TRANSCRIPTEnglish

The Hack That Exposed Every Celebrity’s Private Photos

24m 0s3,066 words555 segmentsEnglish

FULL TRANSCRIPT

0:00

August 31st, 2014. Jennifer Lawrence's

0:03

phone explodes with 847 missed calls.

0:07

Her agent screams through voicemail.

0:09

Don't go online. Do not go online. But

0:12

it's too late. She opens Twitter to see

0:14

her name trending worldwide next to a

0:16

photo of her naked body she took 3 years

0:18

ago. The image already has 14 million

0:22

views.

0:23

Across Hollywood, 100 other celebrities

0:26

discover their most private moments are

0:28

now public property. Kate Upton's

0:31

honeymoon videos. Scarlett Johansson's

0:33

bathroom selfies. Michaela Moron's

0:36

photos from when she was 17, making

0:38

millions of downloaders felons. Within

0:41

48 hours, the images spread to 17,000

0:45

websites and four victims attempt

0:47

suicide. But here's what makes this

0:49

horrifying.

0:51

The hackers were five nobbodyies who

0:53

simply sent fake Apple security emails.

0:56

So, who were these five ordinary men?

0:58

And what made them suddenly leak

1:00

everything?

1:03

November 2013.

1:06

Ryan Collins sits in his Lancaster

1:08

basement staring at code on his Dell

1:10

laptop. He's copying Apple's password

1:13

reset page pixel by pixel, changing one

1:16

line where legitimate resets send data

1:19

to Apple's servers. His version roots

1:21

passwords to Collins data@gmail.com.

1:25

He registers Apple Privacy Security at

1:27

icloud.com through a Romanian proxy.

1:30

Tests the fishing kit on his wife's

1:32

account thing that she will never

1:35

notice. then loads a CSV file containing

1:38

4,811

1:40

celebrity email addresses scraped from

1:43

IMDb Pro, talent agency leaks, and

1:46

paparazzi contact sheets. His first

1:49

target is Scarlett Johansson's

1:51

assistant, whose email was leaked in the

1:53

2011 Sony Pictures hack. 2,000 m away in

1:57

Chicago, Edward Mertic runs a parallel

2:00

operation from his childhood bedroom.

2:02

While his parents watch Jeopardy

2:04

downstairs, he sends 18 fishing emails

2:06

to addresses ending in unitedalent.com,

2:09

wmeenter entertainment.com,

2:12

and ca.com, Hollywood's biggest

2:14

agencies. His subject lines pull from

2:17

TMZ headlines. Urgent unauthorized

2:20

access detected from Moscow, Russia,

2:22

arrives hours after news breaks of

2:24

celebrity nude photo threats. Your

2:27

iCloud photos may be compromised, lands

2:29

during the Sony hack coverage. But

2:31

Mayerchic has done an innovation. He

2:34

times each fishing wave to coincide with

2:36

real security breaches, making paranoid

2:38

celebrities more likely to click.

2:40

Between November 2013 and April 2014, he

2:45

sends 4,729

2:48

emails and 312 people enter their

2:50

passwords. 30 are household names. The

2:54

hackers discovered Apple's fatal flaw.

2:57

The Find My iPhone feature allowed

2:59

unlimited password attempts through an

3:01

API endpoint. Christopher Brandon wrote

3:04

a Python script that tried 14,000 common

3:07

passwords against celebrity accounts in

3:09

rapid succession. When one password

3:11

failed, the script tried the next one in

3:14

the list and then the next one and so on

3:16

until he got the correct password. No

3:18

lockouts, no alerts, just infinite

3:22

attempts at 50 tries per second. Brandon

3:25

cracked Jennifer Lawrence's account

3:27

after 1,847

3:29

attempts. Her password was Nashville

3:33

2011, the city and year she filmed

3:35

Hunger Games. Rihanna fell after 3,221

3:40

tries. Barbados 88, her birthplace and

3:45

birth year. Avil Lavine used Skater Boy,

3:49

her own song title, but passwords were

3:52

just the first door. Security questions

3:54

provided access to the account. What

3:57

street did you grow up on? For

3:59

celebrities, Wikipedia knew the answer.

