Pirate-site operator hacked MLB and tried to extort $150,000, feds say
A pirate-website operator named Joshua Streit was charged with hacking into Major League Baseball (MLB) computer systems and trying to extort $150,000 from the league by threatening to publicize security vulnerabilities, the US Department of Justice announced yesterday.
Streit also “is alleged to have illegally streamed sports content online from MLB, the NHL, the NBA, and the NFL for his own personal profit,” the announcement said. Streit was charged in US District Court for the Southern District of New York with wire fraud, illicit digital transmission, sending interstate threats with the intent to extort, and two counts of computer intrusion. The maximum possible sentences for these counts add up to 37 years in prison, including 20 years for wire fraud, though the press release noted that “maximum potential sentences in this case are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge.”
Streit is a 30-year-old from Minnesota who is also known as Josh Brody. The pirate streaming website that he allegedly ran was called HeheStreams and operated from approximately 2017 to August 2021.
“We allege Mr. Brody hacked into the systems of several of our country’s biggest professional sports leagues and illegally streamed copyrighted live games,” FBI Assistant Director Michael Driscoll said. “Instead of quitting while he was ahead, he allegedly decided to continue the game by extorting one of the leagues, threatening to expose the very vulnerability he used to hack them.”
Streit allegedly sought $150,000 bug bounty
In March 2021, Streit emailed an MLB employee, according to the complaint. Streit “noted that he had earlier notified MLB of a particular network vulnerability and complained that the ‘lack of gratitude [from MLB] is frankly shocking,'” FBI Special Agent Joshua Williams wrote. Streit asked to be put in touch with senior IT personnel and subsequently told an MLB executive referred to as “MLB Executive-1” in a phone call “that he wanted to be financially compensated for reporting the network vulnerability,” the agent wrote.
The executive “informed Streit that MLB does not have a ‘bug bounty’ program but that MLB appreciated Streit’s efforts. Streit then told MLB Executive-1 that MLB should have a bug bounty program for situations like this and that it would be bad if the media found out about the network vulnerability and embarrassed MLB,” Williams wrote.
Streit apparently refrained from contacting news reporters about the vulnerability at the executive’s request but again asked for money in an email to the executive on or around September 28, 2021. “MLB Executive-1 replied, and among other things, noted that ‘people here are concerned about this as unauthorized access to our systems,'” the agent wrote. “MLB Executive-1 also asked, ‘Can you let me know the specific amount of money that you want?'”
Streit asked for $150,000 in his response and told the executive “that when disclosing a network vulnerability ‘there should be at least some sort of mutual understanding that acting in good faith is encouraged, not discouraged,'” the FBI agent wrote. Streit ended his email by writing that “the idea of MLB coming after me for ‘unauthorized access to systems’ is going to make me lose sleep when it’s already at a premium.”
Although Streit “approached MLB in the guise of being helpful to MLB, his simultaneous intrusion into MLB accounts and illegal streaming of MLB content on the illicit streaming website indicates that Streit acted knowingly and with the intent to extort MLB,” Williams wrote. The email in late September was made “shortly before the beginning of the MLB playoffs, and thus at a time when MLB was under increased media scrutiny and public interest,” he wrote.