Former Employee Of Technology Company Sentenced To Six Years In Prison For Stealing Confidential Data And Extorting Company For Ransom
Damian Williams, the United States Attorney for the Southern District of New York, Kenneth A. Polite, Jr., the Assistant Attorney General for the Department of Justice’s Criminal Division, and Ismail J. Ramsey, the United States Attorney for the Northern District of California, announced today the extradition and guilty plea of JOSEPH JAMES O’CONNOR, a/k/a “PlugwalkJoe,” a U.K. citizen. O’CONNOR was extradited from Spain on April 26, 2023, and pled guilty earlier today before U.S. District Judge Jed S. Rakoff to two sets of charges: (i) conspiracy to commit computer hacking and other charges pending in the Southern District of New York relating to a fraudulent scheme perpetrated by O’CONNOR and his co-conspirators to use a cyber intrusion technique known as a SIM swap attack to steal approximately $794,000 worth of cryptocurrency from a Manhattan-based cryptocurrency company and then to launder the proceeds of the scheme (the “SDNY Case”) and (ii) a set of charges filed in the Northern District of California, and transferred to the SDNY under Federal Rule of Criminal Procedure 20, relating to O’Connor’s role in the July 2020 hack of Twitter, computer intrusions related to takeovers of TikTok and Snapchat user accounts, and cyberstalking two separate victims (the “NDCA Case”).
U.S. Attorney Damian Williams said: “Joseph O’Connor, a/k/a ‘PlugwalkJoe,’ used his sophisticated technological abilities for malicious purposes – conducting a complex SIM swap attack to steal large amounts of cryptocurrency, hacking Twitter, conducting computer intrusions to take over social media accounts, and even cyberstalking two victims, including a minor victim. O’Connor’s guilty plea today is a testament to the importance of law enforcement cooperation, and I thank our law enforcement partners for helping to bring to justice those who victimize others through cyber-attacks.”
Assistant Attorney General Kenneth A. Polite, Jr. said: “O’Connor’s criminal activities were flagrant and malicious, and his conduct impacted multiple people’s lives. He harassed, threatened, and extorted his victims, causing substantial emotional harm. Like many criminal actors, O’Connor tried to stay anonymous by using a computer to hide behind stealth accounts and aliases from outside the United States. But this plea shows that our investigators and prosecutors will identify, locate, and bring to justice such criminals to ensure they face the consequences for their crimes.”
NDCA U.S. Attorney Ismail J. Ramsey said: “O’Connor has left an impressive trail of destruction in the wake of his wave of criminality. This case serves as a warning that the reach of the law is long, and criminals anywhere who use computers to commit crimes may end up facing the consequences of their actions in places they did not anticipate.”
According to the allegations in the publicly filed charging documents against O’CONNOR, court filings, and statements made in court:
The SDNY Case
During a cyber intrusion known as a SIM swap attack, cyber threat actors gain control of a victim’s mobile phone number by linking that number to a subscriber identity module (“SIM”) card controlled by the threat actors, resulting in the victim’s calls and messages being routed to a malicious unauthorized device controlled by the threat actors. The threat actors then typically use control of the victim’s mobile phone number to obtain unauthorized access to accounts held by the victim that are registered to the mobile phone number.
Between approximately March 2019 and May 2019, JOSEPH JAMES O’CONNOR and his co-conspirators perpetrated a scheme to use SIM swaps to conduct cyber intrusions in order to steal approximately $794,000 worth of cryptocurrency from a Manhattan-based cryptocurrency company (“Company-1”), which, at all relevant times, provided wallet infrastructure and related software to cryptocurrency exchanges around the world.
As part of the scheme, O’CONNOR and his co-conspirators successfully perpetrated SIM swap attacks targeting at least three Company-1 executives. Following a successful SIM swap attack targeting one of the executives on or about April 30, 2019, O’CONNOR and his co-conspirators successfully gained unauthorized access to multiple Company-1 accounts and computer systems. On or about May 1, 2019, through their unauthorized access, O’CONNOR and his co-conspirators stole and fraudulently diverted cryptocurrency of various types (the “Stolen Cryptocurrency”) from cryptocurrency wallets maintained by Company-1 on behalf of two of its clients. The Stolen Cryptocurrency was worth at least approximately $794,000 at the time of the theft.
After stealing and fraudulently diverting the Stolen Cryptocurrency, O’CONNOR and his co-conspirators laundered it through dozens of transfers and transactions and exchanged some of it for Bitcoin using cryptocurrency exchange services. Ultimately, a portion of the Stolen Cryptocurrency was deposited into a cryptocurrency exchange account controlled by O’CONNOR.
The NDCA Case
Between 2019 and 2020, O’CONNOR participated in a variety of crimes associated with exploitation of social media accounts, online extortion, and cyberstalking.
