Press Release

Acting Manhattan U.S. Attorney Announces Charges Against Iranian National For Conducting Cyber Attack And $6 Million Extortion Scheme Against HBO

For Immediate Release
U.S. Attorney's Office, Southern District of New York
Defendant Leaked Confidential Information Regarding HBO Original Series, “Game of Thrones,” and other Popular HBO Original Programming

Joon H. Kim, the Acting United States Attorney for the Southern District of New York, and William F. Sweeney Jr., the Assistant Director-in-Charge of the New York Field Division of the Federal Bureau of Investigation (“FBI”), announced today the unsealing of an indictment charging BEHZAD MESRI, a/k/a “Skote Vahshat,” for his involvement in a scheme to obtain unauthorized access to the computer systems of Home Box Office, Inc. (“HBO”), steal proprietary data from those systems, and obtain $6 million worth of Bitcoin from HBO through extortion by threatening to disseminate stolen content.  Subsequently, MESRI leaked the stolen content on the Internet, including but not limited to confidential information about upcoming episodes of the popular television series, “Game of Thrones,” and video files containing unreleased episodes of other television series created by HBO.


Acting Manhattan U.S. Attorney Joon H. Kim said:  “Behzad Mesri, an Iranian national who had previously hacked computer systems for the Iranian military, allegedly infiltrated HBO’s systems, stole proprietary data, including scripts and plot summaries for unaired episodes of Game of Thrones, and then sought to extort HBO of $6 million in Bitcoins.  Mesri now stands charged with federal crimes, and although not arrested today, he will forever have to look over his shoulder until he is made to face justice.  American ingenuity and creativity is to be cultivated and celebrated -- not hacked, stolen, and held for ransom.  For hackers who test our resolve in protecting our intellectual property -- even those hiding behind keyboards in countries far away -- eventually, winter will come.”


FBI Assistant Director William F. Sweeney Jr. said:  “In the simplest of terms, he lurked in the alleyways of the Internet, identified the vulnerabilities of his victim, and pickpocketed their information from thousands of miles away. After he had successfully identified their proprietary secrets, he held their future for ransom.  Today’s charges show that international cybercriminals are never beyond the reach of U.S. laws.  This indictment unsealed today is the product of the countless hours put in by investigators in the FBI’s Cyber Division working alongside our prosecutors at the Southern District of New York U.S. Attorney’s office.”


According to the allegations contained in the Indictment[1] unsealed today in Manhattan federal court:


Background on Behzad Mesri

MESRI is an Iran-based computer hacker who had previously worked on behalf of the Iranian military to conduct computer network attacks that targeted military systems, nuclear software systems, and Israeli infrastructure.  At certain times, MESRI has been a member of an Iran-based hacking group called the Turk Black Hat security team and, as a member of that group, conducted hundreds of website defacements using the online hacker pseudonym “Skote Vahshat” against websites in the United States and elsewhere.


Online Reconnaissance and Hack of HBO

Starting in approximately May 2017, MESRI conducted online reconnaissance of HBO’s computer networks and employees.  Among other things, MESRI searched for access points to the network where employees and other authorized users could remotely access HBO’s computer systems. 


From approximately May 2017 to July 2017, MESRI successfully compromised multiple user accounts belonging to HBO employees and other authorized users, and used those accounts to repeatedly obtain unauthorized access to HBO’s computer servers.  Over the course of several months, MESRI used that unauthorized access to steal confidential and proprietary information belonging to HBO, which he then exfiltrated to servers under his control.  Through the course of the intrusions into HBO’s systems, MESRI was responsible for stealing confidential and proprietary data belonging to HBO, including, but not limited to: (a) confidential video files containing unaired episodes of original HBO television programs, including episodes of “Barry,” “Ballers,” “Curb Your Enthusiasm,” “Room 104,” and “The Deuce;” (b) scripts and plot summaries for unaired programming, including but not limited to episodes of “Game of Thrones;” (c) confidential cast and crew contact lists; (d) emails belonging to at least one HBO employee; (e) financial documents; and (f) online credentials for HBO social media accounts (collectively, the “Stolen Data”).


Commencement of Extortion Scheme


Between approximately July 23, 2017, and July 29, 2017, MESRI engaged in a scheme to extort HBO by transmitting, or aiding and abetting the transmission of, the following email messages, each of which was sent to multiple HBO executives and employees: 


  • An email on July 23, 2017, that provided evidence of the hack and claimed, in substance and in part, that the sender had hacked into HBO’s computer systems and had stolen approximately 1.5 terabytes of HBO’s data.


  • A second email on July 23, 2017, that claimed, in substance and in part,  that the stolen data included full scripts and cast lists for the seventh season of the television series, “Game of Thrones,” and “precious data” for other shows, including shows that were as of that time unaired.  The email further stated, in substance and in part, that HBO was a “difficult target” and that infiltration was accomplished through “a complex cyber operation[.]”  The email included a threat to release the data publicly unless HBO paid a ransom of $5.5 million worth of Bitcoin.  The email concluded with a custom image depicting the “Night King,” an undead character from “Game of Thrones,” and bearing the message, “Good luck to HBO.”


  • An email on July 26, 2017, that stated, in substance and in part, that the ransom demand had been increased to $6 million worth of Bitcoin, and included additional threats to destroy data on HBO computer servers.


  • An email on July 29, 2017, that included, among other things, information regarding Bitcoin addresses to which HBO should direct ransom payments, and provided a firm deadline of later that same day for HBO to begin making ransom payments if it wanted to prevent the public leak of the Stolen Data.


Release of Stolen Data


Starting on approximately July 30, 2017, and continuing through August 2017, MESRI caused portions of the Stolen Data to be publicly leaked over the Internet on websites that he controlled.  Certain of the video materials that MESRI caused to be leaked included a graphic depicting the “Night King” that was superimposed at the bottom of the video.  In addition, MESRI undertook efforts to promote the leaks of the Stolen Data on the Internet, including by, among other things, causing emails to be sent to members of the media regarding the leaks, and causing the creation of a Twitter profile to announce the leaks and provide evidence of the hack of HBO’s computer network.


*                *                *


MESRI, 29, a citizen and resident of Iran, is charged with one count of wire fraud, which carries a maximum sentence of 20 years in prison; one count of computer hacking, which carries a maximum sentence of five years in prison; three counts of threatening to impair the confidentiality of information, each of which carries a maximum sentence of five years in prison; one count of aggravated identity theft, which carries a mandatory sentence of two years in prison; and one count of interstate transmission of an extortionate communication, which carries a maximum sentence of two years in prison.  The maximum potential sentences in this case are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendant will be determined by the assigned judge.


Mr. Kim praised the outstanding investigative work of the FBI.    


The case is being handled by the Office’s Complex Frauds and Cybercrime Unit.  Assistant United States Attorneys Timothy T. Howard, Richard Cooper, and Jonathan Cohen are in charge of the prosecution, with assistance provided by Heather Alpino of the National Security Division’s Counterintelligence and Export Control Section.


The charges contained in the Indictment are merely accusations and the defendant is presumed innocent unless and until proven guilty.      


[1] As the introductory phrase signifies, the entirety of the text of the Indictment, and the description of the Indictment set forth herein, constitute only allegations, and every fact described should be treated as an allegation.

Updated November 21, 2017

Press Release Number: 17-363