Ryan Hughes of WFLA in Tampa, Fla., reported Friday that 17-year-old Graham Clark of Tampa was arrested early Friday morning and accused of being the mastermind behind the attack.

On July 15, accounts belonging to high-profile users including Amazon CEO Jeff Bezos, former Vice President and current presidential candidate Joe Biden, Bloomberg co-founder and former presidential candidate Mike Bloomberg, Berkshire Hathaway chairman and CEO Warren Buffett, entrepreneur Elon Musk, former President Barack Obama and hip-hop superstar Kanye West were compromised, with many sharing tweets promising double the amount if people sent Bitcoin to a specific wallet mentioned within the tweets.

Hughes reported that Hillsborough State Attorney Andrew Warren filed 30 felony charges against Clark this week: one count of organized fraud; 17 counts of communications fraud; one count of fraudulent use of personal information with over $100,000 or 30 or more victims; 10 counts of fraudulent use of personal information; and one count of access to computer or electronic device without authority.

Warren said the scheme netted over $100,000 in Bitcoin in just one day, adding in a statement, “These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here. This ‘Bit-Con’ was designed to steal money from regular Americans from all over the country, including here in Florida. This massive fraud was orchestrated right here in our backyard, and we will not stand for that.”

The state attorney added, “I want to congratulate our federal law enforcement partners—the U.S. Attorney’s Office for the Northern District of California, the FBI, the IRS and the Secret Service—as well as the Florida Department of Law enforcement. They worked quickly to investigate and identify the perpetrator of a sophisticated and extensive fraud.”

Twitter sent its plaudits, as well, tweeting, “We appreciate the swift actions of law enforcement in this investigation and will continue to cooperate as the case progresses. For our part, we are focused on being transparent and providing updates regularly.”

As for the “how it was done” part, Twitter updated its blog post on the incident late Thursday, saying that a “small number of employees” were targeted through a “phone spear-fishing attack.”

The social network explained that not all employees who were initially targeted had permissions to use its account management tools, which were used to carry out the attack, but credentials from the initial group were used to access internal systems and gain information about Twitter’s processes, which enabled them to target additional employees who did have access.

As previous reported, a total of 130 Twitter accounts were targeted, with 45 being used to tweet. Direct message inboxes of 36 accounts were accessed, and Twitter data was downloaded from seven accounts.

Twitter wrote, “This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems. This was a striking reminder of how important each person on our team is in protecting our service. We take that responsibility seriously, and everyone at Twitter is committed to keeping your information safe.”

The social network added that access to its internal tools and systems has been significantly limited, impacting some features, calling it “a necessary precaution … We will gradually resume our normal response times when we’re confident that it’s safe to do so.”