Brandon Bourret, age 41, of Colorado Springs, Colorado, was sentenced on Wednesday, November 2, to serve 29 months in federal prison, followed by 3 years on supervised release after previously pleading guilty to conspiracy to commit computer fraud and abuse, access device fraud, identification document fraud and wire fraud. He was also ordered the forfeiture of $49,153 cash plus a substantial amount of computer equipment. Bourret, who appeared at the sentencing hearing free on bond, was ordered to report to a Bureau of Prisons facility within 15 days of designation.
Co-defendant Athanasios Andrianakis previously was sentenced to serve 5 years on probation with the first 15 months in house confinement. While in house confinement Andrianakis is to work for no pay for the victim, Photobucket, as in-kind restitution. Further, Andrianakis was ordered to work 150 hours of community service. He also paid $35,000 to Photobucket, and forfeited cash proceeds of $14,962.22 plus a substantial amount of computer equipment.
Bourret and co-defendant Andrianakis were charged and arrested after breaching the computer services of Colorado-based Photobucket, a company that operates an image and video hosting website. According to court documents, including the stipulated facts contained in the plea agreement, in 2008 Bourret began selling a software application called “PhotoFucket.” The purpose of PhotoFucket was to allow its users to gain access illegally to the private or password protected photo albums of Photobucket’s customers without those customers’ knowledge or consent. As its name suggests, PhotoFucket’s users were primarily interested in finding and stealing nude or sexually-explicit images from those private and password protected albums.
Between July 12, 2012 and August 2, 2013, in response to increased security at Photobucket, Bourret and his co-defendant conspired to find and sell sophisticated ways to continue penetrating the password protections despite Photobucket’s attempts to block the intrusions. The co-conspirators also discussed ways to increase PhotoFucket sales and distribute money from the enterprise among the co-conspirators. Bourret promoted PhotoFucket on his websites, Photofucket.com and PhatThumbs.Photofucket.com, and he published private images that he illegally obtained on the PhatThumbs website.
Bourret also found a way to connect registration email addresses to stolen private images, and he sold those email addresses to PhotoFucket customers knowing that this posed a substantial risk of facilitating online extortion. He dismissed this risk in the interest of profits, saying in one email “I decided to go a little crazy and let PF output an email address for every rip it does . . . It’s better to burn out than to fade away.” Victims of the PhotoFucket scheme reported being extorted and harassed online with their private images.
On July 1, 2014, a search warrant was executed at Bourret’s residence in Colorado Springs, where he hosted the PhotoFucket.com website on a server in his bedroom. Over 9 terabytes of illicit data were seized from that server and the other storage devices recovered in Bourret’s house. Agents determined that the defendant recorded 18,557 instances of his targeting accounts with the PhotoFucket application, and he possessed at least 722 passwords that were associated with other Photobucket.com accountholders.
Photobucket first became aware of the PhotoFucket application in 2013. It immediately contacted the FBI and worked aggressively with law enforcement to fix the exploits, strengthen the security of their product, and bring the two individuals responsible for the violations to justice. The conspiracy ended and PhotoFucket was no longer capable of accessing private Photobucket.com content after July 31, 2013.
Victims of the breach were previously contacted by the government and Photobucket through email messages to their Photobucket.com registration email addresses. None of those victims submitted a restitution request to the court. However, to address the interests raised by some of those victims, the government and the co-defendants, with the assistance of Photobucket, entered into Consent Agreements that created a victims’ assistance fund. The fund is available for identified victims – ie, those who previously received a notification – to obtain services to mitigate the impact of the public disclosure of their private images. These services are to be paid for by the co-defendants according to the terms of the Consent Agreements.