Cybercrime Roundup: Photobucket, Sextortion, and Bitcoin

Extortion Through Theft of Private Photobucket Images

On November 2, Brandon Bourret was sentenced to 29 months in federal prison and three years on supervised release after pleading guilty to conspiracy to commit computer fraud and abuse, access device fraud, identification document fraud, and wire fraud. Bourret was the architect of PhotoFucket, a software application that accessed password-protected and private photo albums saved on the image-hosting website Photobucket. The albums were accessed in order to find “wins”—nude or sexually explicit images. Bourret promoted his software on PhatThumbs.Photofucket.com, where he published some of the “wins.” Customers could purchase the application to trawl for “wins” themselves.

Photobucket sets privacy at the album level; a user can set it at public, private, or password protected. However, even when heightened privacy is selected, there is still a direct link that can be used to access the photo. At first, PhotoFucket automated a guessing process called “fuskering” to discover these links, rather than hacking into individual Photobucket accounts. To “fusker” is to guess obscure web addresses and their extensions, often based on logical extensions. For example, the address photobucket.com/user/sarahtate might lead to photobucket.com/user/sarahtate/media/albumname/1.jpg and photobucket.com/user/sarahtate/media/albumname/2.jpg.

Due in part to increased security at Photobucket, Bourret began to look into new ways to access “wins.” With the help of Athanasois Andrianakis, Bourret was able to “rip” rather than “fusker”, or to exploit vulnerabilities in security to access the files hosted on Photobucket and then copy them. The two worked as a team: Andrianakis found vulnerabilities, and Bourret wrote the code to exploit them.

Towards the end of its run, Bourret tweaked PhotoFucket so that it connected email addresses used in registering accounts to the images of the victims. According to the DOJ press release, victims reported being extorted and harassed by PhotoFucket users.

Notably, the co-defendants entered into agreements that created a victims’ assistance fund. All victims were previously contacted by both Photobucket and the government and are eligible for services to mitigate the impact of the disclosure of their images.

Andrianakis’s sentence has another element of restorative justice. He is spending the first 15 months of a 5 year sentence for probation on house arrest—during those 15 months, he will be working without pay for Photobucket.

Man Who Phished into Celebrities' Accounts and Stole Sensitive Photos Sentenced

In another sentencing for illegally accessing personal photos, the Department emphasized that it is “deeply committed to holding hackers accountable, even when they do not sell or distribute the stolen data.” Ryan Collins was sentenced to 18 months in federal prison after pleading guilty to violating the Computer Fraud and Abuse Act.

Collins’ case is unusually high-profile. From November 2012 to September 2014, he used a phishing scheme to gain access to 50 iCloud accounts and 72 Gmail accounts, most of which belonged to female celebrities. Once he gained access, he stole personal information, including nude photographs. On several occasions, he downloaded a victim’s entire iCloud backup.

The charges against Collins grew from an investigation into the September 2014 leak of nude photographs of various celebrities, known widely as "Celebgate." Notably, however, no evidence has been found that ties Collins to the leaks or even demonstrates that he shared the information he stole, and it remains unclear how Collins was connected to the release Collins is an example that unauthorized access—stealing sensitive, personal photos—is a crime that can stand alone.

Man Indicted in Sextortion/Pornography Fraud Scheme

On October 12th, Mario Antoine was indicted for a pornography fraud scheme. According to the Department of Justice, Antoine convinced at least six women into “auditioning” for pornography, having them sign contracts and promising to pay for their services. But there was no pornography business and no real possibility of payment: Antoine’s goal was only to trick the women into having sex with him.

Prior to beginning his scheme, Antoine allegedly researched “rape by deception,” “rape by deception in Kansas,” and “illegal to trick girls into sleeping with you.” His search expanded beyond websites and into law journals.

Evidently not deterred by his findings, Antoine reportedly contacted women on Facebook and promised them between 1,000 and 18,000 dollars for rehearsing for porn. He assured them that the material was going to an overseas market where no one from the United States would view it. Antoine would allegedly have sex with his victims while filming the encounter under the guise of porn production, often then using the tape against the women in order to force them into additional sex.

The indictment details six victims. In one case, Antoine threatened to sell or share the recording of the victim having sex with him unless the woman either paid him $9,000 or slept with him again; she chose the second option, which he again covertly recorded. In another case, he allegedly sent pornographic images of one victim to her employer when she complained about not receiving payment. He also contacted other victims’ boyfriends and ex-boyfriends and shared photos of one victim with at least two other victims.

The investigation is still ongoing; anyone who believes that they have been victimized by Antoine should contact the FBI at 816-512-8200.

Father Pleads Guilty in Bitcoin Exchange Bribery
Michael Murgio, a Floridian and former Palm Beach County school board member, pled guilty to making a false statement to the U.S. National Credit Union Administration. So far, Michael; his son, Anthony Murgio; Yuri Lebedev; and Trevon Gross have been charged in connection with a scheme to operate and conceal an illegal Bitcoin exchange, Coin.mx.

Allegedly, Anthony Murgio operated an unlawful Bitcoin exchange for Gery Shalon, the Israeli leader of an international cybercrime ring. Shalon—as well as co-conspirators Ziv Orenstein and Joshua Aaron—was indicted in 2015 for an extensive pump-and-dump scheme made possible by hacked personal information. Shalon reportedly hacked 12 different institutions, including JPMorgan Chase & Co. After stealing the personal information of individuals who were likely to be engaged in stock trading, Shalon then spammed their inboxes with emails highlighting penny stocks, which Shalon owned. Shalon then dumped the stocks and made tens of millions of dollars. According to U.S. Attorney Preet Bharara, this was “securities fraud on cyber steroids.”

However, neither the Murgios nor Lebedev or Gross have been charged with the hacking. Rather, Anthony Murgio has been indicted on eight counts including money laundering, wire fraud, conspiracy to operate an unlicensed money transmitting business, and making corrupt payments with intent to influence an officer of a financial institution. Allegedly, Anthony used the bitcoin exchange to launder money and facilitate extortion for the Shalon’s cybercrime ring. Anthony profited from ransomware by exchanging other currency for bitcoin and therefore facilitating the transfer of ransom.

As to the father’s involvement, Michael Murgio allegedly assisted in the group taking control of the board of a credit bureau in order to further Coin.mx’s operations, including laundering money for the cybercrime ring. The takeover was facilitated through bribes to co-conspirator Trevon Gross, a pastor.

Notably, in ruling on the pretrial motions, the judge held Bitcoin to be money under 18 U.S.C. §1960. After first examining both the ordinary meaning and dictionary definitions, the court cited U.S. v. Faiella, 39 F.Supp.3d 544 (S.D.N.Y. 2014) (defining money as “something generally accepted as a medium of exchange, a measure of value, or a means of payment” and holding bitcoins as money because they “can be easily purchased in exchange for ordinary currency, act[] as a denominator of value, and [are] used to conduct financial transactions”) and U.S. v. Ulbricht, 31 F.Supp.3d 540 (S.D.N.Y. 2014) (defining money as “an object used to buy things” and holding bitcoins are funds because they “can be used directly to pay for certain things or can act as a medium of exchange and be converted into a currency which can pay for things” ). Finally, after examining the legislative history’s thrust to prevent new types of illicit money transfer, the judge held that funds do not have to equal currency and that Bitcoin is both funds and money.