Aussie Hacker Made $500,000 by Finding and Reselling Netflix Credentials

A 23-year-old Australian web developer has avoided prison after being found guilty of supplying at least 85,925 subscriptions to Netflix and other online services by identifying the passwords of legitimate customers and selling them to others, reports the Sydney Morning Herald. Evan McMahon was sentenced to perform 200 hours of community service and had AUD460,000 (USD356,000) of cryptocurrency confiscated, though the subsequent cryptocurrency boom means that stash is now worth approximately AUD1.3mn (USD1mn). He is believed to have made about AUD680,000 (USD530,000) by selling ‘lifetime’ subscriptions for as little as 10 bucks a time.

McMahon ran programs between 2015 and 2019 that systematically identified the user details for accounts on Netflix, Spotify, Hulu, WWE Network, NordVPN, and the PlayStation Network. Court documents argued McMahon’s efforts were made more successful by the tendency for users to adopt the same passwords for multiple services. Four separate websites – HyperGen, WickedGen, Autoflix and AccountBot – were used to sell the credentials that McMahon cracked. The oldest of the websites was created soon after McMahon completed high school, and their sophistication increased over time, with the most recent offering discounts for new customer referrals. False identities were used to create 48 separate PayPal accounts in order to launder the criminal proceeds, much of which was invested in cryptocurrency.

McMahon potentially faced a 20-year prison sentence for the most serious crime he was charged with, but it appears the judge showed leniency because of McMahon’s youth and because he is autistic, and hence was said to not fully comprehend the seriousness of his actions. Without having heard all the details, this once again appears to be an example of courts being soft on online crime. Preventing and catching young internet fraudsters like McMahon is expensive and difficult, but courts rarely punish them with more than a sermon about their crimes not being victimless. If judges really believe what they say about the victims of crime then they should do more to deter a growing generation of online crooks by making an example of those few that are caught and brought to trial.

Eric Priezkalns
Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.