U.S. Officials Charge Iranian Hacker with HBO Server Attack, $6 Million Extortion Scheme

The U.S. Attorney’s Office for the Southern District of New York on Tuesday announced charges against an Iranian national who allegedly hacked HBO’s servers and attempted to extort $6 million from the premium cable programmer, Variety reports.

Federal authorities charged Behzad Mesri, a 29-year-old citizen and resident of Iran, with seven criminal counts including computer hacking and fraud; wire fraud; interstate transmission of an extortionate communication; and aggravated identity theft.

According to the U.S. Attorney’s Office, Mesri (a.k.a. “Skote Vashat”) broke into HBO computers and stole data — including unaired episodes of “Game of Thrones” and financial data — and then threatened to release the info unless HBO paid $6 million in Bitcoin. Mesri is currently in Iran, and “we are unfortunately unable to arrest him today,” Joon Kim, acting U.S. Attorney for the Southern District of New York, told reporters at a press conference. But, Kim added:

“He will never be able to travel outside of Iran without fear that he will be arrested on these charges. The memory of American law enforcement is very long.”

Behzad Mesri is a member of the Turk Black Hat Security hacking team and has worked for the Iranian military on computer attacks against Israel, according to an indictment filed Tuesday in U.S. District Court in Manhattan.

The court papers do not accuse Mesri of working on behalf of the Iranian government when he allegedly infiltrated HBO’s networks. The indictment, however, appears to be part of a “name and shame” strategy the U.S. has used in the past to quell interference by foreign hackers it doesn’t expect to be turned over.

According to the indictment, Mesri launched a campaign this past May to gain access to HBO’s servers through employee user accounts — and succeeded, even though the entertainment giant has sophisticated computer defenses. In July, he began sending taunting emails to HBO executives, using “Game of Thrones” imagery and slogans, prosecutors said.

“Hi to all losers!” one said. “Yes it’s true! HBO is hacked…Beware of heart attacks.”

Mesri said he would release the material and destroy data unless he was paid $5.5 million in Bitcoin currency. He later upped the price to $6 million. Soon after, he began leaking portions of the cache over the internet and to media outlets.

If convicted, Mesri faces a maximum sentence of 20 years in prison for wire fraud; up to five years for each of the four charges related to computer fraud; a two-year mandatory sentence for aggravated identity theft; and up to two years in prison for the extortion charge. Mesri was indicted by a federal grand jury on November 8 and a warrant was issued for his arrest.

The United States, however, has no extradition treaty with Iran. And even as it announced those charges, the Justice Department seemed to admit that it would likely never actually lay hands on Mesri.

“Because Mesri is in Iran we are unfortunately unable to arrest him,” Kim said flatly. The feds could have strategically kept the charges against Mesri sealed until he could be lured out of Iran, detained, and extradited, but apparently viewed that scenario as a long shot.

“We made the determination we were not likely to get him,” Kim said. “We weighed that against sending a message. That was the balancing we did, and we decided now was the right time to do it.”

Despite Mesri’s ties to the Iranian government, the indictment doesn’t include any claim that the HBO extortion was a state-sponsored campaign. But by publicly linking Mesri’s past hacking to the Iranian government, the Justice Department may have made it even less likely that Tehran will cooperate with U.S. law enforcement, or prosecute him in Iran for his alleged criminal hacking.

“I suspect that the Iranian government wouldn’t want to lend credence to anything the U.S. government has said,” says J. Michael Daniel, who served as the Obama administration’s cybersecurity coordinator when the Justice Department indicted seven Iranians for cyberattacks on U.S. banks and a New York dam. None of those hackers ever faced trial in the U.S. Will Mesri?

“I wouldn’t expect it to be overly likely,” Daniel says.