Do the feds really know who stole all those celebrity nudes?

Last summer, stolen nude photos of Jennifer Lawrence, Kate Upton, and other celebrities flooded the Internet in a grotesque invasion of privacy that 4Chan and Reddit gleefully named “the Fappening.” The perpetrator(s) appeared to have raided the celebs’ iCloud accounts where their photos were backed-up. The identity of the hacker(s) was unknown, despite attempts by vigilantes to collect metadata clues from the posted photos. Law enforcement, though, had access to far better data from Apple itself, and within two months of the crime, investigators had identified computers that appeared to have logged into hundreds of iCloud accounts, including those of affected celebrities. Last October, FBI agents raided two homes in Chicago that they thought were involved in the hack, as revealed this week by the Chicago Sun-Times and Gawker, which posted a search warrant for one of the homes.

The authorities raided a house and an apartment seven miles apart in the South Side of Chicago. Only one of the warrants is currently available on PACER — that to search the home of 30-year-old Emilio Herrera. After searching the two homes seven months ago, the FBI seized “several computers, cellphones, a Kindle, floppy disks, hard drives and thumb drives,” according to the Sun-Times, but, strangely, the feds haven’t yet filed criminal charges against anyone. Instead, for the last six months, prosecutors have been regularly filing motions asking the government to keep the search warrants under seal, so that the public (and journalists) wouldn’t find out the latest legal Fappening happenings.

There are some odd things about the evidence laid out by FBI agent Josh Sadowsky. Sadowsky says he and FBI agent Jeff Kirkpatrick were able to link two IP addresses to the iCloud accounts of a few of the celebrities that had their photos stolen. When the agents asked Apple to check the history of those IP addresses, the company found that one had logged into 572 unique iCloud accounts, and that it attempted to reset the passwords of nearly 2,000 other iCloud accounts, and that the other had accessed 330 people’s iCloud accounts.

At first scan, it’s disturbing that Apple didn’t flag these IP addresses as potential hackers. Apple’s security system may have thought that the IP addresses in question were rightfully used by lots of people — say, at a school or an office building — but the geolocation information associated with the IP addresses would likely have linked them to the Chicago area, meaning that it would have looked as if people in Chicago were poking into accounts of phones for lots of people not in Chicago. Plus, one of those IP addresses showed 4,980 attempts to reset the passwords of nearly 2,000 people. That seems like it should have set off alarm bells in the Apple security bat cave. (That said, this fishy activity did occur over a year-long period, so perhaps it wasn’t concentrated enough to raise concerns.)

After seeing this highly suspicious Apple activity, the agents went to the Internet provider(s) associated with the IP addresses and asked who they were assigned to. AT&T, the Internet provider for one of the addresses, said that it was assigned to Emilio Herrera and a house on South Washtenaw Avenue. (We tried to reach Herrera at email addresses listed in the warrant but we haven’t received a response.)

Now, what’s weird about this, if the people in these two homes are indeed responsible for hacking celebrity iCloud accounts, is that they apparently weren’t using anonymizing tools — such as a VPN or TOR — to mask their IP addresses. That is, as Sam Biddle at Gawker put it, “a rookie screwup.”

Yes, thanks to easy-to-use hacking tools, such as one of those suspected of being used in this case, the Elcomsoft Phone Password Breaker, you don’t have to be a computer genius to wreak havoc online. But if you’re successfully phishing people, stealing hundreds of passwords, and playing in the corners of the Web that would introduce you to that hacking tool, it seems likely you would have been exposed to the concept of IP-masking. Perhaps their IP addresses were co-opted by the true photo hackers, speculated one tech-minded Twitter user.

The last weird thing about the Fappening investigation is that nothing seems to have happened in the case since October. The arm of the law is long, and it can be slow, but this would be really slow. These search warrants may indicate that the feds are getting closer to slapping cuffs on the people responsible for the Fappening. But the mounting delays could also mean that the digital breadcrumb trail has run out — or runs to a different country where extradition issues arise. It’s possible these homes were unknowing fronts for the true hackers, who, for now, appear to remain at large.