4:02

Mother's maiden name. Ancestry.com

4:05

provided full family trees. First pet's

4:08

name. Old MySpace posts from 2004

4:12

contained gold mines of personal trivia.

4:15

George Gafano discovered Kate Upton's

4:17

high school mascot, the Rockets, from a

4:20

Melbourne Catholic School alumni page.

4:23

He found Kirsten Dun's first dog's name,

4:26

Biscuit, in a 1997 newspaper interview

4:29

about Interview with the Vampire.

4:32

Michaela Moron's favorite teacher

4:34

appeared in her hometown papers student

4:36

of the month feature from 2006.

4:40

Each answer unlocked another account,

4:42

another backup, another thousand photos

4:44

never meant for public eyes. The iCloud

4:47

backup system became their ATM.

4:50

When someone logs into iCloud from a new

4:53

device, Apple sends an alert unless

4:55

you're restoring from backup. The hacker

4:58

selected restore from iCloud backup on

5:00

iTunes, entered stolen credentials, and

5:03

downloaded the entire phone contents

5:05

without triggering notifications.

5:07

Ryan Collins downloaded Jennifer

5:09

Lawrence's 23 GB backup containing 1,789

5:13

photos and 94 videos spanning three

5:16

years. The download took 4 hours on his

5:19

Comcast connection. He watched Netflix

5:22

while photos never meant to be seen

5:24

transferred to his hard drive. No alerts

5:27

reached her phone. No emails warned of

5:30

access. Apple's logs showed a routine

5:32

backup restoration from an iPhone 5C,

5:35

the same model Lawrence owned. The best

5:38

part of this hack is that these weren't

5:40

master criminals. Collins forgot to use

5:42

a VPN for 12 downloads, leaving his real

5:45

IP address in server logs. Meerchic paid

5:48

for his fishing domains with a PayPal

5:50

account linked to his actual checking

5:51

account at Chase Bank. Gafano

5:54

screenshotted his trophy photos and

5:55

accidentally included his Windows

5:57

username, George G Dell, in the file

6:00

metadata. Brandon tested his password

6:03

cracker on his school district email,

6:04

leaving traces that led directly to his

6:06

teacher ID number. They made every

6:08

amateur mistake possible except getting

6:10

caught. For 18 months, nobody noticed

6:13

Hollywood stars were being

6:15

systematically attacked. But why did

6:17

four separate hackers suddenly start

6:20

hunting celebrity photos within weeks of

6:22

each other? And what made them risk

6:24

everything to release their collections?

6:29

August 30th, 2014, 9:30 p.m. On the

6:33

notorious Anonib forum, Foran's evil

6:37

twin dedicated to revenge porn, user

6:40

original guy posts 12 words that ignite

6:42

a frenzy. I have hundreds of celebrity

6:45

nudes. Bitcoin's welcome samples inside.

6:48

More coming. Attached. There is a

6:51

censored thumbnail of Jennifer Lawrence

6:53

that image reverse searches confirm

6:56

exists nowhere else online. The post

6:58

includes a Bitcoin address and within 10

7:01

minutes, blockchain records show 0.2847

7:04

Bitcoin, $147,

7:08

received from 16 different wallets.

7:10

original guy responds with a mega link

7:13

containing 43 uncensored photos. At that

7:16

exact moment, everything got

7:17

uncontrolled. By 10:30 p.m., the anonib

7:21

thread reaches $500 posts as users beg,

7:24

threaten, and bid for specific

7:27

celebrities.

7:28

Someone offers $1,000 Bitcoin for Emma

7:31

Watson photos. Another promises $500 for

7:35

Taylor Swift. Original guy stays silent

7:38

for 47 minutes, then drops the bomb, a

7:41

file containing 461 photos from 60

7:44

celebrities. The password, irony, it is

7:48

infected, a detail that would later help

7:51

FBI cryp analysts identify which

7:53

collections came from which hacker. At

7:56

11:47 p.m., an anonymous user, likely

8:00

original guy on a different IP, migrates

8:02

to Foreshan's higher traffic Bboard and

8:04

uploads everything for free. The

8:06

business model collapsed. The chaos

8:08

began. Forchan moderator M_L would later

8:12

testify he deleted over 10,000 posts

8:15

that night. For every thread removed,

8:17

users created five more. They switched

8:20

tactics, posting Imor albums, non-files

8:23

links, mega folders, media fire

8:26

archives. When those got DMCA, they used

8:30

Russian site RGHost, Chinese platform

8:33

BU, blockchain storage on Swarm. Even

8:36

someone uploaded the entire cache to the

8:38

pirate bay disguised as a Linux

8:40

distribution. Another user embedded

8:42

photos in a Minecraft world file that

8:44

went viral on gaming forums. By 2 a.m.

