A hacker who boasted that he was responsible for stealing and posting provocative pictures stolen from Miley Cyrus’ Gmail account pleaded guilty on Monday to other charges involving credit card fraud and hacking. Josh Holly, 21, pleaded guilty to possessing about 200 stolen credit card numbers, and to breaching celebrity MySpace pages in a spamming scheme that earned him at least $100,000.
Holly has never been charged with hacking Cyrus’s e-mail account, but after bragging online about this and other activity, and taunting authorities that they would never find him, his apartment in Murfreesboro, Tennessee, was raided in October 2007, at which point authorities found evidence of the cards and spamming scheme.
Holly, who went by the screen names “TrainReq,” “Rockz” and “h4x,” told Threat Level in 2008 that he had gained access to a Gmail account Cyrus had used (email@example.com) and found images the Hannah Montana actress had purportedly sent to singer Nick Jonas of the Jonas Brothers.
Holly claimed that he tried to sell the pictures to TMZ.com and other celebrity outlets, but no one would buy them, given the illegal manner by which he’d obtained them. He then posted some of them online at digitalgangster.com, after which numerous gossip and celebrity websites published them for free. More photos followed thereafter.
The images showed the then-15-year-old Cyrus in a wet T-shirt in the shower, baring her midriff while blowing a kiss to a mirror, and posing seductively in her underwear and bathing suit.
Holly told Threat Level he got access to Cyrus’s Gmail account after obtaining unauthorized access to a MySpace administrative panel where he found passwords for MySpace accounts stored in cleartext. Holly said he obtained access to the administrative panel by social engineering a MySpace employee. Once inside the panel, he found the password Cyrus used for her MySpace account — Loco92 — and tried it on a Gmail account she was known to use.
In addition to stealing Cyrus’s password, he reset MySpace account passwords for a number of other celebrity MySpace users, then used their accounts for a spamming scheme that he said netted him about $50,000.
According to an affidavit (.pdf), Holly admitted to the FBI that beginning in 2005 he had hijacked numerous celebrity internet accounts to conduct spamming. An investigation of his bank records showed that between November 2007 and July 2008, he received more than $110,000 from companies for spamming on their behalf. Holly told Threat Level that half of his illicit income went to an accomplice in Israel who used the online nickname elul21 (Elul is the Hebrew name of a month on the Jewish calendar).
Holly also said that the celebrity MySpace accounts he accessed to conduct his spamming activity belonged mainly to recording artists and groups — Chris Brown, Rihanna, Linkin Park, Fall Out Boy. He accessed about 20 accounts. Once he had passwords to the accounts, he used the accounts to send bulletins to all of the friends on the MySpace accounts advertising a ringtone or call service for the recording artist. For example, he’d send out a bulletin from Fall Out Boy’s MySpace account telling fans that the band would call their phone and send them a ringtone if they clicked on a link and entered their details.
Holly said the advertising affiliates he worked for paid him between $5 and $12 per person who responded to the ad. The affiliates didn’t know he was spamming customers, he said, and when they found out they terminated their work with him and refused to pay him outstanding earnings.
Asked at the time charges were filed against him if he was concerned about the repercussions of his actions, he replied, “There’s no way I can get out of this at all. Not even OJ’s lawyers or Michael Jackson’s lawyers can get me out of this. To be blunt, I was an idiot and I didn’t delete any of my [hard drives]. I never thought they would raid me. They’re going to get full proof evidence of everything that I’ve said I’ve done.”
Holly’s sentencing hearing is set for October 31.