Exploring the Weird World of Account Generators – Part one: Someone you may know

DRAFT COPY

If you’re reading this, it’s because I’ve sent you this link to gather some feedback. I haven’t decided if, when, and how I will publish this story. Please do not share this link.

Welcome to Part One of a multi-part series exploring the underground Account Generating scene. This series will explore Account Generators from multiple angles – the technical, the logistical, and the legal. Part one looks into the humble beginnings of the operator of several of the most prominent account generating services.

Someone you may know

A few months ago, a colleague sent me a link to a news story.

“This is probably someone we know”.

I had a look. The headline reads that a young man is sentenced for his role in selling access to Netflix accounts. He was arrested in 2019 in Dee Why. The ‘Dee Why’ part is interesting to me – someone from my home town was tracked down by the FBI for cybercrime? Huh. His name is Evan McMahon, he’s nearly 10 years younger than me.

“Nah, I don’t think I know him”.

“Well someone in our circle would know him, maybe from one of the universities”.

Possibly. It’s a small enough industry with frequent job hopping. I check LinkedIn. No mutual contacts there. Nothing about working in information security here either – a few web development roles. Current position is the director of something called ‘Inver Digital’.

A few nights later I’m at a small rooftop party in Pyrmont looking over Blackwattle Bay. I’m with several friends I know through Sydney’s information security community. Analysts and consultants from CyberCX, Mandiant, ParaFlare, and Triskele Labs are in attendance. It’s a chilly night in April, but gatherings don’t come easy in 2021 so we persevere. I bring up the news story and ask if anyone knows McMahon. No one does, but we collectively agree that it’s quite an amusing way of monetising stolen credentials.

When the story first made news outlets in 2019 after the arrest, specific details were scarce. An article by the Sydney Morning Herald incorrectly states that these websites were run on the Dark Web. The same article mentioned that McMahon had posted bail. Part of the bail conditions included no internet access and I’m reminded of the opening scene to Hackers. The article also mentioned that access to Netflix and other streaming services was harvested using a technique called credential stuffing. Many articles did not elaborate on this further, so let’s:

Credential Stuffing is a technique used to gain unauthorised access to accounts. It relies on the practice of users having the same password for separate online services. When an online service suffers a data breach, such as LinkedIn in 2012, Dropbox in 2012, Adobe in 2013, or LiveJournal in 2019, at some point in time those credentials may appear for sale on the Dark Web. Sometime later, they will end up freely available on the public internet. Anyone with access to these so-called “dumps” can search through the data for username and password pairs and attempt to use them to log into online services or networks.

Using this technique to gain unauthorised access into a Netflix account is pretty mild compared to what more nefarious actors may do. Hacking into company networks comes to mind. In fact, this is how entire companies are compromised. An employee signs up for LinkedIn. They reuse their LinkedIn password for the company VPN. LinkedIn gets compromised. An actor looking to breach said company searches through data breaches for any entries containing the company email domain – then uses those credentials to log into the company network.
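From the defender’s side, a credential stuffing run looks different from a single user mistyping a password: one source tries many distinct usernames in a short burst, most of them failing. The following is an added example (not code from the original post) that runs a simple sliding-window detector over constructed authentication log lines; the log format, thresholds and IP addresses are all assumptions made for the illustration.

```python
# Added example, not part of the original post: flag source IPs whose login
# attempts cover many distinct usernames with a high failure rate within a
# short window, the pattern left behind when a breach "dump" is replayed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (format assumed): timestamp ip username result
SAMPLE_LOG = """\
2021-04-10T20:00:01 203.0.113.7 alice FAIL
2021-04-10T20:00:02 203.0.113.7 bob FAIL
2021-04-10T20:00:02 203.0.113.7 carol OK
2021-04-10T20:00:03 203.0.113.7 dave FAIL
2021-04-10T20:00:04 203.0.113.7 erin FAIL
2021-04-10T20:00:05 203.0.113.7 frank FAIL
2021-04-10T20:05:00 198.51.100.9 alice FAIL
2021-04-10T20:05:30 198.51.100.9 alice OK
2021-04-10T21:00:00 203.0.113.7 grace OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=5, min_fail_rate=0.6):
    """Return {ip: (distinct_users, fail_rate)} for each IP that, inside any
    `window`, tried at least `min_users` accounts with >= `min_fail_rate`."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until every event fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fail_rate = sum(not e[3] for e in win) / len(win)
            if len(users) >= min_users and fail_rate >= min_fail_rate:
                # Keep the widest window seen for this IP
                if ip not in flagged or len(users) > flagged[ip][0]:
                    flagged[ip] = (len(users), round(fail_rate, 2))
    return flagged
```

In the constructed sample, 203.0.113.7 tries six accounts in five seconds with five failures and is flagged, while 198.51.100.9 (one user retrying their own password) is not.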

The Operation

On the surface, it’s a simple operation. Get your hands on data breaches as a result of someone else’s hard work compromising an online service. Check which credentials are valid for Netflix, Spotify, and other popular services, and then sell that username and password combo to someone wishing to gain access to that service at a discounted rate. It seemed to be a very profitable venture. It’s hard to say how profitable, as a lot of the proceeds seemed to be used to purchase cryptocurrency. Some outlets reported $300,000 AUD, others $500,000 AUD, and even 1.3 million AUD. The discrepancy in amounts is partly due to the fluctuation of cryptocurrency over the months and years that the story was being reported.

It was also reported that McMahon had used over 100 unverified PayPal accounts, 50 verified PayPal accounts, and 10 Australian Bank accounts to manage the proceeds from his services. An unverified PayPal account has limitations as to how much money can be withdrawn. Verifying a PayPal account requires identification. Verification was apparently done using forged identification documents. From there, the money was deposited into Australian Bank accounts.

The Investigation

In many cases where someone operating an illegal internet service has been caught, their downfall can be traced back to a breakdown in their operational security. Somewhere along the way, they’d misconfigured a service that leaked sensitive information, repeated a phrase or speech pattern that matched a public profile, or published something under their real name that eventually tied them to their operation.

The news articles didn’t reveal any information on how McMahon was identified. I asked a friend of mine – a lawyer – if I’d be able to find any of the case notes online. He explained that not all cases are made available, and it didn’t look like this case was. The only official thing I was able to find was from the Australian Federal Police website. An article from March 2019 details the arrest, and an article from April 2021 details the sentencing. Interestingly, the articles on the AFP site don’t name McMahon (as I found out, none of the AFP media releases include names of those arrested or sentenced), however all of the news publications do name McMahon, along with the websites he operated: Hypergen, WickedGen, AccountBot, and Autoflix. They do not reveal any actual domain names.

From an operational perspective, it’s not easy to run a non-Dark Web marketplace if you’re trying to hide your identity. Domain names, servers, VPNs, and internet connections all have to be paid for somehow, and not many providers accept cryptocurrency. Many domain registrars, ISPs, hosting providers, and VPN providers will work with law enforcement if requested – that is if they don’t ban you from using their services before you’re online long enough to get caught in the first instance. And then there is the monetisation – to lower the barrier of entry for someone simply trying to save a few dollars on a Netflix subscription, you can’t expect many users to pay in cryptocurrency, so PayPal was provided as an option – which would prove challenging as PayPal isn’t shy about banning accounts and would likely also work with law enforcement if asked.

Thinking about all of the challenges involved in running this type of operation got me interested in learning more about these websites. A quick search led to a post on the website mpgh.net – Multiplayer Game Hacking. This is exactly what it sounds like: a website dedicated to discussing how to cheat in online multiplayer games. Ugh. The title of the post is

[LIFETIME] AutoFlix – GUARANTEED WORKING NETFLIX WITH 100% AUTO REPLACEMENT

The username is xeztac, and the date is the 28th of February, 2017. The user profile offers up some information: male, Australia.

Several posters are cautious about the legitimacy of the service. They’re afraid of getting ripped off. Others come in support of xeztac, vouching for the service; the thread gains some traction, and many forum users become happy customers. About a year after the thread was created, users start complaining about the service not working and asking if anyone knows how they can contact xeztac, but no one knows. At some point, someone reveals the domain name for the website: autoflix.pw. Eventually, one of the forum mods announces that the thread is closed due to inactivity.

In 1997, the country code top-level domain (ccTLD) .pw was delegated by IANA to the island nation of Palau. Unlike .com.au, .pw is not a regulated namespace, meaning anyone can register a .pw domain name without the risk of dispute. That .pw is also shorthand for ‘password’ would likely make this an attractive namespace for a website dedicated to revealing a user’s password.

Autoflix

Autoflix.pw is currently available for 98 cents. The website seems to have gone offline at some point in 2019. The domain expired shortly after. A snapshot captured by the Internet Archive allows a peek into what was once a cheap way to watch Brooklyn Nine Nine in a pinch.

Further investigation into this domain did not uncover much – historical Whois doesn’t reveal anything. Historical SSL certificates and DNS records provided by VirusTotal show that the webmaster may have leveraged Cloudflare to obscure the webserver IP addresses.

Hackforums dot net

Search engine hits for the same thread title as the one on MPGH lead me to a post on a website called Hackforums. According to Alexa, Hackforums is the most popular hacking website on the internet. Hackforums has a colourful history, being infamous for enabling the sale of hacking tools, DDoS services, and malware. Hackforums has also had its own challenges, being the victim of data breaches and website defacements.

The thread was published in February 2017 and authored by a user who went by ‘Xez. The opening post contains an infographic promoting the service and links to an unlisted YouTube video showing AutoFlix in action.

Another service, nflixer.stream (now defunct), is advertised in the same post. This is described as a reseller program that allows users of the service to charge what they wish to their own customers.

This thread goes on for 119 pages, so I skipped to the final page. It’s September 2018. Users are complaining that the service is not working. None of the account credentials are valid, or the website is displaying error messages. Some users come to his defence and explain that ‘We need to wait the return of Xez’. Users are getting frustrated. A forum moderator locks the thread.

This was interesting. The ‘Xez account had 2,911 posts and seemed to be very popular in the community with a large customer base, yet according to ‘Xez’s profile page, the account was last seen online in July 2018, around the time when AutoFlix users started having issues.

Looking a bit further back through ‘Xez’s post history reveals some patterns. ‘Xez is confident and arrogant, speaking with authority and at times dismissing other users’ efforts.

There are a lot of posts asking for ‘SMS verification’ in exchange for a small payment. “nothing dodgy, I just need to create a new gmail account”. For some time now, creating a Google account has required a valid mobile phone number so that a user can receive a verification token via SMS. Google limits how many different Google accounts one phone number can be used to verify. If I was someone who wished to create multiple PayPal accounts, I can see how an additional Gmail account would be handy.

One of ‘Xez’s more unusual idiosyncrasies was to purchase cryptocurrency directly from other forum users using PayPal. This happened often. Sometimes ‘Xez would get burned and make a post claiming that another user scammed them by not fulfilling their end of the deal. The risk was sometimes managed by having another forum user act as a third party facilitator. This was usually someone with a high ranking in the forum – someone everyone saw as trustworthy.

I travel further back in ‘Xez’s post history to the beginning. ‘Xez joined the forum in 2012. The difference in attitude is almost palpable. ‘Xez seems a lot more polite, offering to help other users with their websites and building computers. ‘Xez often responds to threads offering guides to make extra cash.

“Can I have this ebook please? I would really like to make some extra money. :)”

In 2012, ‘Xez starts running a website: 48hrcodes.com. This website offers free 48 hour Xbox Live trial codes. Apparently the codes are legitimate – directly from Microsoft. In 2013, ‘Xez advertises the sale of the domain and the website on the forums. It doesn’t appear to have ever changed hands, likely because there isn’t a lot of profit in giving away free access to a service. This is noteworthy, however, as it doesn’t take a great deal of imagination to suggest that the lessons learned from developing 48hrcodes led to one of ‘Xez’s next big projects – Hypergen.

Coming in Part Two:

  • Hypergen is hacked. Usernames and passwords leaked online.
  • Hypergen becomes WickedGen.
  • WickedGen’s webhost terminates services.