The Hack That Exposed Every Celebrity’s Private Photos

August 31st, 2014. Jennifer Lawrence's

phone explodes with 847 missed calls.

Her agent screams through voicemail.

Don't go online. Do not go online. But

it's too late. She opens Twitter to see

her name trending worldwide next to a

photo of her naked body she took 3 years

ago. The image already has 14 million

views.

Across Hollywood, 100 other celebrities

discover their most private moments are

now public property. Kate Upton's

honeymoon videos. Scarlett Johansson's

bathroom selfies. Michaela Moron's

photos from when she was 17, making

millions of downloaders felons. Within

48 hours, the images spread to 17,000

websites and four victims attempt

suicide. But here's what makes this

horrifying.

The hackers were five nobbodyies who

simply sent fake Apple security emails.

So, who were these five ordinary men?

And what made them suddenly leak

everything?

November 2013.

Ryan Collins sits in his Lancaster

basement staring at code on his Dell

laptop. He's copying Apple's password

reset page pixel by pixel, changing one

line where legitimate resets send data

to Apple's servers. His version roots

passwords to Collins data@gmail.com.

He registers Apple Privacy Security at

icloud.com through a Romanian proxy.

Tests the fishing kit on his wife's

account thing that she will never

notice. then loads a CSV file containing

4,811

celebrity email addresses scraped from

IMDb Pro, talent agency leaks, and

paparazzi contact sheets. His first

target is Scarlett Johansson's

assistant, whose email was leaked in the

2011 Sony Pictures hack. 2,000 m away in

Chicago, Edward Mertic runs a parallel

operation from his childhood bedroom.

While his parents watch Jeopardy

downstairs, he sends 18 fishing emails

to addresses ending in unitedalent.com,

wmeenter entertainment.com,

and ca.com, Hollywood's biggest

agencies. His subject lines pull from

TMZ headlines. Urgent unauthorized

access detected from Moscow, Russia,

arrives hours after news breaks of

celebrity nude photo threats. Your

iCloud photos may be compromised, lands

during the Sony hack coverage. But

Mayerchic has done an innovation. He

times each fishing wave to coincide with

real security breaches, making paranoid

celebrities more likely to click.

Between November 2013 and April 2014, he

sends 4,729

emails and 312 people enter their

passwords. 30 are household names. The

hackers discovered Apple's fatal flaw.

The Find My iPhone feature allowed

unlimited password attempts through an

API endpoint. Christopher Brandon wrote

a Python script that tried 14,000 common

passwords against celebrity accounts in

rapid succession. When one password

failed, the script tried the next one in

the list and then the next one and so on

until he got the correct password. No

lockouts, no alerts, just infinite

attempts at 50 tries per second. Brandon

cracked Jennifer Lawrence's account

after 1,847

attempts. Her password was Nashville

2011, the city and year she filmed

Hunger Games. Rihanna fell after 3,221

tries. Barbados 88, her birthplace and

birth year. Avil Lavine used Skater Boy,

her own song title, but passwords were

just the first door. Security questions

provided access to the account. What

street did you grow up on? For

celebrities, Wikipedia knew the answer.

Mother's maiden name. Ancestry.com

provided full family trees. First pet's

name. Old MySpace posts from 2004

contained gold mines of personal trivia.

George Gafano discovered Kate Upton's

high school mascot, the Rockets, from a

Melbourne Catholic School alumni page.

He found Kirsten Dun's first dog's name,

Biscuit, in a 1997 newspaper interview

about Interview with the Vampire.

Michaela Moron's favorite teacher

appeared in her hometown papers student

of the month feature from 2006.

Each answer unlocked another account,

another backup, another thousand photos

never meant for public eyes. The iCloud

backup system became their ATM.

When someone logs into iCloud from a new

device, Apple sends an alert unless

you're restoring from backup. The hacker

selected restore from iCloud backup on

iTunes, entered stolen credentials, and

downloaded the entire phone contents

without triggering notifications.

Ryan Collins downloaded Jennifer

Lawrence's 23 GB backup containing 1,789

photos and 94 videos spanning three

years. The download took 4 hours on his

Comcast connection. He watched Netflix

while photos never meant to be seen

transferred to his hard drive. No alerts

reached her phone. No emails warned of

access. Apple's logs showed a routine

backup restoration from an iPhone 5C,

the same model Lawrence owned. The best

part of this hack is that these weren't

master criminals. Collins forgot to use

a VPN for 12 downloads, leaving his real

IP address in server logs. Meerchic paid

for his fishing domains with a PayPal

account linked to his actual checking

account at Chase Bank. Gafano

screenshotted his trophy photos and

accidentally included his Windows

username, George G Dell, in the file

metadata. Brandon tested his password

cracker on his school district email,

leaving traces that led directly to his

teacher ID number. They made every

amateur mistake possible except getting

caught. For 18 months, nobody noticed

Hollywood stars were being

systematically attacked. But why did

four separate hackers suddenly start

hunting celebrity photos within weeks of

each other? And what made them risk

everything to release their collections?

