LOS ANGELES—A man pleaded guilty today to a series of cyber-related crimes relating to his hacking into the personal e-mail accounts of more than 50 individuals associated with the entertainment industry.
Christopher Chaney, 35, of Jacksonville, Florida, pleaded guilty to nine felony counts of a 28-count first superseding indictment, including unauthorized access to protected computers in furtherance of wiretapping and wire fraud, unauthorized damage to protected computers resulting in more than $5,000 loss and physical harm, and wiretapping. At the conclusion of the hearing, United States District Court Judge S. James Otero ordered Chaney taken into custody.
During the hearing, Chaney admitted that from at least November 2010 to October 2011, he hacked into the e-mail accounts of Scarlett Johansson, Mila Kunis, Renee Olstead, and others by taking the victims’ e-mail addresses, clicking on the “Forgot your password?” feature, and then re-setting the victims’ passwords by correctly answering their security questions using publicly available information he found by searching the Internet. Once Chaney gained exclusive control of the victims’ e-mail accounts, he was able to access all of their e-mail boxes. While in the accounts, Chaney also went through their contact lists to find e-mail addresses of potential new hacking targets.
In pleading guilty to the wiretapping charges, Chaney admitted that, for most victims, he also changed their e-mail account settings by inserting his alias e-mail address into the forwarding feature so that a duplicate copy of all incoming e-mails to the victims—including any attachments—would be sent virtually simultaneously to Chaney without the victims’ knowledge. Most victims did not check their account settings, so even after they regained control of their e-mail accounts, Chaney’s alias address remained in their account settings. As a result, for many victims, copies of their incoming e-mails, including attachments, were sent to Chaney for weeks or months without their knowledge, causing Chaney to receive thousands of victim e-mails. In addition, when a victim reset his/her password to regain control of the account, Chaney sometimes hacked into the account again and reset the password, sometimes multiple times, in order to continue illegally accessing that victim’s account.
Chaney admitted that as his hacking scheme became more extensive, he began using a proxy service called “Hide My IP” because he knew what he was doing was illegal and wanted to “cover his tracks” so that law enforcement agents could not trace the hacking back to his home computer. Even after his home computers were seized by law enforcement agents pursuant to a federal search warrant, but before he was arrested, Chaney used another computer to hack into another victim’s e-mail account.
Chaney further admitted that as a result of his hacking scheme, he obtained numerous private communications, private photographs, and confidential documents from the victims’ e-mail accounts. The confidential documents included business contracts, scripts, letters, driver’s license information, and Social Security information. On several occasions, after hacking into victim accounts, Chaney sent e-mails from the hacked accounts to friends of the victims, fraudulently posing as the victims to request more private photographs. Chaney downloaded many of the confidential documents and photographs he stole to his home computer, where he saved them on his hard drive in separate computer file folders. Chaney e-mailed many of the stolen photographs to others, including another hacker and two gossip websites. As a result, some of those stolen photographs, several of which were explicit, were later posted on the Internet.
“Today’s guilty pleas shine a bright light on the dark underworld of computer hacking,” said United States Attorney André Birotte, Jr., whose office prosecuted the case. “This case demonstrates that everyone, even public figures, should take precautions to shield their personal information from the hackers that inhabit that dark underworld. It also demonstrates that the Department of Justice will take whatever steps are necessary to protect Americans from harm in cyberspace.”
“Mr. Chaney’s admission to compromising victim accounts, utilizing both technically and socially engineered means, demonstrates the persistence and extent to which a hacker will go to obtain private information,” said Steven Martinez, Assistant Director in Charge of the FBI’s Los Angeles Field Office. “This case sends an important message to all users of Internet-accessible media that practicing good computer security makes us less vulnerable to this type of attack. The FBI remains committed to investigating cyber adversaries who target protected computers, whether of private citizens or the nation’s critical infrastructure.”
Each charge of unauthorized access to a protected computer carries a maximum of five years in prison, each charge of unauthorized damage to a protected computer carries a maximum charge of 10 years in prison, and each charge of wiretapping carries a maximum of five years in prison. As a result of all of today’s guilty pleas, Chaney faces a total statutory maximum sentence of 60 years in federal prison. In addition to the possible prison term, as part of his plea agreement filed in federal court, Chaney agreed to forfeit his computers and related devices seized during the investigation, to pay restitution to all of the victims for any losses they suffered, and to comply with strict restrictions regarding his future use of computers and computer-related devices. In exchange, the government agreed to dismiss the remaining counts, including nine counts of aggravated identity theft, at the time defendant is sentenced.
Chaney is scheduled to be sentenced by United States District Judge S. James Otero on July 23, 2012.
The investigation of this case was led and conducted by the Federal Bureau of Investigation.