8:48

September 1st, Reddit user John's McJed

8:51

subreddit called the Fappening. Remember

8:54

this. His first post contains Jennifer

8:57

Lawrence, Kate Upton, Ariana Grande, and

9:00

hundreds of others. Reddit's

9:02

infrastructure buckled immediately. The

9:04

subreddit gained 10,000 subscribers per

9:07

hour for six consecutive hours, a rate

9:10

that exceeded Reddit's previous record,

9:12

Obama's 2012 AMA, by 400%.

9:17

Amazon Web Services, Reddit's host,

9:20

registered 7.2 2 terab of traffic to the

9:22

faff happening in its first day, more

9:24

data than Wikipedia transfers in a week.

9:27

Reddit's cisadmin blog later revealed

9:29

the subreddit consumed 141 GB of

9:32

bandwidth per second at peak, requiring

9:35

emergency server allocation that cost

9:37

$47,000.

9:39

The community developed its own

9:40

ecosystem within hours. The fappening

9:43

discussion for analysis. Faffening

9:45

archive for organization. The faffening

9:48

SFW for clothed photos that revealed

9:50

metadata.

9:51

Users created spreadsheets tracking

9:53

which celebrities had leaked, which were

9:55

confirmed fake, and which were coming

9:58

soon. They built browser extensions that

10:01

automatically downloaded new posts. They

10:03

programmed bots that scraped links and

10:05

reposted to backup sites. September 1st,

10:09

6:45 a.m. Michaela Moron's lawyer,

10:13

Jeffrey Steinberger, sends Reddit a

10:15

letter that changes everything. Multiple

10:17

images depict Ms. [ __ ] when she was

10:19

underage. Distribution constitutes a

10:22

federal crime. Remove immediately or you

10:25

will face prosecution. Reddit CEO Yishan

10:28

Wong convenes an emergency conference

10:30

call. The legal team confirms it. A

10:33

quick analysis shows photos dated to

10:36

2013 when [ __ ] was 17.

10:39

Anyone who downloaded, shared, or even

10:41

viewed those specific images technically

10:43

committed a felony. The Fappening had

10:46

become a child pornography distribution

10:48

network with 141,000 participants.

10:51

Within two hours, Reddit bans all Moroni

10:54

content and posts a stark warning

10:56

advising that any underage content would

10:59

result in a permanent ban and a quick

11:01

call to the FBI. But the damage was

11:04

done. Conservative estimates placed

11:06

total downloads at 100 million in the

11:09

first 48 hours. Google Trends showed

11:13

Jennifer Lawrence and leaked peaked at

11:15

100 the maximum score across 19

11:18

countries simultaneously.

11:21

Pornhub reported 41 million searches for

11:23

celebrity names that week, crashing

11:26

their search function. Even Twitter

11:28

suspended 3,847

11:30

accounts for sharing links. Yet, for

11:32

every deletion, users found workarounds,

11:35

spelling the names backwards, using

11:37

emoji codes or creating private Telegram

11:40

channels that grew to 50,000 members

11:42

each. The photos achieved true viral

11:45

permanence, replicated so widely that

11:47

complete removal became mathematically

11:49

impossible.

11:50

But who made the catastrophic decision

11:52

to dump everything free on Forchan? And

11:55

why did the other hackers stay silent as

11:58

their careful work exploded into chaos?

12:02

September 2nd, 2014.

12:05

FBI special agent Jeff Yasenski's phone

12:08

buzzes with an emergency directive from

12:10

the Los Angeles field office. Operation

12:13

Fappening is now classified as a

12:14

priority one cyber investigation

12:17

involving potential child pornography,

12:19

wire fraud, and violations of the

12:21

Computer Fraud and Abuse Act carrying

12:23

combined maximum sentences of 127 years.

