When authorities arrested Graham Ivan Clark, who they said was the “mastermind” of the recent Twitter hack that ensnared Kanye West, Bill Gates and others, one detail that stood out was his age: He was only 17.
Now authorities have homed in on another person who appears to have played an equal, if not more significant role, in the July 15 attack, according to four people involved in the investigation who declined to be identified because the inquiry was ongoing. They said the person was at least partly responsible for planning the breach and carrying out some of its most sensitive and complicated elements.
His age? Just 16, public records show.
On Tuesday, federal agents served the teenager with a search warrant and scoured the Massachusetts home where he lives with his parents, said one of the people involved in the operation. A spokesman for the FBI confirmed a search warrant had been executed at the address.
The search warrant and other documents in the case are under seal and federal agents may decide not to charge the youth with a crime. If he is ultimately arrested, the case is likely to be handed over to Massachusetts authorities, who have more leverage than federal prosecutors in charging minors as adults. (The New York Times is not naming the teenager at this point because of his age and because he has not been charged.)
Rarely have federal agents gone after someone so young in a hacking case, especially given the apparent sophistication of the attack. During the hack, much of Twitter — including President Trump’s unfiltered communications on the service — was largely immobilized. The attackers gained control of the social network’s systems and compromised the accounts of Barack Obama, Joseph R. Biden, Jeff Bezos and many other prominent people, exposing just how vulnerable Twitter could be.
Authorities have already charged three other people in the hack. They include Mr. Clark, who Florida prosecutors charged in late July as an adult with 30 felonies. He has pleaded not guilty and has not made the bail payment to get out of jail. Two other people who played smaller roles in the hack — Mason John Sheppard, 19, of the United Kingdom, and Nima Fazeli, 22, of Orlando, Fla. — were also charged by federal prosecutors.
Twitter declined to comment.
The Massachusetts teenager appeared to get involved in planning the Twitter attack with Mr. Clark in May, according to investigators. While Mr. Clark and some of his accomplices talked with one another on the messaging board Discord, the youth restricted himself to using encrypted messaging systems like Signal and Wire, several hackers who saw the messages said.
“He was smarter than the rest,” Joseph O’Connor, a hacker known as PlugWalkJoe, said of the teenager. Mr. O’Connor said he talked with some of the people involved in the hack on the day of the Twitter attack and was aware of the teenager’s role in the scheme.
The youth’s secure communications made it harder for investigators to identify him. But Mr. O’Connor and other people in the online conversation that day said that he made video calls to friends on the day of the hack and showed them that he was inside Twitter’s back-end systems, which some accomplices never got near.
The teenager was known for calling employees of companies, such as Twitter, according to investigators and other hackers. He often posed as a contractor or employee to convince employees to enter their login credentials into fraudulent websites where the credentials could be captured, a method known as voice phishing or vishing. The login credentials made it possible for the hackers to then access the inner workings of the companies’ systems.
After the Twitter hack, the boy became a focus of investigators because he continued to be involved in voice phishing attacks, people involved in the probe said.
“Using vished credentials, cybercriminals mined the victim company databases for their customers’ personal information to leverage in other attacks,” federal authorities said in a warning about the ongoing scheme issued in August.
According to online forensic research and social media posts, the teenager lives in a modest two-story house in a coastal Massachusetts city where he attended a nearby private school. Facebook posts showed him with floppy hair when going for his black belt in martial arts at age 11.
His parents filed for divorce two years ago and appeared to struggle with money. His mother, a wellness instructor, reportedly lost her job after lying about her credentials, according to local newspapers. His father was foreclosed on four times and declared bankruptcy twice, according to public records.
Around age 13, the boy bought a series of websites with pornographic names and tried to resell them using his personal address and email, according to domain records.
Around the same time, online forum accounts tied to his email address and home internet protocol address showed up on the website OGusers.com, a site that was the home for the others involved in the Twitter attack, according to two online forensic firms. The site provides a place for hackers to buy and sell coveted “original gangster” user names on social media sites, such as single letter accounts like @a or @6.
The teenager rotated among several aliases tied to his various online accounts, according to intelligence analysis done by the firm Intel471. The messages from the accounts included profanities, anti-Semitic remarks and homophobic comments. At one point, the teenager complained about losing around $200,000 on a Bitcoin gambling site. He also offered to sell a user name for $3,000 in Bitcoin, according to messages from the forum that were later leaked.
“IF your broke and can’t afford or dont think thats a good price JUST DONT EVEN MESSAGE ME!” he wrote in late 2018.
He later linked up with Mr. Clark online and they began working together, people involved in the investigation said. Their early work, hackers said and investigators confirmed, was on so-called SIM swaps, a hacking method that is often used to steal social media accounts and cryptocurrency.
Late last year and early this year, hackers and investigators said, the teenager was part of a group that got inside the site GoDaddy, a company that sells and secures website names. The hackers were able to access and change customer records. GoDaddy confirmed the hack in a letter to customers.
In May, the Massachusetts teenager and Mr. Clark began tricking Twitter employees to give up their logins, leading to the July 15 hack. The boys, using the alias Kirk, began selling valuable Twitter user names to customers.
Just after noon California time that day, the other accomplices dropped out, they said in interviews with The Times a few days later. Mr. Clark and the Massachusetts teenager then took over prominent Twitter accounts — like those belonging to Mr. Obama and Elon Musk — and used them to send out a Bitcoin scam. Investigators said the Massachusetts teenager was logged into Twitter’s systems and handled at least some of the changes to the accounts and the tweets that went out from them.
People responding to the scam sent the teenagers around 12 Bitcoin, worth around $140,000. Those proceeds appeared to have been roughly split in half between the two people in charge, according to the public ledger of Bitcoin transactions.
Kate Conger contributed reporting. Sheelagh McNeil contributed research.