% of the company’s compute resources, according to a person from that team. But…

OpenAI created a team to control ‘superintelligent’ AI — then let it wither, source says

A new crop of early-stage startups — along with some recent VC investments — illustrates a niche emerging in the autonomous vehicle technology sector. Unlike the companies bringing robotaxis to…

VCs and the military are fueling self-driving startups that don’t need roads

When the founders of Sagetap, Sahil Khanna and Kevin Hughes, started working at early-stage enterprise software startups, they were surprised to find that the companies they worked at were trying…

Deal Dive: Sagetap looks to bring enterprise software sales into the 21st century

Keeping up with an industry as fast-moving as AI is a tall order. So until an AI can do it for you, here’s a handy roundup of recent stories in the world…

This Week in AI: OpenAI moves away from safety

After Apple loosened its App Store guidelines to permit game emulators, the retro game emulator Delta — an app 10 years in the making — hit the top of the…

Adobe comes after indie game emulator Delta for copying its logo

Meta is once again taking on its competitors by developing a feature that borrows concepts from others — in this case, BeReal and Snapchat. The company is developing a feature…

Meta’s latest experiment borrows from BeReal’s and Snapchat’s core ideas

Welcome to Startups Weekly! We’ve been drowning in AI news this week, with Google’s I/O setting the pace. And Elon Musk rages against the machine.

Startups Weekly: It’s the dawning of the age of AI — plus,  Musk is raging against the machine

IndieBio’s Bay Area incubator is about to debut its 15th cohort of biotech startups. We took special note of a few, which were making some major, bordering on ludicrous, claims…

IndieBio’s SF incubator lineup is making some wild biotech promises

YouTube TV has announced that its multiview feature for watching four streams at once is now available on Android phones and tablets. The Android launch comes two months after YouTube…

YouTube TV’s ‘multiview’ feature is now available on Android phones and tablets

Featured Article

Two Santa Cruz students uncover security bug that could let millions do their laundry for free

CSC ServiceWorks provides laundry machines to thousands of residential homes and universities, but the company ignored requests to fix a security bug.

2 days ago
Two Santa Cruz students uncover security bug that could let millions do their laundry for free

TechCrunch Disrupt 2024 is just around the corner, and the buzz is palpable. But what if we told you there’s a chance for you to not just attend, but also…

Harness the TechCrunch Effect: Host a Side Event at Disrupt 2024

Decks are all about telling a compelling story and Goodcarbon does a good job on that front. But there’s important information missing too.

Pitch Deck Teardown: Goodcarbon’s $5.5M seed deck

Slack is making it difficult for its customers if they want the company to stop using its data for model training.

Slack under attack over sneaky AI training policy

A Texas-based company that provides health insurance and benefit plans disclosed a data breach affecting almost 2.5 million people, some of whom had their Social Security number stolen. WebTPA said…

Healthcare company WebTPA discloses breach affecting 2.5 million people

Featured Article

Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Microsoft won’t be facing antitrust scrutiny in the U.K. over its recent investment into French AI startup Mistral AI.

2 days ago
Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Ember has partnered with HSBC in the U.K. so that the bank’s business customers can access Ember’s services from their online accounts.

Embedded finance is still trendy as accounting automation startup Ember partners with HSBC UK

Kudos uses AI to figure out consumer spending habits so it can then provide more personalized financial advice, like maximizing rewards and utilizing credit effectively.

Kudos lands $10M for an AI smart wallet that picks the best credit card for purchases

The EU’s warning comes after Microsoft failed to respond to a legally binding request for information that focused on its generative AI tools.

EU warns Microsoft it could be fined billions over missing GenAI risk info

The prospects for troubled banking-as-a-service startup Synapse have gone from bad to worse this week after a United States Trustee filed an emergency motion on Wednesday.  The trustee is asking…

A US Trustee wants troubled fintech Synapse to be liquidated via Chapter 7 bankruptcy, cites ‘gross mismanagement’

U.K.-based Seraphim Space is spinning up its 13th accelerator program, with nine participating companies working on a range of tech from propulsion to in-space manufacturing and space situational awareness. The…

Seraphim’s latest space accelerator welcomes nine companies

OpenAI has reached a deal with Reddit to use the social news site’s data for training AI models. In a blog post on OpenAI’s press relations site, the company said…

OpenAI inks deal to train AI on Reddit data

X users will now be able to discover posts from new Communities that are trending directly from an Explore tab within the section.

X pushes more users to Communities

For Mark Zuckerberg’s 40th birthday, his wife got him a photoshoot. Zuckerberg gives the camera a sly smile as he sits amid a carefully crafted re-creation of his childhood bedroom.…

Mark Zuckerberg’s makeover: Midlife crisis or carefully crafted rebrand?

Strava announced a slew of features, including AI to weed out leaderboard cheats, a new ‘family’ subscription plan, dark mode and more.

Strava taps AI to weed out leaderboard cheats, unveils ‘family’ plan, dark mode and more

We all fall down sometimes. Astronauts are no exception. You need to be in peak physical condition for space travel, but bulky space suits and lower gravity levels can be…

Astronauts fall over. Robotic limbs can help them back up.

Microsoft will launch its custom Cobalt 100 chips to customers as a public preview at its Build conference next week, TechCrunch has learned. In an analyst briefing ahead of Build,…

Microsoft’s custom Cobalt chips will come to Azure next week

What a wild week for transportation news! It was a smorgasbord of news that seemed to touch every sector and theme in transportation.

Tesla keeps cutting jobs and the feds probe Waymo