12:27

By Sunrise, 28 agents across six cities

12:30

are pulling server logs, ISP records,

12:34

and Bitcoin blockchain data. Apple

12:36

provides 487 GB of access logs. Google

12:41

surrenders email metadata for 1,847

12:44

accounts. Reddit delivers IP addresses

12:47

for every the fappening moderator and

12:49

power user. The digital dragnet deploys.

12:53

The Bitcoin trail leads nowhere. The

12:55

wallet owner used to tumbled coins

12:58

through three mixing services and

13:00

converted to Monero through shape shift.

13:02

But the fishing emails contain a

13:04

critical flaw. Email headers revealing

13:06

original SMTP servers. Apple privacy

13:10

security at icicloud.com routes through

13:13

smttp.mmail.ru

13:16

but the x originating IP header shows

13:18

74.96.184.42

13:23

a Comcast residential address in

13:24

Lancaster, Pennsylvania. Cross

13:27

referencing with Apple's logs shows the

13:29

same IP downloading Jennifer Lawrence's

13:31

iCloud backup on March 14th, 2014.

13:35

The subscriber is Ryan Collins, married

13:37

father of two, no criminal record, and

13:39

works IT support at Lancaster General

13:41

Hospital. October 7th, 2014. FBI agents

13:45

execute simultaneous raids in four

13:47

states. In Lancaster, they find

13:50

Collins's laptop still logged into 12

13:52

celebrity iCloud accounts. His external

13:55

drive contains 18 folders labeled Jaw,

13:58

Cupton, A Plaza, each with hundreds of

14:01

photos. browser history shows 14,000

14:04

visits to icloud.com using different

14:06

credentials. His Gmail drafts folder

14:09

contains template fishing emails with

14:10

subject lines like urgent security alert

14:13

and verify your account. When agents ask

14:16

why, Collins says, "I just wanted to see

14:19

them naked like everyone else." He

14:21

agrees to cooperate immediately,

14:23

providing passwords for encrypted

14:25

folders that reveal photos from another

14:27

52 victims never leaked publicly.

14:31

Chicago agents arrest Edward Meerchic at

14:33

his parents house during breakfast. His

14:36

setup is more sophisticated. Three

14:38

laptops, a VPN router, and custom

14:40

fishing software purchased on a Russian

14:42

hacking forum for $300.

14:45

His Dropbox contains 329 folders

14:48

organized by celebrity name, net worth,

14:51

and rating. 1 to 10 for attractiveness.

14:55

File timestamps show he accessed

14:57

Jennifer Lawrence's account 147 times

15:00

between March and August 2014.

15:04

Myeric's biggest mistake is clear. He

15:06

emailed himself zip files of stolen

15:09

photos, creating permanent Gmail records

15:12

that survived his attempts at deletion.

15:15

Under interrogation, he admits to

15:16

everything but insists, "I never posted

15:19

them online. I swear to God." George

15:23

Gafano's arrest comes with a twist.

15:25

Connecticut State Police find zero

15:27

leaked photos on his devices, but

15:30

discover 7.4 terabytes of stolen content

15:32

from 241 victims, including politicians

15:36

wives, Fortune 500 CEO's daughters, and

15:39

his own high school classmates. His

15:42

journal details 2 years of methodical

15:44

hacking.

15:46

Investigators realize Garafano

15:48

represents hundreds of unknown hackers

15:50

who learned fishing from the same

15:51

Russian forums targeted non-ceelebrities

15:54

and never got caught because their

15:56

victims never went public. The celebrity

15:58

hack wasn't unique. It was the visible

16:00

tip of a massive iceberg. Christopher

16:03

Bron nearly escapes. The former teacher

16:06

covered his tracks better, used public

16:08

Wi-Fi, paid for tools with stolen credit

16:10

cards, and communicated through

16:12

encrypted channels. But he made one

16:14

fatal error. He hacked his own

16:16

sister-in-law to test his methods, and

16:19

she reported the intrusion to police in

16:21

2013. That report sat unexamined until

16:24

FBY agents connected her case to the

16:27

celebrity hacks through matching fishing

16:29

templates. When arrested, Brandon's

16:31

classroom computer at Lee Davis High

16:33

School contains password lists for 200

16:35

accounts, including 15 current students.

