The hacker who extorted HBO after stealing a host of files — including an unaired episode of Game of Thrones — is an Iranian who has hacked for his country’s government, the US says.
The US Attorney’s Office for the Southern District of New York on Tuesday charged Behzad Mesri with extortion, identity theft, and the rare charge of using a computer to threaten to impair the confidentiality of information.
Mesri, the indictment says, was part of a hacker group called Turk Black Hat Security team, which, despite its name, was based in Iran. Mesri, who went by the nickname Skote Vahshat, defaced hundreds of websites, leaving messages like “IN THE NAME OF GOD HACKED” and signing his pseudonym.
But Mesri also conducted a more sophisticated operation, according to the charges, by staking out the parts of HBO’s network that allowed employees to log in remotely, then gained access to several employees’ login credentials and spent months downloading company files, including unaired episodes of Ballers, Curb Your Enthusiasm, and The Deuce, as well as scripts and financial documents.
He demanded a payment of roughly $5.5 million in bitcoin to return the material.
The US only rarely issues formal charges against individual hackers who live in countries unlikely to extradite them. In most cases, like the one against five Chinese nationals accused of running an espionage campaign and another against four men accused of hacking Yahoo for Russia, those indictments accuse the defendants of working with their country’s government.
The indictment doesn’t formally accuse the Iranian government of supporting Mesri, and a spokesperson for the US Attorney's Office declined to comment on the subject, as did Acting US Attorney Joon Kim at a news conference announcing the charges. The indictment does note that Mesri previously had worked on behalf of the Iranian military, attacking other nations’ military and nuclear systems and targeting Israeli infrastructure.
Just because Mesri has conducted operations for the Iranian government before doesn’t mean that his government actually signed off on the HBO hack and subsequent extortion, said Adam Meyers, vice president of intelligence at cybersecurity firm CrowdStrike who formerly managed cyber threat analysis for the State Department.
The HBO hack and extortion “was probably not sanctioned by the Iranian government," Meyers told BuzzFeed News. "It may have used him as a resource, perhaps he was responsive to tasking. But given his pedigree as a script kiddie website defacer, it’s possible he got lucky with HBO and decided this was an opportunity to make some money.”
Iran and the US have a long history of escalating cyberattacks against each other, including the US destroying centrifuges with the Stuxnet worm and Iran probing the industrial controls of a dam in New York state. Those attacks stopped, however, when the countries began negotiating the deal that restricted Iran's nuclear deal.
In announcing the charges, Kim noted that while Mesri was likely safe in Iran, the charges mean that he faces extradition if he travels internationally.
“Winter has come for Behzad Mesri,” Kim said.
Kevin Collier is a cybersecurity correspondent for BuzzFeed News and is based in New York.
Contact Kevin Collier at email@example.com.
Got a confidential tip? Submit it here.