Second hacker pleads guilty to role in celebrity iCloud, Gmail phishing scheme

A Chicago man implicated in a phishing scheme targeting more than 300 iCloud and Google Gmail users, including the personal accounts of numerous Hollywood celebrities, faces up to five years in federal prison after signing a plea deal last week.

According to a statement from the U.S. Attorney's Office in California, Edward Majerczyk, 28, will plead guilty to violating the Computer Fraud and Abuse Act for his role in 2014's "Celebgate" phishing scheme. Majerczyk of Chicago and Orland Park, Ill., is charged with one count of unauthorized access to a protected computer, which carries a statutory maximum sentence of five years in prison.

In the phishing scheme, Majerczyk sent phony emails to victims requesting confirmation of user credentials. Appearing to be from legitimate security accounts operated by companies like Apple and Google, the messages instructed users to visit a nefarious website designed to gather logins and passwords.

Majerczyk used this information to illegally access victims' accounts, from which he harvested photographs, videos and other sensitive data, the plea agreement said. The assets circulated through the dark web before wide distribution via BitTorrent and other file sharing protocols.

"Hacking of online accounts to steal personal information is not merely an intrusion of an individual's privacy but is a serious violation of federal law," said U.S. Attorney Eileen M. Decker. "Defendant's conduct was a profound intrusion into the privacy of his victims and created vulnerabilities at multiple online service providers."

While phishing scams are a common occurrence, "Celebgate" gained notoriety for successfully targeting numerous A-list celebrities including Jennifer Lawrence and Kate Upton. When news of the leak first hit, reports incorrectly blamed the intrusion on a hack of Apple's iCloud, not clever social engineering. At the time, Apple denied those claims, saying its cloud services were safe and secure.

Majerczyk is the second person to enter a plea deal in connection with the scandal. In March, Ryan Collins, 36, pleaded guilty to illegally gaining access to at least 50 iCloud accounts and 72 Gmail accounts. Collins' crime carries an identical five-year maximum penalty, though prosecutors planned to recommend a term of 18 months.

Majerczyk's plea agreement was lodged in California District Court and will be executed when the case is transferred to the Northern District of Illinois.

Latest Exclusives

Latest comparisons

18 Comments

☕️

ericthehalfbee 13 Years · 4489 comments

About 8 years ago

Yes, let's not forget that this attack also compromised Gmail accounts. And that iCloud has never been hacked and this was just a routine phishing expedition.

🎁

nolamacguy 10 Years · 4750 comments

nonsense. this was routine, standard, run of the mill phishing. Apple carries no blame for it; there is no perception that Apple's customers are immune from phishing attacks as you dubiously claim. put that back in your FUD locker, dear sir.

🎅

foggyhill 10 Years · 4767 comments

poffin77 said:

ericthehalfbee said:

Yes, let's not forget that this attack also compromised Gmail accounts. And that iCloud has never been hacked and this was just a routine phishing expedition.

While true it does not mean a whole lot. It was Apple who marketed the combination of security, privacy and ease of use a key differentiator between its products/services and those offered by such competitors as Google, Microsoft, Samsung etc. And after this scandal broke, Apple quickly pivoted to the position that it was the user's responsibility - not Apple's' - to protect user data and privacy by using the same two-factor authentication and other measures and precautions recommended for the competing, less secure and less user-friendly platforms. Before this incident, the it was commonly thought that the average (meaning someone not skilled or interested in tech) could just buy an Apple product, use it as is and be protected. Apple didn't create this misconception ... but they were perfectly happy to benefit from it, including but not limited through their own advertising campaigns. Which is why fans of the competing platforms were more than willing to do some finger-pointing of their own when this happened, even as they acknowledged that Apple was never actually at fault here.

Total bullshit. Seriously, read on posts. It's a phishing expedition and people gave up their own passwords.
Next thing you'll be doing is claiming someone responding to nigerian scams on Iphones are somehow's Apple fault too.

In fact, most of the Icloud account that were compromised were NOT ICLOUD ACCOUNTS,
even those that were compromised through phishing were often done by compromising a second account that's even less secure (that's why you should not reuse passwords). They didn't talk about that here, but that is used very often.

The only way to mitigate it is to use two factor and that's an inconvenience to many and they STILL won't do it after this hack on Android or IOS.

🌟

apple ][ 13 Years · 9225 comments

Hopefully the criminals and hackers will get sodomized in prison, at least a few times a week, so that they too will know how it feels to be "violated". :#

dasanman69 15 Years · 12999 comments

poffin77 said:

ericthehalfbee said:

Yes, let's not forget that this attack also compromised Gmail accounts. And that iCloud has never been hacked and this was just a routine phishing expedition.

While true it does not mean a whole lot. It was Apple who marketed the combination of security, privacy and ease of use a key differentiator between its products/services and those offered by such competitors as Google, Microsoft, Samsung etc. And after this scandal broke, Apple quickly pivoted to the position that it was the user's responsibility - not Apple's' - to protect user data and privacy by using the same two-factor authentication and other measures and precautions recommended for the competing, less secure and less user-friendly platforms. Before this incident, the it was commonly thought that the average (meaning someone not skilled or interested in tech) could just buy an Apple product, use it as is and be protected. Apple didn't create this misconception ... but they were perfectly happy to benefit from it, including but not limited through their own advertising campaigns. Which is why fans of the competing platforms were more than willing to do some finger-pointing of their own when this happened, even as they acknowledged that Apple was never actually at fault here.

Of course Apple created that misconception, what did you think those advertising campaigns accomplished? For the most part celebrities aren't tech savvy and have no idea what a phishing scheme is, not ever heard of social engineering.