Self-proclaimed Miley Cyrus hacker Josh Holly was sentenced on Monday to three years probation for computer crimes — though not for the Cyrus hack that was his claim to fame.
Holly, 22, pleaded guilty last April to possessing about 200 stolen credit card numbers, and to breaching celebrity MySpace pages in a spamming scheme that earned him at least $100,000.
Holly was sentenced in Tennessee and was spared jail time, even though he apparently violated his pre-sentencing terms that banned him from accessing the Internet. In a July 4 post to Facebook, Holly allegedly wrote, “I’m having these strong urges to start playing around and hacking shit again, there’s so much new stuff on the net. I can’t stop these urges. Am I a bad person?”
In October, Holly’s attorney argued against jail time, asserting that his client should get credit for cooperating with the FBI by providing “information about others that he was aware were involved in illegal computer-related activities.”
He also argued that probation would be “sufficiently onerous punishment for a first-time offender of immature mental age,” and asserted that the youth should be spared prison because of his diminutive height. Holly stands 5′ 6″.
Prosecutors responded that they would not challenge the assertions about Holly’s “youth, mental and emotional issues and physical stature,” but noted that Assistant U.S. Attorney Hilliard Hester was the same height as Holly, and therefore Holly was “not so remarkably short” that his height should be a factor for leniency.
Holly boasted in 2008 that he was responsible for stealing and posting provocative pictures stolen from Miley Cyrus’ Gmail.
He has never been charged with hacking Cyrus’ e-mail account, however, but after bragging online about this and other activity, and taunting authorities that they would never find him, his apartment in Murfreesboro, Tennessee, was raided in October 2008, at which point authorities found evidence of the cards and spamming scheme.
Holly, who went by the screen names “TrainReq,” “Rockz” and “h4x,” told Threat Level in 2008 that he had gained access to a Gmail account Cyrus had used ([email protected]) and found images the Hannah Montana actress had purportedly sent to singer Nick Jonas of the Jonas Brothers.
He claimed that he tried to sell the pictures to TMZ.com and other celebrity outlets, but no one would buy them, given the illegal manner by which he’d obtained them. He then posted some of them online at digitalgangster.com, after which numerous gossip and celebrity websites published them for free. More photos followed thereafter.
The images showed the then-15-year-old Cyrus in a wet T-shirt in the shower, baring her midriff while blowing a kiss to a mirror, and posing seductively in her underwear and bathing suit.
Holly told Threat Level he got access to Cyrus’ Gmail account after obtaining unauthorized access to a MySpace administrative panel where he found passwords for MySpace accounts stored in cleartext. Holly said he obtained access to the administrative panel by social engineering a MySpace employee. Once inside the panel, he found the password Cyrus used for her MySpace account — Loco92 — and tried it on a Gmail account she was known to use.
In addition to stealing Cyrus’ password, he reset MySpace account passwords for a number of other celebrity MySpace users, then used their accounts for a spamming scheme that he said netted him about $50,000.
According to an affidavit, Holly admitted to the FBI that beginning in 2005 he had hijacked numerous celebrity internet accounts to conduct spamming. An investigation of his bank records showed that between November 2007 and July 2008, he received more than $110,000 from companies for spamming on their behalf. Holly told Threat Level that half of his illicit income went to an accomplice in Israel who used the online nickname elul21 (Elul is the Hebrew name of a month on the Jewish calendar).
Holly also said that the celebrity MySpace accounts he accessed to conduct his spamming activity belonged mainly to recording artists and groups — Chris Brown, Rihanna, Linkin Park, Fall Out Boy. He accessed about 20 accounts. Once he had passwords to the accounts, he used the accounts to send bulletins to all of the friends on the MySpace accounts advertising a ringtone or call service for the recording artist. For example, he’d send out a bulletin from Fall Out Boy’s MySpace account telling fans that the band would call their phone and send them a ringtone if they clicked on a link and entered their details.
Holly said the advertising affiliates he worked for paid him between $5 and $12 per person who responded to the ad. The affiliates didn’t know he was spamming customers, he said, and, when they found out, they terminated their work with him and refused to pay him outstanding earnings.
Photo: Mug shot of Josh Holly courtesy of The Smoking Gun