Demanding payment in exchange for not publicly disclosing a vulnerability isn’t the same as a bug bounty program; it’s extortion.
A 30-year-old alleged sports content pirate in Minneapolis, Minn., has found himself on the receiving end of a criminal complaint alleging that he not only stole user account credentials and sold access to pirated sports content. According to the U.S. Department of Justice, once its site was shuttered, he also went on to demand $150,000 from Major League Baseball in exchange for not telling reporters how he accessed its systems.
The defendant, identified in a newly unsealed complaint (PDF) as Joshua Streit, allegedly operated a site called HeHeStreams that sold subscribers access to hijacked user accounts for Major League Baseball (MLB), the National Basketball Association (NBA), the National Football League (NFL) and National Hockey League (NHL) for about $129 a year, undercutting prices of legitimate sources.
According to prosecutors, the MLB lost at least $2,995,272 due to Streit’s alleged theft of games.
FBI agent Joshua Williams said in the complaint that the pirate site operated from about 2017 to July 2021, drawing charges on two counts of computer intrusion, one count of wire fraud and one count of illicit digital transmission.
Game Book Included Traceable Posts for Tech Help
Williams was able to get a subscription to the illicit site using a gift card over chat with a user going by the moniker “inflix.” Williams was able to trace the site to Streit through its servers, social media, GitHub, Cloudfare’s payment processor and more, he testified.
The criminal complaint provides a detailed technical account of the compromise.
“…I believe that the Illegal Streaming Website, operated by Joshua Streit a/k/a/, ‘Josh Brody,’ the defendant, accessed and compromised user accounts to gain access to Access Tokens and identify relevant Decryption Keys,” Williams explained in the complaint. “Streit was then able to take those Access Tokens and Decryption Keys directly to the Third Party Service, allowing subscribers to the Illicit Streaming Website to view the Streaming Games.”
By June 2021, Streit started having trouble accessing the MLB platform and asked for help, the complaint said.
“I have spent the entire month of May, 16 hours each and every day, trying to find stable, scaleable [sic] solutions,” Streit allegedly posted on Reddit. “If you have any expertise with [content delivery networks, or CDNs], scraping, or sketchy [s**t], I’d love to talk to you. Please reach out to me via any channel.”
An undercover agent obliged.
In a Discord conversation with the undercover FBI agent, the complaint alleges that Streit said he’d like to “continue doing my ‘steal from nba league pass [s**t]’ as I have for the last 5 years.”
By August, the admin account for HeheStream on Reddit posted a sheepish goodbye, saying the site was “ceasing every and all operations,” because “my freedom is in jeopardy.”
Federal criminal law and sentencing guideline expert James Felman explained to Threatpost that the timeline of the post lines up with the charging document, which said that the site ceased operations by July 2021. But another crime prompted the criminal complaint filed on Oct. 25 to request a warrant for Streit’s arrest.
MLB Doesn’t Have a Bug Bounty Program
The FBI alleged that Streit wasn’t done trying to cash in on his illegal MLB system access. Just before the MLB Playoffs, on Sept. 28, Streit allegedly emailed an MLB Executive and demanded $150,000 to prevent him from disclosing the league’s network vulnerability to the media.
“…I believe that although Joshua Streit, a/k/a ‘Josh Brody,’ the defendant, approached MLB, his simultaneous intrusion into MLB accounts and illegal streaming of MLB content on the Illicit Streaming Website indicated that Streit acted knowingly and with the intent to extort the MLB.”
While prison time is possible, Felman was quick to point out to Threatpost that federal sentencing guidelines give judges loads of latitude to consider all sorts of variables. He was reluctant to offer any predictions on potential prison time for Streit, should he be found guilty of the crimes outlined in the complaint.
“It’s reasonable to assume he’ll find himself in front of a judge at a sentencing hearing,” Felman added. “He appears to have gotten their attention.”
Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.