A Chicago man implicated in a phishing scheme targeting more than 300 iCloud and Google Gmail users, including the personal accounts of numerous Hollywood celebrities, faces up to five years in federal prison after signing a plea deal last week.
According to a statement from the U.S. Attorney's Office in California, Edward Majerczyk, 28, will plead guilty to violating the Computer Fraud and Abuse Act for his role in 2014's "Celebgate" phishing scheme. Majerczyk of Chicago and Orland Park, Ill., is charged with one count of unauthorized access to a protected computer, which carries a statutory maximum sentence of five years in prison.
In the phishing scheme, Majerczyk sent phony emails to victims requesting confirmation of user credentials. Appearing to be from legitimate security accounts operated by companies like Apple and Google, the messages instructed users to visit a nefarious website designed to gather logins and passwords.
Majerczyk used this information to illegally access victims' accounts, from which he harvested photographs, videos and other sensitive data, the plea agreement said. The assets circulated through the dark web before wide distribution via BitTorrent and other file sharing protocols.
"Hacking of online accounts to steal personal information is not merely an intrusion of an individual's privacy but is a serious violation of federal law," said U.S. Attorney Eileen M. Decker. "Defendant's conduct was a profound intrusion into the privacy of his victims and created vulnerabilities at multiple online service providers."
While phishing scams are a common occurrence, "Celebgate" gained notoriety for successfully targeting numerous A-list celebrities including Jennifer Lawrence and Kate Upton. When news of the leak first hit, reports incorrectly blamed the intrusion on a hack of Apple's iCloud, not clever social engineering. At the time, Apple denied those claims, saying its cloud services were safe and secure.
Majerczyk is the second person to enter a plea deal in connection with the scandal. In March, Ryan Collins, 36, pleaded guilty to illegally gaining access to at least 50 iCloud accounts and 72 Gmail accounts. Collins' crime carries an identical five-year maximum penalty, though prosecutors planned to recommend a term of 18 months.
Majerczyk's plea agreement was lodged in California District Court and will be executed when the case is transferred to the Northern District of Illinois.