Josh Holly, 19, told Threat Level last October that he obtained access to Cyrus's Gmail account and stole personal photos from it, which he posted on the web. He also said he obtained access to MySpace's administrative panel by social engineering an employee, then reset account passwords for a number of MySpace users. He used the accounts for a spamming scheme that netted him about $50,000. Holly didn't provide details at the time.
But the newly released affidavit (.pdf) provides a few more hints about this activity. According to the document, Holly admitted to the FBI agent that since 2005 he had hijacked numerous celebrity internet accounts, which he used to conduct spamming. The affidavit doesn't mention MySpace specifically in connection with this activity. An investigation of Holly's bank records showed that between November 2007 and July 2008, Holly received more than $110,000 from companies for spamming on their behalf.
The affidavit also reveals that Holly spilled the names of associates to the FBI.
Additionally, Holly corresponded with MySpace's director of security over the course of several months and provided the company with information regarding "MySpace system weaknesses and potential intrustions," according to the document. In exchange for this information, Holly asked the security director to reactivate his MySpace account, which had been suspended for "suspicious or inappropriate behavior."
Holly made no attempt to hide his identity from MySpace. He gave the MySpace security director a Gmail address with his real name, and the MySpace account he wanted re-activated was under his real name. MySpace also had a photo of him, which he had used when he opened the account.
UPDATE: Holly called Threat Level and provided some clarification and additional details about the affidavit and the discrepancy regarding the amount of money he told me he earned from spamming and the amount the affidavit said he earned.
He said he received about $110,000 total, but half of that went to an accomplice in Israel who goes by the online nickname elul21 (which stands for the accomplice's birthdate -- Elul is the Hebrew name of a month on the Jewish calendar). The accomplice mostly provided Holly with marketing ideas.
Holly said the celebrity MySpace accounts he accessed to conduct his spamming activity belonged mainly to recording artists and groups -- Chris Brown, Rihanna, Linkin Park, Fall Out Boy. He accessed about 20 accounts but can't remember all of them. Once he had the password to the account -- which he obtained through the MySpace admin panel (the admin panel stored the passwords in cleartext) -- he used the accounts to send bulletins to all of the friends on a MySpace account advertising a ringtone or call service for the recording artist. For example, he'd send out a bulletin from Fall Out Boy's MySpace account telling fans that the band would call their phone and send them a ringtone if they clicked on a link and entered their details.
Holly says the advertising affiliates he worked for paid him between $5 and $12 per person who responded to the ad. The affiliates didn't know he was spamming customers, and when they found out he said they terminated their work with him and refused to pay him outstanding earnings.
Although Holly was raided last October, during which FBI agents seized his phone and computers, authorities only sought a search warrant last month to conduct a forensic examination of his hardware. I asked Holly if he's concerned that the investigation was heating up.
"A little bit," he said. "Once I go to court I can’t say 'not guilty'. There’s no way I can get out of this at all. Not even OJ's lawyers or Michael Jackson's lawyers can get me out of this. To be blunt, I was an idiot and I didn’t delete any of my [hard drives]. I never thought they would raid me. They’re going to get full proof evidence of everything that I’ve said I’ve done."
He said he's left Tennessee and has been lying low, trying to find a legitimate job to earn money.
