HeHeStreams: Pirate IPTV Owner Admits Cybercrime, Forfeits $500K
The former operator of pirate IPTV service HeHeStreams has reached a plea agreement with the US government. After being indicted on several counts carrying sentences of up to 20 years each, Joshua Streit has admitted to a single cybercrime offense. In addition to a potential prison sentence, Streit will now forfeit $500K.
hackerThere are many options for those seeking a cheap pirate IPTV package but it’s rare for any single provider to offer consistently solid streams, in decent quality, and at a fair price. HeHeStreams was one of the few to exceed expectations.
With a focus on MLB, NBA, NFL, and NHL content, HeHeStreams built an enthusiastic customer base so when it disappeared last year following an investigation by the Alliance for Creativity (ACE) and Motion Picture Association (MPA), obvious replacements were in short supply.
The same couldn’t be said about the controversy that was about to engulf HeHeStream’s owner.
HeHeStreams Settled With Hollywood, But Not the US Govt.
Under pressure from the ACE anti-piracy coalition, HeHe’s owner Joshua Streit (aka Josh Brody) accepted an offer to settle his case and move on. That involved giving up his domain names to the MPA and shutting down his site. No cash settlement was mentioned publicly but it’s likely that ACE members received financial compensation.
In theory that should’ve ended Streit’s legal problems but that wasn’t how things panned out. More serious problems lay ahead and were directly connected to Streit’s skills and HeHe’s unique mode of operation.
Traditional IPTV suppliers provide access to pirate streams by rebroadcasting captured content from their own servers. It’s bandwidth-intensive, expensive, and prone to issues. HeHeStreams eliminated most of these additional costs by using techniques to connect customers to genuine streams, offered by the sports broadcasters themselves, directly from their own servers.
The upsides could be found in rock-solid streams, low server costs, and many happy customers. The downsides proved more complicated for Streit.
A Criminal Investigation Was Already Underway
There are two angles on what happened next, depending on the mood, tone and lighting. Ultimately, only one mattered.
According to the US government, Streit emailed an MLB (Major League Baseball) employee in March 2021 to explain that he’d previously disclosed a network vulnerability in their systems (i.e a way to get streaming content without paying for it) and was disappointed by the lack of gratitude.
The US government says that in a follow-up email, Streit complained to MLB that other vulnerabilities he’d disclosed hadn’t been given proper attention either. An MLB executive eventually telephoned Streit and informed him that the company operated no ‘bug bounty’ style programs.
According to the US government, Streit then indicated that financial compensation for his security work would be appropriate under the circumstances.
Placed in a deliberately more favorable light for a moment, Streit’s approach to MLB could’ve been seen as an opportunity to stop operations like his from accessing MLB content from company servers. With the benefit of the doubt and weighed against much bigger savings, $150,000 might even sound like a good security consultancy opportunity.
In the cold light of day, Streit’s comment about being chased down on the basis of his “unauthorized access to systems” was to prove prophetic. Both MLB and the FBI framed Streit’s conduct as extortion.
US Government Indicts Joshua Streit
In October 21, the Department of Justice announced that Streit had been charged with several crimes, including one under a new law designed to reduce illegal streaming. The 30-year-old from Minnesota was charged as follows:
One count of knowingly accessing a protected computer in furtherance of a criminal act and for purposes of commercial advantage and private financial gain (max five years in prison). One count of knowingly accessing a protected computer in furtherance of fraud (max five years in prison), one count of wire fraud (20 years), and one count of sending interstate threats with the intent to extort (20 years).
A final count of illicit digital transmission, carrying a potential five-year sentence, was added for good measure. The details of that count weren’t made public but could’ve been a reference to the Protecting Lawful Streaming Act (PLSA) signed into law late 2020.
With such a lot on the line, Streit entered into negotiations with the government. The ins and outs of those talks aren’t for public consumption but we can reveal that a deal has been reached. It’s hard to imagine Streit being pleased with the outcome but when stuck between a rock and a hard place, something had to give.
Streit Enters Guilty Plea on a Single Count
Around June 13, 2022, Streit pleaded guilty to one count of ‘Computer Fraud – Unauthorized Access to Obtain Information From a Protected Computer’.
According to the charge, from around July 2017 to around July 2021, Streit intentionally accessed and attempted to access computers without authorization. As a result, he obtained information from protected computers, for the purposes of commercial advantage and private financial gain.
Specifically, Streit obtained unauthorized access to the online accounts of users of a website belonging to Major League Baseball and used that access to “conduct illegal streaming of sporting events” that he sold to others for a profit.
In advance of his sentencing on that single count, the matter of forfeiture has been settled.
$500,000 to Be Forfeited to the United States
In a consent preliminary order of forfeiture submitted to a New York district court, the single count against Streit is repeated alongside details of forfeiture pursuant to 18 U.S. Code § 1030(i).
The forfeiture relates to “any and all property, real or personal, constituting or derived from, any proceeds that such person obtained, directly or indirectly, as a result of the offense,” plus “any and all personal property that was used or intended to be used to commit or to facilitate the commission of the offense.”
According to the plea agreement reached with the US government, Streit will forfeit $500,000, an amount said to represent “the amount of proceeds traceable to the commission of the offense.”
Streit will also forfeit a small mountain of computer and electronics hardware seized from him in October 2021. The haul includes six Apple MacBook Pro devices, several Apple, Google, and Samsung-branded smartphones, tablets, hard drives, and other assorted storage media.
Potentially Lengthy Prison Sentence Ahead
The specific charge Streit faces relates to an offense under 18 U.S. Code § 1030 (Fraud and related activity in connection with computers) where information valued at more than $5,000 was obtained.
At least potentially he could face up to five years in prison. If he’d previously been convicted of a crime under § 1030, the sentence could reach ten years but we understand that’s not the case here.