A man who ran a website that sold stolen credentials for services including Netflix, Spotify, Amazon Prime, HBO, Xbox Live, and EA Origin has been handed a 26-month sentence in Australia. The 23-year-old ran WickedGen, HyperGen, Autoflix and AccountBot, which according to police enabled customers to circumvent the technological protection measures put in place by official services.
Before the rise of streaming services such as Netflix and Spotify, one of the major drivers of piracy was the limited availability of legal platforms. Consumers were largely denied access to subscription content online, even if they were prepared to pay for it.
In 2021, the situation is dramatically different, with consumers spoilt for choice when it comes to legal online streaming. Unfortunately, there are so many platforms available now that users have a new problem – deciding which services will get their money and how many they can afford.
According to a recently released study from Deloitte, 82% of US consumers are now customers of a video streaming service, subscribing to an average of four services each. Even then this won’t give them access to all content, so even more subscriptions are needed at a considerable cost. This is a problem that some illegal services have been attempting to address in recent years.
‘Account Generator’ Platforms
Three years ago we reported on the rise of so-called “account generator” sites that offer access to a dazzling array of legal platforms for a very low price.
For just a few dollars per year, sites like WickedGen provided logins for movie and TV show platforms including Netflix, Amazon, Hulu, HBO Now, Crunchyroll, DIRECTV/Now, CBS All Access, and Funimation. Sports were also catered for with logins to BT Sports, MLB.TV, NBA League Pass, NFL Game Pass, UFC Fight Pass, and WWE Network. Those looking for music weren’t disappointed either, with access to Spotify, Deezer and TIDAL all on the menu.
The big question was how services like WickedGen could offer access to all of these and more for a tiny outlay per month. It now transpires that this minor miracle was being achieved by criminal means.
FBI Investigation Leads to Australia
In 2018, the FBI was carrying out an investigation into WickedGen and in May of that same year, referred the case to the authorities in Australia. A cybercrime investigation was launched by the Australian Federal Police (AFP) and in 2019 a man from Sydney was arrested under suspicion of being the operator of WickedGen and three other similar services – HyperGen, Autoflix and AccountBot.
“WickedGen operated for approximately two years selling stolen account details for online subscription services, including Netflix, Spotify and Hulu,” police reported Saturday.
“The account details were confirmed through a process of credential stuffing, which allows a list of previously stolen or leaked usernames, email addresses and corresponding passwords [to be] re-used and sold for unauthorized access.”
According to police, the number of offenses was considerable. Across the four ‘account generator’ sites, the man – who is yet to be named – attracted at least 152,863 registered users and provided at least 85,925 subscriptions to illegally access legitimate streaming services.
“The man was charged with unauthorized access to (or modification of) restricted data, dealing in proceeds of crime etc. – money or property worth AUD$100,000 or more, providing a circumvention service for a technological protection measure, dealing in identification information and false or misleading information,” police added.
Account Generators Are Lucrative Business
When the police executed a search warrant in March 2019 and seized a laptop used to run the operation, they discovered around AUD$35,000 in cryptocurrency. Overall, however, police say that the man received “at least” AUD$680,000 (US$529,798) through PayPal by selling subscriptions to sites including WickedGen.
In December 2020, the AFP-led Criminal Assets Confiscation Taskforce obtained restraining orders under the Proceeds of Crime Act which allowed them to seize assets including cryptocurrency plus bank and PayPal accounts. Police report that the combined assets have a current value of AUD$1.65m (US$1.29m).
Man Handed 26-Month Sentence
Police say that the now 23-year-old Sydney man was handed a sentence of 26 months last Friday, to be served by way of an Intensive Corrections Order (ICO). According to the authorities, an ICO is a court sentence that is served outside prison under strict supervision and is the most serious sentence that can be served in the community. The man was also ordered to serve 200 hours of community service.
Commenting on the sentence, AFP Commander Chris Goldsmid, Cybercrime Operations, said that the WickedGen service utilized the hacked credentials of millions of legitimate streaming service subscribers from all around the world.
“The harvesting and selling of personal details online was not a ‘victimless crime’ – these were the personal details of everyday people being used for someone’s greed,” he said.
“These types of offenses can often be a precursor to more insidious forms of data theft and manipulation, which can have greater consequences for the victims involved. This investigation is an example of the importance of our relationship with the FBI. These partnerships are critical to law enforcement being able to respond to a rapidly-evolving crime type.”
Many thanks to TorrentFreak for the breaking news.