A 19-year-old hacker who published provocative photos of teen queen Miley Cyrus earlier this year was raided by the FBI Monday morning in Murfreesboro, Tennessee.
The hacker, Josh Holly, repeatedly bragged online about breaking into the Disney star’s e-mail account and stealing her photos. He also gave interviews to bloggers and others and boasted that authorities would never find him because he moved so often. [Last month, Holly contacted Threat Level seeking to have an article written about him here.]
But this morning the FBI did find him and, after talking with him for more than an hour about his exploits, served him with a search warrant and a list of items to be seized (which was posted at the hacking site digitalgangster.com after Holly showed it to a friend).
When agents finally left his apartment after conducting an extensive search, they had three computers and Holly’s phone, among other things. Hours after the raid, Holly phoned Threat Level from his sister’s phone to report what had occurred. He hasn’t been arrested or charged with a crime yet.
Last December, Holly, who went by the screen names “TrainReq,” “Rockz” and “h4x,” obtained access to a Gmail account Cyrus had once used ([email protected]) and found images the Hannah Montana actress had purportedly sent to singer Nick Jonas of the Jonas Brothers.
Holly told Threat Level he tried to sell the pictures to TMZ.com and other celebrity outlets, but no one would buy them, given the illegal manner by which he’d obtained them. He then posted some of them online at digitalgangster.com, after which numerous gossip and celebrity websites published them for free. More photos followed thereafter.
The images showed the 15-year-old Cyrus in a wet T-shirt in the shower, baring her midriff while blowing a kiss to a mirror, and posing seductively in her underwear and bathing suit.
Holly told Threat Level he stole about a dozen Cyrus pictures but only published the most provocative ones. He said he got access to Cyrus’s
Gmail account after obtaining unauthorized access to a MySpace administrative panel where he found passwords for MySpace accounts stored in cleartext. He found the password Cyrus used for her MySpace account — Loco92 — and tried it on a Gmail account Cyrus was known to use. The password worked on that account as well, but only for a couple of weeks before it was changed.
Holly said he obtained access to the MySpace administrative panel by social engineering a MySpace worker. He was able to obtain a list of instant message buddies for one of the employees (he didn’t adequately explain to Threat Level how he’d done that before he ended our conversation) and sent an instant message to an employee named C. Cho, using the screen name of another MySpace administrator.
Posing as the other administrator, he told Cho he was having trouble logging in to the MySpace administrative panel and asked if he could use Cho’s username and password. Cho said yes, and Holly had access to the panel for about 16 hours, from about 3 a.m. to 7 p.m. one day, before
MySpace discovered its security had been breached and changed or canceled Cho’s log-in credentials. Holly said he was resetting account passwords for MySpace users, which likely tipped off MySpace.
He also told Threat Level that he’d made about $50,000 exploiting an advertising scheme on MySpace accounts, but he didn’t want the details published to avoid giving other hackers ideas. Threat Level was unable to confirm the authenticity of his claim.
MySpace wouldn’t comment on the case or on Holly’s assertion that the site stores its customer account passwords in cleartext, rather than encrypted format. A spokeswoman said the company doesn’t discuss its security policies because it doesn’t want to place customer data at risk.
Hours before the FBI arrived at his doorstep, Holly posted a message online bragging that even though he was a known hacker, federal agents would never find him.
After the raid, he told Threat Level that authorities found him only because someone had called in a false fire alarm at his apartment a couple of weeks ago. He told fire officials at the time that the call had been a prank and that he knew who had made it. Holly said the local fire marshal, under the pretense of investigating the prank, contacted him Monday morning asking to meet at his apartment in 30 minutes to show him the photo of a suspect. Holly agreed, but about 15 minutes later the FBI knocked on his door instead. Holly said the agents initially claimed to be interested in the false fire alarm but soon turned the discussion to his hacking exploits.
“The fire marshal pretty much tricked me into giving information of when I’ll be home,” Holly said.
The agents came armed with a dossier of information they’d amassed on his past activities — including online forums he had frequented and spamming activity he’d been involved in more than two years ago, which he said he’d disclosed to only a few people.
“I guess somebody ended up ratting me out,” he said.
Holly said he agreed to speak with the agents for more than an hour because “I was just kind of scared and shocked at that time.”
He told Threat Level, “I was just kind of shaking. I was thrown way off guard. I’ve never had anything like this happen before to a point that
I just didn’t know what to do. I was afraid to kick them out of my house.”
The FBI in Tennessee did not respond to a call for comment. The U.S. attorney’s office for the Middle District of Tennessee, where the warrant was obtained, said it would not confirm or deny that a search had occurred.
Holly had been warned by fellow denizens at digitalgangster.com to stop discussing the Cyrus hack, but ignored the advice.
A hacker by the name of Padillac wrote Threat Level that he had little sympathy for Holly who, he said, had “been acting like an attention starved 8-year-old.”
“The problem is that TrainReq truly believed he was untouchable, and unfortunately for him, in 2008, it’s that type of reckless thinking that gets people raided,” Padillac wrote. “While most of us have smartened up and left ‘hacking’ behind, there are always newcomers like
TrainReq who learn how to do something destructive and then execute their newfound abilities carelessly without fear of repercussion. …
[B]ut whatever here comes his big day, i just hope he doesn’t expect to touch a computer for a few years.”