Editor’s note: This story has been updated based on new information from federal authorities to clarify that the teacher named in the court documents is believed to be the victim of identity theft and not the hacker.
A hacker apparently stole a North Carolina teacher’s identity to hack into the email accounts of celebrities, journalists, executives, and athletes, and steal naked pictures from dozens of victims, federal officials said.
According to authorities, the hacker used the name of Edward Raff, a 29-year-old math teacher in Greenville, to subscribe to a massive database of leaked personal information that was then used to hack or attempt to access the Google and iCloud accounts of between 60 and 80 notable figures.
That database, found on the website weleakinfo.com, was seized by the FBI in January 2020, according to a search warrant affidavit unsealed on Monday. The website sold subscriptions to leaked and stolen information from more than 10,000 data breaches, information the feds described as “amounting to 12 billion indexed records,” according to the search warrant.
The affidavit dated Feb. 19 named Raff as the subject of the investigation, but the FBI later clarified that he is not the suspect.
“Based on the information currently available to federal criminal investigators, Mr. Raff appears to be the victim of identity theft by the true perpetrator of the offenses under investigation. Thus, he is being treated as a victim of these offenses by investigators at the FBI and the Justice Department,” a Justice Department spokesman said.
The hacker compiled the leaked and stolen records—email addresses, usernames, and passwords—in a draft email more than 400 pages long, then used the information to gain entry to his victims’ accounts, the FBI alleged. The dossier includes the personal information of his unnamed celebrity victims and everyday people. Google tipped off the FBI to the alleged attacks.
The primary goal of the ruse appears to be sexual predation, according to the affidavit. The hacker used illegal account access to steal sexual selfies from women—naked photos, lingerie photos, photos of oral sex, photos of masturbation—by forwarding the material to his own email accounts, the affidavit states. At one point, the hacker allegedly used stolen credentials and an iPhone hacking tool to download the entire message history between two people, totaling more than 55,000 messages.
The hacker claimed to be the country singer Kenny Chesney to solicit naked photos from women, at one point going by “Bobby Crouton,” one of Chesney’s former aliases, in a ruse that required no stolen information, the papers state.
The feds say the perpetrator appears to have had little more knowledge of hacking than an average user with a credit card and access to search engines. He purchased a subscription to www.iphonebackupextractor.com to download copies of the information on his victims’ smartphones but complained to its customer service department that he couldn’t search the stolen backups, the feds say.
According to the affidavit, his search history included queries like “how to decipher hash,” “decipher hashed password,” “buy bitcoin with prepaid card,” and “sms verification online.”
Raff confirmed that someone stole his identity.
“Someone had my name and address, made a PayPal, and subscribed to this website. That’s why [the FBI] suspected that it could be me. They came to my house, took every device I own, and returned it two weeks later,” he said.
He couldn’t say who might want to impersonate him in such a wide-ranging scheme.
“It could’ve been anyone who got my information from an envelope or anybody who ever had my name and address,” he said.