Damian Williams, the United States Attorney for the Southern District of New York, announced that JOSEPH JAMES O’CONNOR, a/k/a “PlugwalkJoe,” a U.K. citizen, was sentenced today to five years in prison for his role in a wide array of cybercrime offenses. O’CONNOR was extradited from Spain on April 26, 2023, and pled guilty on May 9, 2023, before U.S. District Judge Jed S. Rakoff to two sets of charges: (i) conspiracy to commit computer hacking and other charges pending in the Southern District of New York relating to a fraudulent scheme perpetrated by O’CONNOR and his co-conspirators to use a cyber intrusion technique known as a SIM swap attack to steal cryptocurrency, then valued at approximately $794,000, from a Manhattan-based cryptocurrency company and then to launder the proceeds of the scheme (the “SDNY Case”), and (ii) a set of charges filed in the Northern District of California, and transferred to the SDNY under Federal Rule of Criminal Procedure 20, relating to O’CONNOR’s role in the July 2020 hack of Twitter, computer intrusions related to takeovers of TikTok and Snapchat user accounts, and cyberstalking two separate victims (the “NDCA Case”). Judge Rakoff imposed today’s sentence.
According to the publicly filed charging documents against O’CONNOR, court filings, and statements made in court:
The SDNY Case
During a cyber intrusion known as a subscriber identity module (“SIM”) swap attack, cyber threat actors gain control of a victim’s mobile phone number by linking that number to a SIM card controlled by the threat actors, resulting in the victim’s calls and messages being routed to a malicious unauthorized device controlled by the threat actors. The threat actors then typically use control of the victim’s mobile phone number to obtain unauthorized access to accounts held by the victim that are registered to the mobile phone number.
Between approximately March 2019 and May 2019, O’CONNOR and his co-conspirators perpetrated a scheme to use SIM swaps to conduct cyber intrusions in order to steal a large amount of cryptocurrency from a Manhattan-based cryptocurrency company (“Company-1”), which, at all relevant times, provided wallet infrastructure and related software to cryptocurrency exchanges around the world.
As part of the scheme, O’CONNOR and his co-conspirators successfully perpetrated SIM swap attacks targeting at least three Company-1 executives. Following a successful SIM swap attack targeting one of the executives on or about April 30, 2019, O’CONNOR and his co-conspirators successfully gained unauthorized access to multiple Company-1 accounts and computer systems. On or about May 1, 2019, through their unauthorized access, O’CONNOR and his co-conspirators stole and fraudulently diverted cryptocurrency of various types (the “Stolen Cryptocurrency”) from cryptocurrency wallets maintained by Company-1 on behalf of two of its clients. The Stolen Cryptocurrency was worth at least approximately $794,000 at the time of the theft and is currently worth more than $1.6 million.
After stealing and fraudulently diverting the Stolen Cryptocurrency, O’CONNOR and his co-conspirators laundered it through dozens of transfers and transactions and exchanged some of it for Bitcoin using cryptocurrency exchange services. Ultimately, a portion of the Stolen Cryptocurrency was deposited into a cryptocurrency exchange account controlled by O’CONNOR.
The NDCA Case
Between 2019 and 2020, O’CONNOR participated in a variety of crimes associated with exploitation of social media accounts, online extortion, and cyberstalking.
In July 2020, O’CONNOR participated in a conspiracy to gain unauthorized access to social media accounts maintained by Twitter, Inc. (“Twitter”). In early July 2020, O’CONNOR’s co-conspirators used social engineering techniques to obtain unauthorized access to administrative tools used by Twitter to maintain its operations. Those co-conspirators were able to use the tools to transfer control of certain Twitter accounts from their rightful owners to various unauthorized users. In some instances, the co-conspirators took control themselves and used that control to launch a scheme to defraud other Twitter users. In other instances, the co-conspirators sold access to Twitter accounts to others. O’CONNOR communicated with others regarding purchasing unauthorized access to a variety of Twitter accounts, including accounts associated with public figures around the world. A number of Twitter accounts targeted by O’CONNOR were subsequently transferred away from their rightful owners. O’CONNOR agreed to purchase unauthorized access to one Twitter account for $10,000.
