When VIP Twitter accounts were posting the infamous Bitcoin scam on July 15, everyone wondered who might be behind that coordinated attack.
It was not until two weeks later that US law enforcement arrested a high school student, sending an extra shock around the world.
The teen, accused of being behind what is arguably Twitter's biggest security breach in history, was arrested at his parents' house in Florida, US, early on July 31.
Graham Clark, 17, allegedly took over accounts of world-renowned users including Barack Obama, Bill Gates, Kim Kardashian and Apple.
Twitter says that at least 130 accounts, most of which are verified, were accessed in the attack.
For 45 of those accounts, the perpetrator was able to send tweets to promote a huge Bitcoin scam.
The perpetrator, it turned out, was a high school student.
But two more individuals were formally charged for the incident: 22-year-old Nima Fazeli and 19-year-old Mason Sheppard.
As The Verge reported, Fazeli is facing five years in prison and a $250,000 fine for one count of computer intrusion.
Sheppard, meanwhile, is being charged with computer intrusion, wire fraud conspiracy, and money laundering conspiracy, the most serious of which comes with a 20-year sentence and a $250,000 fine in the US.
The question everyone was asking: how did a 17-year-old pull off such a felony?
Twitter said the attack was a product of spear phishing.
Simply put, Clark conned a Twitter employee into thinking he was a co-worker from the IT department, requesting the employee’s credentials.
Using a mobile phone, he obtained employee credentials, which he used to gain access to internal tools.
From there, he targeted 130 Twitter accounts: tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.
Clark is being charged with over 30 felony counts, including organized fraud, communications fraud, identity theft, and hacking.
The teen allegedly scammed more than $100,000 out of unsuspecting Twitter users.
During and after the hours-long attack, Twitter suspended verified accounts from tweeting, replying, liking or changing user data.
All functions were gradually restored as the company and law enforcement responded to the attack.