August 30th, 2014, 9:30 p.m. On the

notorious Anonib forum, Foran's evil

twin dedicated to revenge porn, user

original guy posts 12 words that ignite

a frenzy. I have hundreds of celebrity

nudes. Bitcoin's welcome samples inside.

More coming. Attached. There is a

censored thumbnail of Jennifer Lawrence

that image reverse searches confirm

exists nowhere else online. The post

includes a Bitcoin address and within 10

minutes, blockchain records show 0.2847

Bitcoin, $147,

received from 16 different wallets.

original guy responds with a mega link

containing 43 uncensored photos. At that

exact moment, everything got

uncontrolled. By 10:30 p.m., the anonib

thread reaches $500 posts as users beg,

threaten, and bid for specific

celebrities.

Someone offers $1,000 Bitcoin for Emma

Watson photos. Another promises $500 for

Taylor Swift. Original guy stays silent

for 47 minutes, then drops the bomb, a

file containing 461 photos from 60

celebrities. The password, irony, it is

infected, a detail that would later help

FBI cryp analysts identify which

collections came from which hacker. At

11:47 p.m., an anonymous user, likely

original guy on a different IP, migrates

to Foreshan's higher traffic Bboard and

uploads everything for free. The

business model collapsed. The chaos

began. Forchan moderator M_L would later

testify he deleted over 10,000 posts

that night. For every thread removed,

users created five more. They switched

tactics, posting Imor albums, non-files

links, mega folders, media fire

archives. When those got DMCA, they used

Russian site RGHost, Chinese platform

BU, blockchain storage on Swarm. Even

someone uploaded the entire cache to the

pirate bay disguised as a Linux

distribution. Another user embedded

photos in a Minecraft world file that

went viral on gaming forums. By 2 a.m.

September 1st, Reddit user John's McJed

subreddit called the Fappening. Remember

this. His first post contains Jennifer

Lawrence, Kate Upton, Ariana Grande, and

hundreds of others. Reddit's

infrastructure buckled immediately. The

subreddit gained 10,000 subscribers per

hour for six consecutive hours, a rate

that exceeded Reddit's previous record,

Obama's 2012 AMA, by 400%.

Amazon Web Services, Reddit's host,

registered 7.2 2 terab of traffic to the

faff happening in its first day, more

data than Wikipedia transfers in a week.

Reddit's cisadmin blog later revealed

the subreddit consumed 141 GB of

bandwidth per second at peak, requiring

emergency server allocation that cost

$47,000.

The community developed its own

ecosystem within hours. The fappening

discussion for analysis. Faffening

archive for organization. The faffening

SFW for clothed photos that revealed

metadata.

Users created spreadsheets tracking

which celebrities had leaked, which were

confirmed fake, and which were coming

soon. They built browser extensions that

automatically downloaded new posts. They

programmed bots that scraped links and

reposted to backup sites. September 1st,

6:45 a.m. Michaela Moron's lawyer,

Jeffrey Steinberger, sends Reddit a

letter that changes everything. Multiple

images depict Ms. [ __ ] when she was

underage. Distribution constitutes a

federal crime. Remove immediately or you

will face prosecution. Reddit CEO Yishan

Wong convenes an emergency conference

call. The legal team confirms it. A

quick analysis shows photos dated to

2013 when [ __ ] was 17.

Anyone who downloaded, shared, or even

viewed those specific images technically

committed a felony. The Fappening had

become a child pornography distribution

network with 141,000 participants.

Within two hours, Reddit bans all Moroni

content and posts a stark warning

advising that any underage content would

result in a permanent ban and a quick

call to the FBI. But the damage was

done. Conservative estimates placed

total downloads at 100 million in the

first 48 hours. Google Trends showed

Jennifer Lawrence and leaked peaked at

100 the maximum score across 19

countries simultaneously.

Pornhub reported 41 million searches for

celebrity names that week, crashing

their search function. Even Twitter

suspended 3,847

accounts for sharing links. Yet, for

every deletion, users found workarounds,

spelling the names backwards, using

emoji codes or creating private Telegram

channels that grew to 50,000 members

each. The photos achieved true viral

permanence, replicated so widely that

complete removal became mathematically

impossible.

But who made the catastrophic decision

to dump everything free on Forchan? And

why did the other hackers stay silent as

their careful work exploded into chaos?

