Last summer, stolen photos of dozens of famous women flooded the internet; eager pervs cheered it as “The Fappening,” a pornographic cataclysm without any clear cause or culprit. But even as the horny internet has (mostly) moved on, the feds have been working hard to identify the culprit or culprits—and they’ve narrowed in on the suspicious activity of at least one man.

A recently unsealed federal search warrant and related affidavit pertaining to the FBI’s investigation into the iCloud hacker ring shows the investigation moving offline. On October 15th, 2014, federal agents entered the neat, modest brick home of Emilio Herrera on the South Side of Chicago. According to a sworn affidavit by Special Agent Josh Sedowsky of the FBI’s Cybercrimes Unit, someone in this house had been on an iCloud hacking spree.

“Based on victim account records obtained from Apple,” Sedowsky wrote, “one or more computers used at [Herrera’s house] access or attempted to access without authorization multiple celebrities’ e-mail and iCloud accounts over the course of several months.”

The affidavit for the first time confirms the scope and authenticity of the picture leak—“female celebrities” are listed as victims, though by initials only: “A.S., C.H., H.S., J.M., O.W., A.K., E.B., and A.H.” These initials presumably refer to Abigail Spencer, Christina Hendricks Hope Solo, Jennette McCurdy, Olivia Wilde, Anna Kendrick, Emily Browning, and Amber Heard (though we could be incorrect). A still-sealed affidavit obtained and reported by the Chicago Sun-Times refers to a J.L., presumably Jennifer Lawrence, the breach’s highest-profile victim:

The agent described one interview with “J.L.” that he had to stop because she became “very distraught.”

“J.L. stated she was having an anxiety attack and was visibly shaken,” the agent wrote.

Herrera’s alleged iCloud cracking went way beyond that narrow list of celebs: between May 31, 2013, and August 31, 2014, his IP address “was used to access approximately 572 unique iCloud accounts,” and “in total, the unique iCloud accounts were accessed 3,263 times.” The FBI doesn’t disclose the exact number of famous accounts breached during this account, but notes that “a number” of them belonged to “celebrities” involved in the Fappening, and “the majority of the other accounts accessed from [Herrera’s home] were accounts of celebrities, models or their friends and families.” The affidavit cites an additional (perhaps unrelated) 4,980 attempted reset attempts against 1,987 different password. The sealed warrant reported by the Sun-Times reports an equally prolific iCloud hacker at another Chicago address:

The IP address on Narragansett accessed 330 unique iCloud accounts between May and August 2014, according to the other. Of those, 291 allegedly belonged to people who registered their accounts outside Illinois. Those 291 accounts were accessed more than 600 times, the agent wrote.

This was much more than a hobby.

In addition to the scope of the attack, the FBI affidavit offers new details of how the breach itself went down. In the case of A.S., she “recalled getting locked out of her online accounts” between April and May 2014—that’s several months before the leak. “All [stolen] photos were taken with her iPhone and sent through iMessage to her boyfriend”:

In the case of A.H., “some of the [stolen] photos were sent to her fiancé, [while] others were never sent and only stored on her phone.”

It’s clear now that the celebrity iCloud heist was done through the oldest (and most reliable) method of online malice: phishing emails and a password reset. Anything pertaining to password cracking and phishing is called out in a “list of items to be seized” on the FBI’s warrant:

The agents walked out of Herrera’s house with multiple computers, a cell phone, storage devices, and a Kindle Fire:

What remains unclear is how these people were caught. Calls to the Herrera residence went unanswered, as did a message to a personal email listed in the affidavit—my first question would’ve been how someone capable of a vast password hijacking operation would forego a VPN or other method of masking his IP address. That’s a rookie screwup.

It’s also unclear what the search of Hererra and the other Chicago address mean for the state of the investigation—the former has not yet been charged with any crime, nor is he even considered a suspect at this point, puzzlingly. An FBI spokesperson declined to comment on any particulars of this investigation beyond the fact that no charges have been filed yet.

You can read the search warrant application affidavit below:

Photo: Getty

Contact the author at biddle@gawker.com.
Public PGP key
PGP fingerprint: E93A 40D1 FA38 4B2B 1477 C855 3DEA F030 F340 E2C7