By Jim Kouri
A 35-year old Florida man entered a guilty plea on Monday to cyber crimes he committed when he hacked into the computer and e-mail accounts of over 50 victims who worked in the entertainment business, including actresses Scarlett Johansson (Lost in Translation, Bend It Like Beckham) and Mila Kunis (The Black Swan, The Book of Eli).
Christopher Chaney, of Jacksonville, Florida, pleaded guilty to nine felony counts of a 28-count indictment, including unauthorized access to protected computers, wiretapping and wire fraud, unauthorized damage to protected computers resulting in more than $5,000 loss and physical damage, according to a law enforcement source close to the investigation.
At the conclusion of the plea hearing, United States District Court Judge S. James Otero ordered Chaney to be taken into immediate custody.
During the hearing, Chaney admitted that from November 2010 to October 2011, he hacked into the e-mail accounts of Scarlett Johansson, Mila Kunis, Renee Olstead, and others by taking the victims’ e-mail addresses, clicking on the “Forgot your password?” feature, and then re-setting the victims’ passwords by correctly answering their security questions using publicly available information he found by searching the Internet.
Once Chaney gained exclusive control of the victims’ e-mail accounts, he was able to access all of their e-mail boxes. While in the accounts, Chaney also went through their contact lists to find e-mail addresses of potential new hacking targets, according to court records.
In pleading guilty to the wiretapping charges, Chaney admitted that, for most victims, he also changed their e-mail account settings by inserting his alias e-mail address into the forwarding feature so that a duplicate copy of all incoming e-mails to the victims — including any attachments — would be sent simultaneously to Chaney without the victims’ knowledge.
Most of the defendants victims did not check their account settings, so even after they regained control of their e-mail accounts, Chaney’s alias address remained in their account settings. As a result, for many victims, copies of their incoming e-mails, including attachments, were sent to Chaney for weeks or months without their knowledge, causing Chaney to receive thousands of victim e-mails.
In addition, when a victim reset his/her password to regain control of the account, Chaney sometimes hacked into the account again and reset the password, sometimes multiple times, in order to continue illegally accessing that victim’s account, said the law enforcement source.
Chaney admitted that as his hacking scheme became more extensive, he began using a proxy service called “Hide My IP” because he knew what he was doing was illegal and wanted to “cover his tracks” so that law enforcement could not trace the hacking back to his home computer.
Even after his home computers were seized by law enforcement agents pursuant to a federal search warrant, but before he was arrested, Chaney used another computer to hack into another victim’s e-mail account, according to the Public Safety Examiner’s anonymous law enforcement source.
Chaney further admitted that as a result of his hacking scheme, he obtained numerous private communications, private photographs — some nude — and confidential documents from the victims’ e-mail accounts. The confidential documents included business contracts, scripts, letters, driver’s license information, and Social Security information.
On several occasions, after hacking into victim accounts, Chaney sent e-mails from the hacked accounts to friends of the victims, fraudulently posing as the victims to request more private photographs. Chaney downloaded many of the confidential documents and photographs he stole to his home computer, where he saved them on his hard drive in separate computer file folders. Chaney e-mailed many of the stolen photographs to others, including another hacker and two gossip web sites, according to court documents.
As a result, some of those stolen photographs, several of which were explicit, were later posted on the Internet.
“Mr. Chaney’s admission to compromising victim accounts, utilizing both technically and socially engineered means, demonstrates the persistence and extent to which a hacker will go to obtain private information,” said Steven Martinez, Assistant Director in Charge of the FBI’s Los Angeles Field Office.
“This case sends an important message to all users of Internet-accessible media that practicing good computer security makes us less vulnerable to this type of attack. The FBI remains committed to investigating cyber adversaries who target protected computers, whether of private citizens or the nation’s critical infrastructure,” he said.
Chaney faces a total statutory maximum sentence of 60 years in federal prison. He is scheduled to be sentenced by United States District Judge S. James Otero on July 23, 2012.