The Fappening/Celebgate

Could thousands of people keep a secret? Common sense says no—secrets spread, and people talk. But for over a decade, from 2006 to 2017, a website managed to stay under law enforcement’s radar, despite the fact that its many users were participating in illegal activities. The website’s users managed to keep it a secret for such a long time, because they shared one thing in common: they were creeps who traded nude photos. Until one user, driven by simple greed, brought it all crashing down.

Hosted By

Ran Levi

Co-Founder @ PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 16 million downloads as of Nov 2023.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Reach out to me via ran@ranlevi.com.

Could thousands of people keep a secret? Common sense says no—secrets spread, and people talk. Add thousands of people, and it’s bound to get out sooner or later. But for over a decade, from 2006 to 2017, a website managed to stay under law enforcement’s radar, despite the fact that its many users were participating in illegal activities. It wasn’t an obscure site buried in a forgotten corner of the web, either—it was very popular, ranking among the top 6,000 websites in the world and attracting massive traffic.

The website’s users managed to keep it a secret for such a long time, because they shared one thing in common: they were creeps, feeding an insatiable appetite for some of the internet’s most vile content. Their shared obsession with secrecy and commitment to protecting each other formed a twisted bond that was difficult for outsiders to break.

Until one user, driven by simple greed, brought it all crashing down.

The Fappening

On August 31, 2014, a new post appeared on Reddit’s r/celebs – a forum dedicated to female celebrities. Most posts on r/celebs are photos of beautiful young models, singers and actresses, and this new post was no exception: it was a picture of Jennifer Lawrence, from The Hunger Games and X-Men fame. 

Except that where most photos shared on r/celebs are taken by professional photographers and show their subjects wearing sexy swimsuits or glamorous evening dresses – Lawrence’s photo was clearly taken in a private setting and showed her fully nude.  

A few minutes later, another post – yet another naked celebrity – this time of superstar model and actress Kate Upton. And then… another. And another. Scarlett Johansson, Christina Aguilera, Kim Kardashian – hundreds of selfies and short videos of scores of naked celebrities.

The responses to these posts were ecstatic: “I’m writing the OP [original poster] into my will. Well done, sir,” wrote one redditor. Another referred to the flood of spicy photos as “The Fappening” – from the Internet slang term for masturbation.

John Menese, a 33-year-old salesman from Las Vegas, was an active member of Reddit: he frequented a variety of meme and pornography subreddits, and disseminated valuable advice to other redditors on how to find safe dealers and pass drug tests on Reddit’s cocaine forum. On that particular Saturday, Menese was sitting at home browsing Reddit, when he noticed the stream of unusual photos – and the interest building up around them.

He then had an epiphany. As Menese explained in an interview with the Daily Mail –

“[The posts were] something like five or 10 pages deep in r/all, and I was seeing these pics over and over and over again. When I saw that ‘the fappening’ was what Reddit was calling it, I created the [subreddit r/Fappening].”

As more and more users started posting nude photos and videos to the new subreddit, r/Fappening began to take off. No – it exploded. In its first day, it amassed over 100,000 new subscribers and some 141 million page views. For comparison, that’s the amount of traffic that r/AskReddit, one of Reddit’s most popular forums, received in an entire month. 

Menese quickly recruited seven more veteran users to act as moderators, and the team worked around the clock to police the overwhelming flow of new posts to the subreddit, removing fake, photoshopped pictures and links to phishing scams. 

“We got thousands of submissions. We would clear out our mod queue, and there would be a full page when we refreshed it. And that would be with all mods working simultaneously.”

Due to Reddit’s popularity, its content often finds its way to mainstream media – and sure enough, The Fappening didn’t go unnoticed by other media outlets. Celebrity gossip blogger Perez Hilton re-posted some of the photos on his blog (he later took them down, apologizing for “acting in bad taste”), followed by front page articles in dozens of mainstream news websites like The Guardian, Vanity Fair and Forbes – although some of them preferred calling the affair “Celebgate”, instead of the more vulgar “The Fappening”. Tens of new websites with names such as FappeningHub and FappeningBlog sprang up overnight. The internet was on fire.

iBrute

The question everyone was asking was, naturally – where did these photos come from?

Some of the pictures, like those of Nickelodeon actress Victoria Justice and singer Ariana Grande, were fakes – but most were authentic, taken by the subjects themselves. Jennifer Lawrence, for example, admitted that she took her photos for her then boyfriend. 

“I was in a loving, healthy, great relationship for four years. It was long distance, and either your boyfriend is going to look at porn or he’s going to look at you.”

The immediate suspects were ex-partners and spouses who might have leaked the private photos after a breakup – but this explanation was quickly refuted: some of the victims said that they never sent the leaked photos to anyone, like an actress who took some 54 private photos of herself, but only sent some of them to her fiance, storing the rest on her phone. Others revealed that they were locked out of their iCloud and Gmail accounts shortly before their pictures surfaced on the web – a sure indication that some hacking was probably involved. 

As luck would have it, some 24 hours after the leak was exposed on Reddit, someone on Hacker News – a social news website – posted a link to a new hacking tool that was uploaded to GitHub on August 30th, two days earlier, by a Russian security company called HackApp. The software’s name was “ibrute”, and it was a proof of concept that exploited a previously unknown vulnerability in Apple’s Find My iPhone service. The vulnerability allowed attackers to try as many different passwords as they wanted – that is, a “brute force” attack – without the system forcing a cooldown period after several failed attempts. As its developers wrote in the repository’s README file –

“…uses Find My Iphone service API, where brute force protection was not implemented. Password list was generated from top 500 RockYou leaked passwords, which satisfy appleID password policy. Before you start, make sure it’s not illegal in your country.”

RockYou is a set of about 14 million unique passwords from a 2009 data breach of a software company of the same name. The top 500 passwords in the set represent the most commonly reused passwords, giving ibrute a decent chance of cracking a Find My iPhone login. From there, the attacker could easily access a user’s iCloud storage – which is why ibrute was immediately suspected of being used in the hacks that led to private photos being leaked online. Kirsten Dunst, another victim of the Fappening, tweeted sarcastically “Thank you, iCloud.”, adding emojis of pizza and a pile of poo – which when read aloud sounds very much like “piece of shit”…
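The missing cooldown described above, seen from the defender's side, as an added example that is not from the episode, Apple or HackApp: one per-account throttle sits behind every authentication endpoint, so no single API is left without brute-force protection. The class and endpoint names, the thresholds and the guess list are constructed assumptions.

```python
import hmac

class LoginThrottle:
    """Per-account failure counter with an exponentially growing cooldown."""

    def __init__(self, free_attempts=5, base_delay=30.0, max_delay=3600.0):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._state = {}  # account -> (consecutive failures, locked_until)

    def allowed(self, account, now):
        return now >= self._state.get(account, (0, 0.0))[1]

    def record_failure(self, account, now):
        failures = self._state.get(account, (0, 0.0))[0] + 1
        locked_until = 0.0
        if failures >= self.free_attempts:
            extra = failures - self.free_attempts
            locked_until = now + min(self.base_delay * 2 ** extra, self.max_delay)
        self._state[account] = (failures, locked_until)

    def record_success(self, account):
        self._state.pop(account, None)

class AuthService:
    """Hypothetical service: every endpoint funnels through _check()."""

    def __init__(self, throttle, verify):
        self.throttle = throttle
        self.verify = verify  # assumed: the service's real password check

    def _check(self, account, password, now):
        if not self.throttle.allowed(account, now):
            return "throttled"  # refused before the password is even looked at
        if self.verify(account, password):
            self.throttle.record_success(account)
            return "ok"
        self.throttle.record_failure(account, now)
        return "denied"

    def web_login(self, account, password, now):
        return self._check(account, password, now)

    def device_api_login(self, account, password, now):
        return self._check(account, password, now)

# Constructed data: a 500-entry guess list with the real password at index 320.
ACCOUNT = "user@example.com"
GUESSES = [f"constructed-guess-{i:03d}" for i in range(500)]
SECRET = GUESSES[320]

def stand_in_verify(account, password):
    # Stand-in for a real salted-hash comparison, kept trivial for the demo.
    return account == ACCOUNT and hmac.compare_digest(password, SECRET)

def run_guess_list(throttle, interval=1.0):
    """One guess per `interval` seconds via the device API.
    Returns (guesses actually evaluated, whether the password was hit)."""
    svc = AuthService(throttle, stand_in_verify)
    results = [svc.device_api_login(ACCOUNT, g, i * interval)
               for i, g in enumerate(GUESSES)]
    return sum(r != "throttled" for r in results), "ok" in results

if __name__ == "__main__":
    print("no throttle:  ", run_guess_list(LoginThrottle(free_attempts=10**9)))
    print("with throttle:", run_guess_list(LoginThrottle()))
```

Because the counter is keyed on the account and not on the endpoint, failures recorded through one route also close the other.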

Reddit

Meanwhile, as The Fappening craze swept over Reddit, the website itself began crumbling under the weight of incoming traffic, and engineers at the company were struggling to keep the site afloat. They tried taking r/Fappening offline for short periods, but every time they did, redditors quickly created a slew of new subreddits to replace it. 

But at the same time, Reddit had a much bigger problem on its hands. 

Many of the women whose private pictures were leaked as part of The Fappening were understandably distraught. Jennifer Lawrence probably spoke for many of the other victims when she told Vanity Fair, quote – 

“Just because I’m a public figure, just because I’m an actress, does not mean that I asked for this. It does not mean that it comes with the territory. It’s my body, and it should be my choice, and the fact that it is not my choice is absolutely disgusting. I can’t believe that we even live in that kind of world.”

Actress Mary Winstead tweeted – 

“For those of you looking at photos I took with my husband years ago in the privacy of our home, [I] hope you feel great about yourselves.”

Naturally, many in the media sympathized with the pain and public humiliation these women were forced to endure, and demanded that Reddit take action against users who shared the leaked photos. 

This wasn’t a new thing for Reddit. From time to time, over most of Reddit’s existence, bitter arguments would flare up among users regarding subreddits dedicated to controversial or distasteful topics. These included subreddits like r/jailbait, which featured sexualized photos of teenagers, and r/creepshots, where members posted suggestive photos of women taken without their consent. Except for a few rare exceptions, Reddit’s senior management refused to ban such controversial subreddits, saying that tolerating morally questionable subreddits is the price users have to pay to enjoy free speech on a site like Reddit. 

A week after The Fappening exploded, Reddit’s then CEO Yishan Wong reiterated the company’s commitment to free speech. In a blog post titled “Every Man Is Responsible For His Own Soul”, Wong wrote that –

“While current US law does not prohibit linking to stolen materials, we deplore the theft of these images and we do not condone their widespread distribution. […]  Having said that, we are unlikely to make changes to our existing site content policies in response to this specific event.

The reason is because we consider ourselves not just a company running a website where one can post links and discuss them, but the government of a new type of community. The role and responsibility of a government differs from that of a private corporation, in that it exercises restraint in the usage of its powers.”

It’s a valid view, and one could even praise Wong for her determination to defend the right to free speech against such strong criticism…  if it weren’t for the fact that she didn’t. On September 7th, the very same day that the blog post was published, r/Fappening was shut down.

Why? Because immediately following the leak, several of the more high-profile victims – including Victoria Justice, Kate Upton and Jennifer Lawrence herself – announced that they would be taking legal action against Reddit if the company did nothing to stop users from posting the leaked pictures, and their lawyers were quick to hit Reddit with multiple DMCA takedown requests. Things got even worse for Reddit when it was discovered that one of the victims, gymnast McKayla Maroney, was underage – which could categorize her nude photos as child pornography.

For some time, Reddit tried to walk between the raindrops and pacify both sides, as one employee of the company, a sysadmin, described in a post. 

“The images which were DMCAd were continually being reposted constantly on the subreddit. We would takedown images (thumbnails) in response to those DMCAs, but it quickly devolved into a game of whack-a-mole. We’d execute a takedown, someone would adjust, reupload, and then repeat. This same practice was occurring with the underage photos, requiring our constant intervention.[…] It became obvious that we were either going to have to watch these subreddits constantly, or shut them down. We chose the latter.”

In other words, Reddit’s ethical concerns about free speech—which it had used as an excuse for not taking down creepshots of victimized women—disappeared in the face of legal pressure from wealthy victims who had the means to take Reddit to court and threaten the company’s bottom line.

Many commentators were quick to point their finger at the obvious hypocrisy, noting that Reddit made more money from page views of r/Fappening in a week, than it did in a whole month. As one redditor wrote, 

“You guys are a bunch of hypocrites, and this post is bullshit. […] This is all about covering your ass, not about doing the right thing. […] Subreddits with compromising pictures of underage girls existed for years, probably still do, until the media made a stink, forcing the admins to act. So perhaps get off your high horse. Every man is responsible for his own soul, but that is not what this is about.”

Ultimately, some six months later, Reddit did change its rules and banned posting intimate photos without the subject’s consent. 

AnonIB

Contrary to the earlier suspicions, it turned out that ibrute – the hacking tool allegedly used by the hackers to break into the victims’ accounts – had nothing to do with the leak. Although Apple quickly fixed the vulnerability that ibrute exploited, its internal investigation concluded:

“[The] celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions. […] None of the cases we have investigated have resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.”

So it seemed that no sophisticated hacking tools were used in the attack. How, then, was someone able to break into the accounts of hundreds of A-list Hollywood celebrities? 

When the answer was finally revealed a few weeks later, it probably disappointed those who imagined the attack to be the work of a daring group of cyber criminals – but at the same time, it was much, much darker than that. 

In its heyday, AnonIB was a very popular website: according to Alexa, a web traffic and analysis service, it ranked among the top 6000 sites on the internet. Don’t feel too bad if you’ve never heard of it—its founders and members did everything they could to keep it under the radar, because AnonIB was an online meeting place for creeps. 

AnonIB’s anonymous users were collectors and traders of pictures and videos of nude women, like photos of drunken or passed out women found on the web, “creepshots” – up-skirt photos or pictures taken by candid cameras in public toilets – and private photos stolen by vindictive ex-boyfriends. To get in on the action and join the image board, a new user would need to bring his own novel material, new photos and videos. 

Many of the pictures were of ordinary women and girls – but the most highly prized “wins”, as AnonIB’s users called these nudes – were naturally those of famous celebrities. Nik Cubrilovic, an Australian security researcher who investigates the underground world of revenge porn, described the economics of AnonIB in his blog: 

“The economics are simple — the more famous a celebrity, or the more of a cult following they have, the higher the demand for their nudes. The less nude pictures there are available, the higher the asking price. Conversely, the more widely shared and distributed an image has become, the less valuable it is.”

Interestingly, says Nik, no money was involved in the trade of these images. 

“Most of the trading rings work not with cash payments for pictures, but through trading image sets. Users would compare their lists of sets and then come to an agreement to exchange one for another. This way the traders and collectors each build up their image sets over time and they have an incentive to go out and find new sources of rips.”

Why weren’t such “wins” being sold for money? After all, it’s pretty obvious that a rare nude of a pretty Hollywood celebrity could fetch at least a few hundred dollars, if not more. But AnonIB’s scumbags weren’t stupid: they knew that if enough victims learned about the illicit trade going on in their dark corner of the internet, authorities might get involved and shut down their operation. That’s why, for example, the site’s moderators prohibited the posting of last names or other identifying information about the women whose pictures were being traded: not to protect the women – but to prevent the activity from being discovered by a simple Google search. 

Selling the photos for money was prohibited for much the same reason: the only people who could be trusted to keep a low profile were those who actively participated in the trade and, therefore, had a vested interest in keeping AnonIB’s existence secret from the rest of the world. To quote Nik Cubrilovic again – 

“You need to be trustworthy, and money alone doesn’t buy that. In fact the perception is that if someone shows up and tries to make a lot of money, they are going to blow everything up.”

Which is exactly what happened. 

The Hackers

While the internet was blowing up over the Fappening, the FBI conducted its own quiet investigation. Usually, as with most of the stories we tell here in Malicious Life, such investigations take years and span continents – but not in this case. On October 16th, only about a month after the Fappening, FBI agents raided the Chicago home of 32-year-old Emilio Herrera and seized his computers and cell phone. Herrera was arrested for unauthorized access to no fewer than 550 Gmail and iCloud accounts.

How was the FBI able to nail Herrera so quickly? Because Herrera wasn’t a hacker in any true sense of the word. Most of what he knew about hacking he learned on the AnonIB forums, where entire threads were dedicated to teaching users how to use simple open source tools to craft phishing emails that pretended to come from Apple or Google, and tools to quickly siphon as many nude photos as possible from hacked accounts before their access was revoked. Being a “script kiddie,” Herrera knew nothing about covering his tracks: a simple scan of server logs revealed that his IP address accessed the hacked accounts no fewer than 3,263 times.
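The kind of log scan described above, generalized into an added example (not the FBI's or any provider's actual tooling): the signal is one source address logging in successfully to many distinct accounts, not raw request volume. The log format, field names and threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed line format: "<timestamp> <source-ip> <event> acct=<account>"
LINE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<event>\w+) acct=(?P<acct>\S+)$")

def fan_out_by_ip(lines, min_accounts=5):
    """Return {ip: (distinct accounts, successful logins)} for every source
    address that logged in to at least `min_accounts` different accounts."""
    accounts = defaultdict(set)
    hits = defaultdict(int)
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["event"] != "login_ok":
            continue  # skip malformed lines and failed logins
        accounts[m["ip"]].add(m["acct"].lower())
        hits[m["ip"]] += 1
    flagged = {ip: (len(accts), hits[ip])
               for ip, accts in accounts.items() if len(accts) >= min_accounts}
    # Widest fan-out first: that is the address to look at.
    return dict(sorted(flagged.items(), key=lambda kv: -kv[1][0]))

def sample_log():
    """Constructed log lines (documentation IP ranges, example.com accounts)."""
    lines = []
    for n in range(8):        # one source reaching eight different accounts
        for rep in range(3):
            lines.append(f"2014-08-30T21:{n:02d}:{rep:02d}Z 203.0.113.7 "
                         f"login_ok acct=user{n:03d}@example.com")
    for rep in range(10):     # a household: two accounts behind one address
        lines.append(f"2014-08-30T09:00:{rep:02d}Z 198.51.100.20 "
                     "login_ok acct=alice@example.com")
        lines.append(f"2014-08-30T09:01:{rep:02d}Z 198.51.100.20 "
                     "login_ok acct=bob@example.com")
    for rep in range(40):     # a busy owner: many logins, a single account
        lines.append(f"2014-08-30T10:00:{rep:02d}Z 192.0.2.55 "
                     "login_ok acct=carol@example.com")
    lines.append("2014-08-30T22:00:00Z 192.0.2.99 login_fail "
                 "acct=user001@example.com")
    lines.append("malformed line without fields")
    return lines

if __name__ == "__main__":
    for ip, (n_accounts, n_logins) in fan_out_by_ip(sample_log()).items():
        print(f"{ip}: {n_accounts} accounts, {n_logins} successful logins")
```

In the sample, the address with the most logins (40, all to one account) is not flagged, while the one reaching eight accounts is.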

Over the next few weeks four more suspects, members of the AnonIB trading ring, were arrested in quick succession: George Garofano, a 26-year-old from North Branford, Connecticut; Ryan Collins, a 36-year-old married father from Lancaster, Pennsylvania; Edward Majerczyk, a 29-year-old from Chicago; and Christopher Brannan, a 31-year-old special education teacher from Mechanicsville, Virginia.

Although none of the five men knew each other, they all operated in much the same way. They sent phishing emails to their victims from addresses that appeared to come from Apple’s or Google’s security departments, such as email.protection318@icloud.com and secure.helpdesk0119@gmail.com. The links in these emails led to fake web pages that mimicked the service login screens. When needed, the men would scour their victims’ social media accounts to uncover publicly available information that allowed them to guess the answers to security questions. Their primary targets were celebrities, but many of them also targeted their neighbors and colleagues. Christopher Brannan, for example, hacked the accounts of fellow teachers and students at the school he was teaching at, and even targeted his underage sister-in-law. Once they had the “wins”, the men went on AnonIB, where they traded them with other like-minded creeps.

The Collector

Except that one of these creeps wasn’t like the others.

He was probably a rookie, someone who relatively recently joined AnonIB and quickly amassed an impressive hoard of some 500 photos of very famous female celebrities. But then greed got the better of him: The Collector, as he called himself, decided to try selling the ill-gotten pictures on 4chan for Bitcoin. He posted several samples of his “wares” on 4chan’s image boards and waited for the money to start rolling in.

Had the Collector had a basic knowledge of economics, he could have guessed what would happen next. Other AnonIB users, who also had all or some of the same nudes in their collections, realized that once these pictures leaked out of AnonIB to 4chan and from there to the rest of the world, their value would quickly plummet to zero. Some of them decided to cash in while they still could and began offering their collections on 4chan at a lower cost—leading to a rapid race to the bottom. Other 4chan users decided to capitalize on the escalating feeding frenzy, and tried to scam other users by reselling the samples The Collector gave away for free. 

The Collector watched helplessly as his budding enterprise crashed. He later lamented this in a public post. 

“Sure, I got $120 with my bitcoin address, but when you consider how much time was put into acquiring this stuff (i’m not the hacker, just a collector), and the money (i paid a lot via bitcoin as well to get certain sets when this stuff was being privately traded Friday/Saturday) I really didn’t get close to what I was hoping. Mainly because of the extra bitcoin spammers spamming their own addresses.. taking my original posts and passing them off as their own to try and get bitcoin.”

And just as AnonIB’s more seasoned traders feared, the spillover from 4chan to Reddit and The Fappening that followed, eventually led to the arrest of the five men who stole the pictures – and ultimately to the downfall of AnonIB itself: Its founders were arrested in the Netherlands in 2017 by Dutch police, and the website was shut down.

Epilogue

All five men who were arrested for breaking into the celebrities’ cloud accounts and stealing their private photographs pleaded guilty in their trials, and were sentenced to terms of between 8 and 18 months, except for Christopher Brannan, whose sentence was particularly harsh – 34 months – likely because he targeted his students and his teenage sister-in-law. Brannan publicly apologized for his deeds: “I let [my porn] addiction take control of me and I deeply regret that.”

Jennifer Lawrence, for her part, wasn’t content with mere apologies. 

“It is not a scandal. It is a sex crime […] The law needs to be changed, and we need to change. That’s why these Websites are responsible.”

Could changing the law in any way solve the problem of private photos and videos being stolen and shared on the internet, either for money or any other reason? To be honest – I doubt it. One only needs to recall the identities of the people who stole and traded the photos: none of them had a criminal record prior to their arrests. The same is true for the millions of Reddit users who gleefully viewed the nude photos: ordinary, mostly normative men. Heck, I’m a longtime Reddit user myself: Could I have resisted the temptation to sneak a peek at a nude of a pretty celebrity?… I’d be a hypocrite if I said that I could, one hundred percent. As one commentator wrote on Reddit –

“On one hand I feel absolutely terrible for these people having it done to them. Buuuut on the other hand… I still looked and 10/10 would look again. I’m a terrible person, I know.”

Perhaps the most compelling evidence for the above argument is that in 2020, AnonIB was resurrected – probably under new management – offering its members over 3 TB of photos and videos that “you will not see or find anywhere else on the internet.”

Maybe it’s not a cyber security problem at all, nor some loophole in the law books. As sad as it is to acknowledge, maybe it’s just… human nature.