16:38

His teaching career ends with federal

16:40

charges that ultimately result in the

16:42

harshest sentence. 34 months in federal

16:45

prison, plus lifetime registration as a

16:47

sex offender due to the underage

16:49

content. By 2019, five men serve a

16:53

combined 96 months in federal prison for

16:55

the celebrity hacks. Collins gets 18

16:58

months and pays $75,000 restitution.

17:02

Mayeric serves 9 months and underos

17:05

courtordered therapy for internet

17:07

addiction. Garafano receives 8 months

17:10

and lifetime ban from social media.

17:12

Herrera, caught later, gets 16 months

17:15

after agents discover he accessed his

17:18

neighbor's Gmail 495 times out of

17:20

obsession. Yet, the original original

17:23

guy who posted everything on Foreshan

17:26

remains unidentified.

17:28

FBI analysis suggests he wasn't one of

17:30

the arrested hackers, but someone who

17:32

obtained the photos through trading

17:34

rings, then destroyed all evidence after

17:37

the leak. His Bitcoin wallet sits

17:40

untouched, $4,731

17:43

in cryptocurrency that nobody has

17:45

claimed in 10 years. How did a simple

17:48

fishing scam expose the deeper nightmare

17:50

of mass surveillance? And what happened

17:52

to the victims forced to live with

17:53

permanent digital violation?

17:57

Jennifer Lawrence cancels 3 days of

17:59

X-Men promotion. Her publicist's phone

18:02

receives 847 media requests in 72 hours.

18:07

During her FBI interview at the Los

18:09

Angeles field office, security footage

18:11

shows her shaking uncontrollably,

18:13

requiring two breaks to manage panic

18:15

attacks. Agent Yasenski's report

18:18

describes, "Subject became extremely

18:20

distressed when shown evidence photos

18:23

required medical attention for

18:24

hyperventilation."

18:27

Later, she tells Vanity Fair,

18:29

"I can't really describe the feeling.

18:32

It's like being stripped naked in a

18:34

stadium filled with people who hate you,

18:37

except the stadium is Planet Earth, and

18:39

it never ends." Her words capture what

18:42

104 confirmed victims experienced.

18:45

Digital rape that continues every time

18:47

someone searches their name on Russian

18:49

forums where the photos still circulate.

18:53

Apple's damage control begins September

18:55

2nd with Tim Cook's emergency statement

18:58

claiming no iCloud breach occurred.

19:00

Technically true, but deliberately

19:02

misleading. Internal emails leaked in

19:05

2021 reveal Apple knew about the Find My

19:08

iPhone vulnerability since 2012, but

19:10

deemed fixing it low priority because it

19:13

hadn't been exploited yet. Within 96

19:16

hours of the fappening, Apple patches 14

19:19

security holes, enforced rate limiting

19:21

on password attempts, mandatory

19:23

two-factor authentication for iCloud

19:25

backups, email alerts for any backup

19:28

download, IP logging for all access

19:30

attempts, automatic account locks after

19:33

five failed attempts, capture

19:35

requirements for password resets, and

19:38

inability to restore backups without

19:40

confirming via trusted device. The

19:42

company never admits these changes

19:44

relate to the celebrity hacks, calling

19:46

them routine security enhancements.

19:50

The legal aftermath reshapes revenge

19:52

porn legislation nationwide.

19:55

Before 2014, only three states had

19:58

specific laws against non-consentual

20:00

pornography distribution. By 2019, 46

20:04

states passed criminal statutes with

20:06

penalties ranging from misdemeanors to

20:08

5-year felonies.

20:10

California's SB1255

20:13

specifically criminalizes hacking to

20:16

obtain intimate images directly inspired

20:19

by the fappity with mandatory minimum

20:22

sentences.

20:23

The Shield Act passes Congress, making

20:25

image-based sexual abuse a federal

20:27

crime. Platform liability changes, too.

20:32

Section 230 gets carved out for

20:34

non-consentual pornography, making sites

20:36

legally responsible for hosting stolen

20:38

intimate content. Reddit, Twitter, and

20:42

Facebook implement photo DNA hashing to

20:45

automatically detect and block

20:47

previously identified intimate images,

20:49

technology originally developed for

20:51

child abuse material now repurposed for

20:53

adult revenge porn. Yet, the internet's

20:56

memory proves permanent. Security

20:59

researcher Troy Hunt's analysis finds

21:00

faffing photos on 17,000 distinct

21:03

domains as of 2024.

