Privacy Ninja

DOJ: Pirated Sports Streamer Hacked Accounts, Extorted MLB

The U.S. Attorney’s Office for the Southern District of New York has charged a man with illegally streaming MLB, NBA, NFL, and NHL games via the web and hacking into sports leagues’ customer accounts.

The charged individual is Joshua Streit, 30, of Minnesota, who allegedly streamed illegal re-broadcasts of major American sports leagues, including the Major League Baseball (MLB), National Basketball Association (NBA), National Football League (NFL), and the National Hockey League (NHL).

The Department of Justice says that Streit operated a “live streaming” website for profit, offering access to the illegal sports content in exchange for subscription fees of $129.99 per season.

The website, Hehestreams, is now under the control of ACE (Alliance for Creativity) and redirects visitors to legal channels of content distribution.

[Image: the Hehestreams website. Source: US DoJ]

Prosecutors say that Streit gained access to the sports leagues’ content by hacking into the accounts of the leagues’ subscribers.

The site operated from 2017 to August 2021, during which Streit allegedly obtained at least $5,000 in subscription fees, but the actual amount may be higher.

Hehestreams offered multiple payment methods besides crypto, making it easier for law enforcement to trace payments and find out who was running the service.

The FBI states that at least one sports league suffered approximately $3,000,000 in damages, and they are still investigating the injuries to the other victims.

Extorting the MLB

In addition to streaming the MLB’s content illegally, Streit is also charged with attempting to extort the MLB for $150,000 by threatening to publish alleged platform access vulnerabilities that he abused to steal the streams.

“Furthermore, Streit allegedly hacked MLB’s computer systems and attempted to extort $150,000 from the league,” U.S. Attorney Damian Williams said in a press release.

Streit is alleged to have exploited a flaw in a third-party service’s access token system, allowing “hehestreams” users to access live sports streams by authenticating as legit users of the actual platforms.

MLB’s complaint to the law enforcement authorities presents Streit as frustrated for not finding a bug bounty program to report the network vulnerabilities, accusing MLB of “shocking lack of gratitude.”

“You’d think that, upon disclosure of a vulnerability that directly impacts a multi-billion-dollar revenue stream, you’d at least receive a reply.” — joshmn (@joshmn) March 18, 2021

Streit is now facing five counts, for computer intrusion, illicit digital transmission, wire fraud, and transmission of interstate communications with intent to extort, with the maximum penalty of 25 years in prison.
