The Netflix Access Scam: How Did the Mastermind Do it?
A Sydney IT professional is facing prison time after pleading guilty to criminal charges involving a scam that made him almost a million dollars over a three-year period.
Software developer Evan McMahon’s sophisticated scheme was originally uncovered by the FBI, before being handed over to the Australian Federal Police.
At the time of his arrest, the 23-year-old was serving tens of thousands of customers across the globe.
Cheap access to websites
His websites – HyperGen, WickedGen, Autoflix and AccountBot – offered subscribers a cheap way to access legitimate accounts for Netflix, Spotify, Hulu, WWE Network, NordVPN, PlayStation Network, as well as dozens of other subscription services.
After paying a small fee, Mr McMahon’s customers were given access to the “account generator” which allegedly revealed the username and password of a real subscriber.
Before the NSW District Court
According to documents tendered before the New South Wales District Court, Mr McMahon set up his first website HyperGen shortly after finishing his HSC.
AccountBot, the latest and most refined iteration of the business, offered customers discounts for referring new customers and a range of subscriber packages.
The agreed facts of the case state he had at least 152,863 registered customers and provided at least 85,925 subscriptions to a variety of streaming services.
Customers paid for the services via PayPal, so Mr McMahon developed a way to avoid triggering PayPal’s money laundering alarms: collecting fees through multiple accounts – more than 100 in fact – which were set up in false names.
He then funnelled funds into another 48 accounts which were verified using false IDs such as New South Wales Driver’s Licences and Australian Passports.
McMahon cashed the funds into bank accounts established in his own name across at least 10 financial institutions and converted some profits into cryptocurrency.
Cybercrime offences
Mr McMahon has been charged with multiple criminal offences, including dealing with suspected proceeds of crime and running a circumvention service.
Dealing with the proceeds of crime
Dealing with suspected proceeds of crime is an offence under section 193C of the Crimes Act 1900 which carries a maximum penalty of 3 years in prison.
To establish the offence, the prosecution must prove beyond reasonable doubt that:
- The defendant dealt with property,
- There are reasonable grounds to suspect the property was the proceeds of crime, and
- The value of the property at the time of dealing was less than $100,000.
The maximum penalty increases to 5 years in prison where the value of the property at the time of dealing was $100,000 or more.
‘Deal with’ includes:
- Receiving, possessing, concealing or disposing of,
- Bringing or causing to be brought into NSW, by electronic transfer, and
- Engaging directly or indirectly in a transaction, including receiving or giving a gift.
‘Proceeds of crime’ is defined as property that is substantially derived or realised, directly or indirectly, by any person from the commission of a serious offence.
‘Serious offence’ is defined as:
- Any offence that can be prosecuted ‘on indictment’ (i.e. in a higher court),
- Supplying a restricted substance, or
- An offence committed outside NSW that would constitute the above if it were committed within the state.
The section provides a list of situations which amount to ‘reasonable grounds’ for suspecting property is the proceeds of crime.
These include where:
- The dealing involves accounts in false names,
- You state the dealing was for another person but fail to give that person’s details, or
- There are several transactions that appear to be structured to avoid reporting requirements.
A person is not guilty of the offence if he or she is able to establish, ‘on the balance of probabilities’, that there were no reasonable grounds to suspect the property was derived from crime.
Duress is a defence to the charge.
Providing a circumvention service
Providing a circumvention service for a technological protection measure is an offence under section 132APE of the Copyright Act 1968 which carries a maximum penalty of 5 years in prison.
A person commits an offence if he or she:
- provides a service to another person or offers a service to the public,
- does so with the intention of obtaining a commercial advantage or profit, and
- the service is a circumvention service for a technological protection measure.
Additional offences on a ‘Form 1’
Mr McMahon’s criminal defence lawyers asked the sentencing judge to take into account three additional offences relating to false ID information given to PayPal and the ‘credential stuffing he used to find and verify the compromised logins of legitimate users’.
Credential stuffing generally occurs where a hacker obtains another person’s login information and is able to successfully use it across multiple websites, because most people use the same password for several purposes.
The offences were placed on what is known as a ‘Form 1’, which is a mechanism by which a sentencing judge can take into account additional offences when considering the totality of the offending, without sentencing those additional offences separately.
Cybercrime is on the rise
According to the Australian Cyber Security Centre’s (ACSC) Annual Cyber Threat Report, cybercrime is reported, on average, every ten minutes in Australia.
The most common of these, according to the data, is scams: romance, investment, or shopping scams. Scamwatch reported that last year Australians lost over $634 million to scams – a figure that is considered likely to be underestimated due to the number of crimes that go unreported.
But there’s also concern that the figures will be higher for this year, specifically because of the COVID-19 pandemic, which forced us to interact online in more ways than would otherwise be ‘normal’ for Australians and saw a spike in scams, relating in particular to the early release of superannuation.
As our online connectivity increases, the experts say that to protect ourselves we need to keep security settings up to date, be vigilant about any social media links or emails or website URLs that look ‘dodgy’ and avoid using the same password over and over.