We often imagine hackers to be tucked away in a dim basement somewhere in the world… not right on our doorstep on the northern beaches of Sydney. Today it has come to light the 23-year-old Sydneysider allegedly conspired with a US-based hacker to pull off the sophisticated scam that involved the hacked streaming service credentials of millions of people worldwide. These credentials were provided to a large pool of buyers who were promised ‘lifetime access’ for a very low rate.
Investigations were initially launched in 2018 by the FBI and Australian Federal Police (AFP) after discovering an ‘account generator’ website called WickedGen.com. As investigations continued, a further three websites exploiting the details were uncovered. Combined, the sites had more than 150,000 users between 2015 and 2019 who were charged as little as USD10.97 (approximately AUD15.00 today) to gain active credentials to a selection of streaming services including Netflix and Spotify.
As all ‘good’ things must come to an end, the scheme came crashing down in 2019 – four years after its inception – with an AFP raid on the hacker’s home following a tip from the FBI. A computer and $460,000 worth of cryptocurrency were seized, however, due to a spike in the digital assets, the cryptocurrency amount grew to over $1.3 million from the time it was transferred to AFP control in mid-2020.
How could this fraud happen in the first place? The Sydney hacker used a process called “credential stuffing”. This method initiates a large-scale automated test of login details to pull out credentials that are current. It is a machine-run trial and error system to exploit the successfully attempted log-ins. Throughout the scheme, the hacker used false identities over several accounts to cover his tracks. After the credential extraction, he could begin gathering illegal revenue through the sites which he channelled through a variety of PayPal accounts, many verified with fraudulent New South Wales driver licenses and Australian passports.
Two years on from the bust and all has come to a close with the young man pleading guilty to a copyright offence in the Supreme Court of New South Wales. Though the judge “praised the man’s remorse and conduct since being caught” (SMH, 2021), he is required to serve 200 hours of community service under intensive corrections with any offending during this period resulting in immediate imprisonment.
As for the money, he was ordered by the Supreme Court to forfeit $1.66 million to the Commonwealth Confiscated Asset Account (myGC, 2021). Minister for Home Affairs, Karen Andrews, states “good work by the AFP has seen a criminal stripped of their ill-gotten gains, and this money redirected to enhancing the safety and security of communities right around Australia”.
Where to from here? You can quickly check if your email, phone number, or password has been breached with Have I Been Pwnd?. Going forward, we recommend investing in a password manager which can help secure your passwords and generate strong credentials to protect your accounts. If you suspect you have been breached, perhaps you are getting Netflix recommendations that are nothing like your usual picks, we recommend you change your password immediately and check with your bank if your payment details have been used without authorisation.