In July 2020, O’CONNOR participated in a conspiracy to gain unauthorized access to social media accounts maintained by Twitter, Inc. (“Twitter”). In early July 2020, O’CONNOR’s co-conspirators used social engineering techniques to obtain unauthorized access to administrative tools used by Twitter to maintain its operations. Those co-conspirators were able to use the tools to transfer control of certain Twitter accounts from their rightful owners to various unauthorized users. In some instances, the co-conspirators took control themselves and used that control to launch a scheme to defraud other Twitter users. In other instances, the co-conspirators sold access to Twitter accounts to others. O’CONNOR communicated with others regarding purchasing unauthorized access to a variety of Twitter accounts, including accounts associated with public figures around the world. A number of Twitter accounts targeted by O’CONNOR were subsequently transferred away from their rightful owners. O’CONNOR agreed to purchase unauthorized access to one Twitter account for $10,000.
O’CONNOR also accessed without authorization one of the most highly visible TikTok accounts in August 2020, which was associated with a public figure with millions of followers (“Victim-1”). O’CONNOR and his associates obtained unauthorized access to Victim-1’s account via a SIM swap after discussing a variety of celebrities to target, and O’CONNOR used his unauthorized access to Victim-1’s platform to post self-promotional messages, including a video in which O’CONNOR’s voice is recognizable. O’CONNOR also stated publicly, via a post to Victim-1’s TikTok account, that he would release sensitive, personal material related to Victim-1 to individuals who joined a specified Discord server.
O’CONNOR targeted another public figure (“Victim-2”) in June 2019. O’CONNOR and his associates obtained unauthorized access to Victim-2’s account on Snapchat via a SIM swap. They used that access to obtain sensitive materials, including private images, that Victim-2 had not made publicly available. O’CONNOR sent copies of these sensitive materials to his associates. O’CONNOR and his associates also reached out to Victim-2 and threatened to publicly release the stolen sensitive materials unless Victim-2 agreed to publicly post messages related to O’CONNOR’s online persona, among other things.
Lastly, O’CONNOR stalked and threatened a minor victim (“Victim-3”) in June and July 2020. In June 2020, O’CONNOR orchestrated a series of swatting attacks on Victim-3. A “swatting” attack occurs when an individual makes a false emergency call to a public authority in order to cause a law enforcement response that may put the victim or others in danger. On June 25, 2020, O’CONNOR called a local police department and falsely claimed that Victim-3 was making threats to shoot people. O’CONNOR provided an address that he believed was Victim-3’s address, which would have the result of causing a law enforcement response. That same day, O’CONNOR placed another call to the same police department and stated that he was planning to kill multiple people at the same address. In response to that call, the department dispatched every on-duty officer to that address in reference to an armed and dangerous individual. O’CONNOR sent other swatting messages that same day to a high school, a restaurant, and a sheriff’s department in the same area. In those messages, O’CONNOR represented himself as either Victim-3 or as a resident at the address he believed was Victim-3’s. The following month, O’CONNOR called multiple family members of Victim-3 and threatened to kill them.
The NDCA Case was transferred to the Southern District of New York pursuant to Federal Rule of Criminal Procedure 20 and consolidated with the SDNY Case before Judge Rakoff.
* * *
O’CONNOR, 23, of the United Kingdom, pled guilty before Judge Rakoff to the following charges: (i) as part of the SDNY Case — conspiracy to commit computer intrusions, which carries a maximum sentence of five years in prison; conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison; and conspiracy to commit money laundering, which carries a maximum sentence of 20 years in prison, and (ii) as part of the NDCA Case — conspiracy to commit computer intrusion and two counts of committing computer intrusions, each of which carries a maximum sentence of five years in prison; making extortive communications, which carries a maximum sentence of two years in prison; two counts of stalking, each of which carries a maximum sentence of five years in prison; and making threatening communications, which carries a maximum sentence of five years in prison. As part of his guilty plea, O’CONNOR agreed to forfeit a sum of money equal to $794,012.64 and to make restitution to victims of his crimes. O’CONNOR is scheduled to be sentenced by Judge Rakoff on June 23, 2023, at 3:30 p.m.
The maximum potential sentences set forth above are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendant will be determined by the Court.
Mr. Williams praised the outstanding work of the Federal Bureau of Investigation. He also thanked the Justice Department’s Office of International Affairs for its assistance in the extradition.
The SDNY Case is being handled by the Complex Frauds and Cybercrime Unit of the United States Attorney’s Office for the Southern District of New York. Assistant U.S. Attorney Olga I. Zverovich is in charge of the prosecution of the SDNY Case. The NDCA Case is being handled by the United States Attorney’s Office for the Northern District of California and the Computer Crime and Intellectual Property Section (“CCIPS”) of the Department of Justice. Assistant United States Attorney Andrew F. Dawson and CCIPS Assistant Deputy Chief Adrienne L. Rose are in charge of the prosecution of the NDCA Case.