O’CONNOR also accessed without authorization one of the most highly visible TikTok accounts in August 2020, which was associated with a public figure with millions of followers (“Victim-1”). O’CONNOR and his associates obtained unauthorized access to Victim-1’s account via a SIM swap after discussing a variety of celebrities to target, and O’CONNOR used his unauthorized access to Victim-1’s platform to post self-promotional messages, including a video in which O’CONNOR’s voice is recognizable. O’CONNOR also stated publicly, via a post to Victim-1’s TikTok account, that he would release sensitive, personal material related to Victim-1 to individuals who joined a specified Discord server.
O’CONNOR targeted another public figure (“Victim-2”) in June 2019. O’CONNOR and his associates obtained unauthorized access to Victim-2’s account on Snapchat via a SIM swap. They used that access to obtain sensitive materials, including private images, that Victim-2 had not made publicly available. O’CONNOR sent copies of these sensitive materials to his associates. O’CONNOR and his associates also reached out to Victim-2 and threatened to publicly release the stolen sensitive materials unless Victim-2 agreed to publicly post messages related to O’CONNOR’s online persona, among other things.
Lastly, O’CONNOR stalked and threatened a minor victim (“Victim-3”) in June and July 2020. In June 2020, O’CONNOR orchestrated a series of swatting attacks on Victim-3. A “swatting” attack occurs when an individual makes a false emergency call to a public authority in order to cause a law enforcement response that may put the victim or others in danger. On June 25, 2020, O’CONNOR called a local police department and falsely claimed that Victim-3 was making threats to shoot people. O’CONNOR provided an address that he believed was Victim-3’s address, which would result in a law enforcement response. That same day, O’CONNOR placed another call to the same police department and stated that he was planning to kill multiple people at the same address. In response to that call, the police department dispatched every on-duty officer to that address in reference to an armed and dangerous individual. O’CONNOR sent other swatting messages that same day to a high school, a restaurant, and a sheriff’s department in the same area. In those messages, O’CONNOR represented himself either as Victim-3 or as a resident at the address he believed was Victim-3’s. The following month, O’CONNOR called multiple family members of Victim-3 and threatened to kill them.
The NDCA Case was transferred to the Southern District of New York pursuant to Federal Rule of Criminal Procedure 20 and consolidated with the SDNY Case before Judge Rakoff.
* * *
O’CONNOR, 24, of the United Kingdom, pled guilty before Judge Rakoff to the following charges: (i) as part of the SDNY Case — conspiracy to commit computer intrusions, conspiracy to commit wire fraud, and conspiracy to commit money laundering; and (ii) as part of the NDCA Case — conspiracy to commit computer intrusion, two counts of committing computer intrusions, making extortive communications, two counts of stalking, and making threatening communications. In addition to the prison term, O’CONNOR was sentenced to THREE years of supervised release. O’CONNOR was further ordered to pay $794,012.64 in forfeiture.
Mr. Williams praised the outstanding work of the Federal Bureau of Investigation. He also thanked the Department of Justice’s Office of International Affairs for its assistance in the extradition.
The SDNY Case is being handled by the Complex Frauds and Cybercrime Unit of the United States Attorney’s Office for the Southern District of New York. Assistant U.S. Attorney Olga I. Zverovich is in charge of the prosecution of the SDNY Case. The NDCA Case is being handled by the U.S. Attorney’s Office for the Northern District of California and the Computer Crime and Intellectual Property Section (“CCIPS”) of the Department of Justice. Assistant U.S. Attorney Andrew F. Dawson and CCIPS Assistant Deputy Chief Adrienne L. Rose are in charge of the prosecution of the NDCA Case.