OAKLAND, Calif. — One by one, the celebrity Twitter accounts posted the same strange message: Send Bitcoin and they would send back double your money. Elon Musk. Bill Gates. Kanye West. Joseph R. Biden Jr. Former President Barack Obama. They, and dozens of others, were being hacked, and Twitter appeared powerless to stop it.
While some initially thought the hack was the work of professionals, it turns out the “mastermind” of one of the most high-profile hacks in recent years was a 17-year-old recent high school graduate from Florida, the authorities said on Friday.
Graham Ivan Clark was arrested in his Tampa apartment, where he lived by himself, early Friday, state officials said. He faces 30 felony charges in the hack, including fraud, and is being charged as an adult.
Two other people, Mason John Sheppard, 19, of the United Kingdom, and Nima Fazeli, 22, of Orlando, Fla., were accused of helping Mr. Clark during the takeover. Prosecutors said the two appeared to have aided the central figure in the attack, who went by the name Kirk. Documents released on Friday do not provide the real identity of Kirk, but they suggest that it was Mr. Clark.
Mr. Clark was skilled enough to go unnoticed inside Twitter’s network, said Andrew Warren, the Florida state attorney handling the case.
“This was not an ordinary 17-year-old,” Mr. Warren said.
Mr. Clark convinced one of the company’s employees that he was a co-worker in the technology department who needed the employee’s credentials to access the customer service portal, a criminal affidavit from Florida said. By the time the hackers were done, they had broken into 130 accounts and raised significant new questions about Twitter’s security.
Despite the hackers’ cleverness, their plan quickly fell apart, according to court documents. They left hints about their real identities and scrambled to hide the money they’d made once the hack became public. Their mistakes allowed law enforcement to quickly track them down.
Less than a week after the incident, federal agents, search warrant in hand, went to a home in Northern California, according to the documents. There, they interviewed another youngster who admitted participating in the scheme. The individual, who is not named in the documents because he or she is a minor, gave authorities information that helped them identify Mr. Sheppard and said that Mr. Sheppard had discussed turning himself in to law enforcement.
Because Mr. Clark is under 18, he was charged by the Florida state attorney in Tampa, rather than by federal authorities. His age also means that many details of his case are being kept under wraps.
Federal authorities were already tracking Mr. Clark’s online activity before the Twitter hack, according to legal documents. In April, the Secret Service seized over $700,000 worth of Bitcoin from him, but it was unclear why.
The documents released on Friday largely repeat what several hackers involved in the attack told The New York Times two weeks ago: The hack began early on July 15 as a quiet scheme to steal and sell unusual user names.
But as the day wore on, the attack, led by Kirk, took over dozens of accounts belonging to cryptocurrency companies and celebrities. Bitcoin flowed into the hackers’ accounts. The scheme netted Bitcoin worth more than $180,000, according to a New York Times estimate.
A special agent with an Internal Revenue Service investigative unit said in a court filing that Mr. Sheppard participated in the hack while using the screen name “ever so anxious.” A person using that name told The Times a few days after the attack that he got involved because he wanted to acquire unique Twitter user names.
“i just kinda found it cool having a username that other people would want,” “ever so anxious” said in a chat with The Times. He ultimately brokered the sale of at least 10 addresses, such as @drug, @w and @L, according to the indictment against him.
Mr. Fazeli is also accused of serving as a middleman, helping to sell stolen Twitter accounts on the day of the attack under the user name “Rolex.” But the indictment provides few details on Mr. Fazeli’s work as a middleman.
By the time Twitter finally managed to stop the attack, the hackers had tweeted from 45 of the accounts they had broken into, gained access to the direct messages of 36 accounts, and downloaded full information from seven accounts, the company said.
Mr. Fazeli and Mr. Clark were arrested on Friday. Mr. Sheppard has not been arrested but is expected to be taken into custody, the F.B.I. said.
“While investigations into cyber breaches can sometimes take years, our investigators were able to bring these hackers into custody in a matter of weeks,” said John Bennett, a special agent in charge with the F.B.I. The investigation is still underway, and it is possible there will be additional arrests, a bureau spokeswoman said.
The young men who participated in the breach come from a loose-knit community of hackers who focus on account takeovers, cybersecurity experts said. Using a practice known as SIM-swapping, they often target telecom companies to compromise victims’ phone numbers and intercept login credentials.
The attackers targeted Twitter employees, stealing their account credentials in order to gain access to an internal system that allowed them to reset the passwords of most Twitter users. (Some users, like President Trump, have extra security on their accounts to prevent takeovers.)
“These people come trained to be efficient and creative at their attack methods,” said Allison Nixon, the chief research officer of the security firm Unit 221B. “They’ve realized there’s this world of soft targets.”
These hackers often focus on financial fraud, but their ability to gain access to the accounts of political figures could attract new and dangerous customers, Ms. Nixon said.
“One of the things that concerns me is that, as these actors continue to refine their techniques and learn, they’re going to realize that there are other customers who will pay a lot more for things other than a single-character user name,” she said. “I don’t think they’ve even scratched the surface of how much damage they could cause.”
In a statement, Twitter thanked law enforcement for its “swift actions” and said it would continue to cooperate with the investigation.
The relatively young age of the hackers did not come as a surprise to security professionals who monitor the SIM-swapper community. Many of the people drawn to it are teenagers who pursue unique user names because controlling them conveys a sense of importance and clout.
“This activity is addictive in a way, it’s a thrill,” Ms. Nixon said. “Breaking into gigantic companies and stealing ridiculous amounts of money is a huge thrill for them.”