September 2nd, 2014.

FBI special agent Jeff Yasenski's phone

buzzes with an emergency directive from

the Los Angeles field office. Operation

Fappening is now classified as a

priority one cyber investigation

involving potential child pornography,

wire fraud, and violations of the

Computer Fraud and Abuse Act carrying

combined maximum sentences of 127 years.

By Sunrise, 28 agents across six cities

are pulling server logs, ISP records,

and Bitcoin blockchain data. Apple

provides 487 GB of access logs. Google

surrenders email metadata for 1,847

accounts. Reddit delivers IP addresses

for every the fappening moderator and

power user. The digital dragnet deploys.

The Bitcoin trail leads nowhere. The

wallet owner used to tumbled coins

through three mixing services and

converted to Monero through shape shift.

But the fishing emails contain a

critical flaw. Email headers revealing

original SMTP servers. Apple privacy

security at icicloud.com routes through

smttp.mmail.ru

but the x originating IP header shows

74.96.184.42

a Comcast residential address in

Lancaster, Pennsylvania. Cross

referencing with Apple's logs shows the

same IP downloading Jennifer Lawrence's

iCloud backup on March 14th, 2014.

The subscriber is Ryan Collins, married

father of two, no criminal record, and

works IT support at Lancaster General

Hospital. October 7th, 2014. FBI agents

execute simultaneous raids in four

states. In Lancaster, they find

Collins's laptop still logged into 12

celebrity iCloud accounts. His external

drive contains 18 folders labeled Jaw,

Cupton, A Plaza, each with hundreds of

photos. browser history shows 14,000

visits to icloud.com using different

credentials. His Gmail drafts folder

contains template fishing emails with

subject lines like urgent security alert

and verify your account. When agents ask

why, Collins says, "I just wanted to see

them naked like everyone else." He

agrees to cooperate immediately,

providing passwords for encrypted

folders that reveal photos from another

52 victims never leaked publicly.

Chicago agents arrest Edward Meerchic at

his parents house during breakfast. His

setup is more sophisticated. Three

laptops, a VPN router, and custom

fishing software purchased on a Russian

hacking forum for $300.

His Dropbox contains 329 folders

organized by celebrity name, net worth,

and rating. 1 to 10 for attractiveness.

File timestamps show he accessed

Jennifer Lawrence's account 147 times

between March and August 2014.

Myeric's biggest mistake is clear. He

emailed himself zip files of stolen

photos, creating permanent Gmail records

that survived his attempts at deletion.

Under interrogation, he admits to

everything but insists, "I never posted

them online. I swear to God." George

Gafano's arrest comes with a twist.

Connecticut State Police find zero

leaked photos on his devices, but

discover 7.4 terabytes of stolen content

from 241 victims, including politicians

wives, Fortune 500 CEO's daughters, and

his own high school classmates. His

journal details 2 years of methodical

hacking.

Investigators realize Garafano

represents hundreds of unknown hackers

who learned fishing from the same

Russian forums targeted non-ceelebrities

and never got caught because their

victims never went public. The celebrity

hack wasn't unique. It was the visible

tip of a massive iceberg. Christopher

Bron nearly escapes. The former teacher

covered his tracks better, used public

Wi-Fi, paid for tools with stolen credit

cards, and communicated through

encrypted channels. But he made one

fatal error. He hacked his own

sister-in-law to test his methods, and

she reported the intrusion to police in

2013. That report sat unexamined until

FBY agents connected her case to the

celebrity hacks through matching fishing

templates. When arrested, Brandon's

classroom computer at Lee Davis High

School contains password lists for 200

accounts, including 15 current students.

His teaching career ends with federal

charges that ultimately result in the

harshest sentence. 34 months in federal

prison, plus lifetime registration as a

sex offender due to the underage

content. By 2019, five men serve a

combined 96 months in federal prison for

the celebrity hacks. Collins gets 18

months and pays $75,000 restitution.

Mayeric serves 9 months and underos

courtordered therapy for internet

addiction. Garafano receives 8 months

and lifetime ban from social media.

Herrera, caught later, gets 16 months

after agents discover he accessed his

neighbor's Gmail 495 times out of

obsession. Yet, the original original

guy who posted everything on Foreshan

remains unidentified.

FBI analysis suggests he wasn't one of

the arrested hackers, but someone who

obtained the photos through trading

rings, then destroyed all evidence after

the leak. His Bitcoin wallet sits

untouched, $4,731

in cryptocurrency that nobody has

claimed in 10 years. How did a simple

fishing scam expose the deeper nightmare

of mass surveillance? And what happened

to the victims forced to live with

permanent digital violation?

