Earlier today, the Department of Justice announced charges against Behzad Mesri, a/k/a “Skote Vashat,” for allegedly hacking and attempting to extort HBO. I had covered the HBO hack and extortion attempt on this site over the summer, as this site was one of a few media outlets with whom the hacker(s) shared leaked data.
According to the indictment filed in the Southern District of New York, where HBO is headquartered, Mesri is an Iranian with an alleged history of hacking for the Iranian military and for the Turk Black Hat Security team. The latter had a web site that is no longer available but is archived in archive.org.
You can read the criminal indictment here. Of note, although Mesri has been charged, he is not yet arrested, it seems, and it is not clear exactly where he might be. The FBI has issued a wanted poster concerning him. Why the government unsealed the November 8 indictment now when Mesri hasn’t been arrested is unclear, but may be politically motivated if the government intends to argue that Mesri was hacking on behalf of the Iranian government. There is no evidence provided with the indictment that would speak to that possibility.
As “Skote Vashat,” Mesri had a fairly extensive history of identifying and disclosing vulnerabilities in sites (cf, his contributions on Packet Storm and Exploit Database. He was also an active defacer from 2009 – 2013. A simple search returns numerous hits showing his defacements and several email addresses. He does not appear to be a hacker who was trying to be a ghost or to hide himself.
In 2015, he opened a Twitter account, but never tweeted from it.
So … would Mesri, by himself, have hacked HBO and attempted to extort $6 million? The indictment doesn’t refer to any other co-conspirators, but the extortion demands and communications used “we” and not “I,” suggesting that Mesri was not the sole attacker or party involved in the attack and extortion attempt. Or perhaps that was intentional misinformation or misdirection.
Something does not feel quite right about this story… at least not yet. If “Kind Mr. Smith” is still around and reads this post, I’ve got a few questions I’d love to ask him. But then, I imagine the DOJ also has questions for him.