A former member of the Chuckling Squad is presumably not laughing now after being arrested for hacking the Twitter account of Twitter CEO Jack Dorsey.
The alleged hacker, who is a minor, is said to be part of a group that used a SIM-swapping technique to hack into Dorsey’s account in August of this year and send out multiple tweets containing racial slurs. They also tweeted bomb threats and retweeted anti-Semitic material.
The group, known as the Chuckling Squad, have claimed responsibility for a number of high-profile social media hacks, including one perpetrated against actress Chloe Grace Moretz.
The threat group was able to carry out the hack after gaining access to Dorsey’s phone number and transferring that number to a new SIM card. Following the hack, Twitter has updated its two-factor authentication so that users no longer have to give their phone number.
“We applaud the efforts of all the law enforcement agencies involved in this arrest,” said the Santa Clara County District Attorney’s Office, which manages the Regional Enforcement Allied Computer Team (REACT).
“REACT continues to work with and assist our law enforcement partners in any way we can. We hope this arrest serves as a reminder to the public that people who engage in these crimes will be caught, arrested, and prosecuted.”
Hacker Debug, a leader of the Chuckling Squad, told Motherboard that the minor was arrested about two weeks ago after being kicked out of the threat group in October.
“He was a member of Chuckling Squad but not anymore. He was an active member for us by providing celebs/public figure [phone] numbers and helped us hack them,” Debug said.
After the minor furnished the group with Dorsey’s number, other squad leaders known as Aqua and NuBLoM tricked a wireless provider into giving them control of the phone number. They were then able to receive two-factor authentication SMS codes.
Guidelines issued by the Federal Trade Commission on how to protect yourself from a SIM-swap attack include recommendations to limit the personal information you share online and set up a PIN or password on your phone account. Phone users are also advised never to reply to calls, emails, or text messages that request personal information, as they may be phishing attempts.