Jennifer Lawrence cancels 3 days of

X-Men promotion. Her publicist's phone

receives 847 media requests in 72 hours.

During her FBI interview at the Los

Angeles field office, security footage

shows her shaking uncontrollably,

requiring two breaks to manage panic

attacks. Agent Yasenski's report

describes, "Subject became extremely

distressed when shown evidence photos

required medical attention for

hyperventilation."

Later, she tells Vanity Fair,

"I can't really describe the feeling.

It's like being stripped naked in a

stadium filled with people who hate you,

except the stadium is Planet Earth, and

it never ends." Her words capture what

104 confirmed victims experienced.

Digital rape that continues every time

someone searches their name on Russian

forums where the photos still circulate.

Apple's damage control begins September

2nd with Tim Cook's emergency statement

claiming no iCloud breach occurred.

Technically true, but deliberately

misleading. Internal emails leaked in

2021 reveal Apple knew about the Find My

iPhone vulnerability since 2012, but

deemed fixing it low priority because it

hadn't been exploited yet. Within 96

hours of the fappening, Apple patches 14

security holes, enforced rate limiting

on password attempts, mandatory

two-factor authentication for iCloud

backups, email alerts for any backup

download, IP logging for all access

attempts, automatic account locks after

five failed attempts, capture

requirements for password resets, and

inability to restore backups without

confirming via trusted device. The

company never admits these changes

relate to the celebrity hacks, calling

them routine security enhancements.

The legal aftermath reshapes revenge

porn legislation nationwide.

Before 2014, only three states had

specific laws against non-consentual

pornography distribution. By 2019, 46

states passed criminal statutes with

penalties ranging from misdemeanors to

5-year felonies.

California's SB1255

specifically criminalizes hacking to

obtain intimate images directly inspired

by the fappity with mandatory minimum

sentences.

The Shield Act passes Congress, making

image-based sexual abuse a federal

crime. Platform liability changes, too.

Section 230 gets carved out for

non-consentual pornography, making sites

legally responsible for hosting stolen

intimate content. Reddit, Twitter, and

Facebook implement photo DNA hashing to

automatically detect and block

previously identified intimate images,

technology originally developed for

child abuse material now repurposed for

adult revenge porn. Yet, the internet's

memory proves permanent. Security

researcher Troy Hunt's analysis finds

faffing photos on 17,000 distinct

domains as of 2024.

Russian forum deep webporn.ru hosts

complete archives behind seven proxies

and three jurisdictions. Telegram

channels with 400,000 plus members share

vintage leaks daily. AI face swap

technology makes verification

impossible. Any photo could be real or

generated. Jennifer Lawrence's stolen

images appear in deep fake porn videos

with 50 million combined views. Kate

Upton discovers her leaked photos

printed in a Serbian magazine. Michaela

[ __ ] finds her underage images on a

Brazilian revenge porn site that

operates openly despite international

warrants. The hackers went to prison,

but their theft achieved digital

immortality. The psychological scars run

deeper than any sentence. Therapy bills

from 37 victims total $3.7 million. Four

celebrities attempt suicide in the year

following the leak. Their names sealed

in court documents.

12 quit entertainment permanently.

Aubrey Plaza develops agorophobia,

unable to leave her house for 3 months.

Gabrielle Union suffers PTSD flashbacks

triggered by camera phones. Mary

Elizabeth Winstead describes feeling

murdered but still walking around. These

women didn't just lose privacy. They

lost the ability to exist in public

without wondering who had seen them

naked, who had saved those photos, who

was looking at them right now while

talking to them at Starbucks or their

kids' school or the grocery store. The

hack exposed Silicon Valley's biggest

lie that our data is safe in the clouds.

Every major platform suffered breaches

postfappening.

Yahoo lost 3 billion accounts. Equifax

exposed 147 million social security

numbers. Facebook leaked 533 million

phone numbers. Twitch dumped its entire

source code. LinkedIn, Adobe, My Fitness

Pal, Marriott, Twitter, all hemorrhaged

data affecting billions. The Celebrity

hack wasn't an anomaly, but a preview.

Today, darknet markets sell cloud

ripping tools for $50, automated fishing

kits for $200, and step-by-step video

tutorials on hacking iCloud accounts

that rack up millions of views before

removal. The fappening didn't end. It

evolved into an industry. But here's the

question nobody asks. If the faff

happening was just five amateurs who got

caught, how many professionals never

did? While you were watching celebrities

lose everything to fake emails,

something far worse was happening. The

same year these hackers went to prison,

professionals breached a database

containing passport numbers, credit

cards, and home addresses of 500 million

travelers, including yours if you stayed

at a Marriott between 2014 and 2018.

Watch what happened in this video.