A young Sydney software developer brought down by an FBI-initiated investigation raked in more than $500,000 in three years selling access to compromised accounts on Netflix, Spotify and other subscription services, court documents show.
By the time of his arrest in March 2019, Evan Leslie McMahon was employing assistants and juggling more than 150 fake identities in order to profit from his bootleg operation serving tens of thousands of customers.
The developer, who turned 23 on Friday, is due to be sentenced in February after pleading guilty to two offences related to the elaborate ‘account generator’ operation.
The most serious offence carries a maximum penalty of 20 years in prison.
Court documents filed in the NSW District Court detail how the Mosman High School graduate was able to avoid detection for years.
His websites – HyperGen, WickedGen, Autoflix and AccountBot – offered paying subscribers a cheap, illegal way to access legitimate accounts for Netflix, Spotify, Hulu, WWE Network, NordVPN, PlayStation Network and dozens of other subscription services.
The FBI began probing WickedGen in late 2017 before referring the matter to Australian Federal Police who uncovered McMahon’s other operations.
After making a small fee via PayPal, clients gained access to the “account generator” which revealed a username and password combination for a real subscriber.
HyperGen, which McMahon was running shortly after finishing his HSC, charged $US10.97 for a lifetime subscription.
AccountBot, McMahon’s last and most sophisticated iteration of the businesses, offered discounts for referring new customers and a variety of subscriber packages.
In the 11 months from its February 2018 creation, AccountBot generated $US335,823 in revenue – worth $A472,000 in early 2019.
“Across the four subscription services the offender had at least 152,863 registered users and provided at least 85,925 subscriptions to illegally access legitimate streaming services,” an agreed facts document, tendered to the NSW District Court, states.
McMahon avoided triggering PayPal’s money-laundering alarms by collecting fees through 102 unverified accounts he’d established in fake names.
He then funnelled the funds into another 48 PayPal accounts he’d “verified” with false identity documents, including NSW licences and Australian passports.
Every PayPal account and account generator website was registered with a separate email address, with McMahon also running 134 different Mozilla Firefox profiles and a bespoke operating system on his Macbook that was protected by an encrypted partition.
He cashed the funds into bank accounts established in his own name across at least 10 financial institutions and converted some profits into cryptocurrency.
In June 2020, the 23-year-old by agreement transferred cryptocurrency worth $A450,000 into a police-controlled wallet.
He later admitted making at least $US485,154, $A40,248 and Stg5067 through the four websites, worth $717,000 in November 2020.
As well as pleading guilty to running a circumvention service and dealing with crime proceeds, McMahon has asked the sentencing judge take into account three other offences.
They relate to the false identity information given to PayPal and the credential stuffing he used to find and verify the compromised logins of legitimate users.
“This credential stuffing … was made possible due to most users re-using the same password across multiple websites/services,” the agreed facts state.