21:06

Russian forum deep webporn.ru hosts

21:09

complete archives behind seven proxies

21:11

and three jurisdictions. Telegram

21:13

channels with 400,000 plus members share

21:16

vintage leaks daily. AI face swap

21:19

technology makes verification

21:21

impossible. Any photo could be real or

21:23

generated. Jennifer Lawrence's stolen

21:26

images appear in deep fake porn videos

21:28

with 50 million combined views. Kate

21:31

Upton discovers her leaked photos

21:33

printed in a Serbian magazine. Michaela

21:36

[ __ ] finds her underage images on a

21:38

Brazilian revenge porn site that

21:39

operates openly despite international

21:41

warrants. The hackers went to prison,

21:44

but their theft achieved digital

21:45

immortality. The psychological scars run

21:48

deeper than any sentence. Therapy bills

21:51

from 37 victims total $3.7 million. Four

21:55

celebrities attempt suicide in the year

21:58

following the leak. Their names sealed

22:00

in court documents.

22:02

12 quit entertainment permanently.

22:04

Aubrey Plaza develops agorophobia,

22:06

unable to leave her house for 3 months.

22:09

Gabrielle Union suffers PTSD flashbacks

22:12

triggered by camera phones. Mary

22:15

Elizabeth Winstead describes feeling

22:17

murdered but still walking around. These

22:19

women didn't just lose privacy. They

22:21

lost the ability to exist in public

22:23

without wondering who had seen them

22:25

naked, who had saved those photos, who

22:28

was looking at them right now while

22:29

talking to them at Starbucks or their

22:30

kids' school or the grocery store. The

22:33

hack exposed Silicon Valley's biggest

22:35

lie that our data is safe in the clouds.

22:39

Every major platform suffered breaches

22:41

postfappening.

22:43

Yahoo lost 3 billion accounts. Equifax

22:46

exposed 147 million social security

22:49

numbers. Facebook leaked 533 million

22:53

phone numbers. Twitch dumped its entire

22:55

source code. LinkedIn, Adobe, My Fitness

22:58

Pal, Marriott, Twitter, all hemorrhaged

23:01

data affecting billions. The Celebrity

23:04

hack wasn't an anomaly, but a preview.

23:07

Today, darknet markets sell cloud

23:09

ripping tools for $50, automated fishing

23:12

kits for $200, and step-by-step video

23:15

tutorials on hacking iCloud accounts

23:17

that rack up millions of views before

23:19

removal. The fappening didn't end. It

23:22

evolved into an industry. But here's the

23:25

question nobody asks. If the faff

23:27

happening was just five amateurs who got

23:29

caught, how many professionals never

23:31

did? While you were watching celebrities

23:34

lose everything to fake emails,

23:36

something far worse was happening. The

23:39

same year these hackers went to prison,

23:41

professionals breached a database

23:43

containing passport numbers, credit

23:45

cards, and home addresses of 500 million

23:48

travelers, including yours if you stayed

23:50

at a Marriott between 2014 and 2018.

23:55

Watch what happened in this video.

UNLOCK MORE

Sign up free to access premium features

INTERACTIVE VIEWER

Watch the video with synced subtitles, adjustable overlay, and full playback control.

SIGN UP FREE TO UNLOCK

AI SUMMARY

Get an instant AI-generated summary of the video content, key points, and takeaways.

SIGN UP FREE TO UNLOCK

TRANSLATE

Translate the transcript to 100+ languages with one click. Download in any format.

SIGN UP FREE TO UNLOCK

MIND MAP

Visualize the transcript as an interactive mind map. Understand structure at a glance.

SIGN UP FREE TO UNLOCK

CHAT WITH TRANSCRIPT

Ask questions about the video content. Get answers powered by AI directly from the transcript.

SIGN UP FREE TO UNLOCK

GET MORE FROM YOUR TRANSCRIPTS

Sign up for free and unlock interactive viewer, AI summaries, translations, mind maps, and more. No credit card required.