Image: Anthony Roberts

US authorities charged a Texas man this week for hacking into the cloud accounts of two music companies and the social media account of a high-profile music producer, from where he stole unreleased songs that he later published online for free on public internet forums.

When the man realized he could be caught, he contacted one of the hacked companies and tried to pin the blame on another individual.

Hacks targeted cloud accounts for music labels

According to court documents published on Monday by the Department of Justice, the suspect is a 27-year-old named Christian Erazo, from Austin, Texas.

US authorities say that Erazo worked with three other co-conspirators on a series of hacks that took place between late 2016 and April 2017.

The group’s primary targets were two music management companies, one located in New York, and the second in Los Angeles.

According to investigators, the four hackers obtained and used employee credentials to access the companies’ cloud storage accounts, from where they downloaded more than 100 unreleased music songs.

Most of the data came from the New York-based music label, from where the Erazo and co-conspirators stole more than 50 GBs of music. Erazo’s indictment claims the group accessed the company’s cloud storage account more than 2,300 times across several months.

Hackers also went after producers and artists

Erazo also allegedly hacked the “microblogging and social networking” account (very likely Twitter) of an LA-based musician and producer.

The suspect used the access to this hacked account to send private messages to other producers and music artists, asking them to send unreleased songs to an email address under Erazo’s control, investigators said.

Songs gathered through this scheme were later also leaked online on internet forums, damaging the producer’s reputation.

The attempted cover-up

US officials said that Erazo began discussing with his co-conspirators in December 2016 about the idea of pinning the hacks on someone else — referred in the indictment only as “Individual-1.”

The group went ahead with their plan on January 8, when one of the co-conspirators emailed the NY-based music label stating that Individual-1 had gained access to their cloud data and was currently selling their songs online for $300 per track.

The music label contacted authorities, and when Erazo and a co-conspirator called the music label ten days later on January 18, they talked on the phone with an undercover FBI agent posing as the label’s security staff.

Investigators say that during this conversation and later emails, Erazo and friends posed as do-gooders trying to help to company and its music artists.

According to statements quoted in the indictment, Erazo said he was “doing this for the love of the artists” and claiming they want no harm done to the producer — who, they were still actively hacking at the time.

US authorities said that Erazo offered to help the music company in its investigation into Individual-1.

“I’m happy to help out if you need any of the info or anything I could dig up for you guys just let me know and I’m more than happy to help you guys out with this,” Erazo was quoted in the indictment as saying.

“Yeah and another thing to why we are going to you guys is we just hate this fucking [person]. Bottom line. We aren’t even going to beat around the bush,” Erazo also allegedly said, also offering to play a double agent if the music company asked.

In addition, Erazo urged the music label to take legal action against this person, and also advised the company about improving the security of its cloud storage account.

A week after contacting the NY music company, investigators said that Erazo sent on online message to one of his co-conspirators saying that “this is the perf[ect] cover up.”

Charges and sentence

However, Erazo’s plans didn’t work. He was charged in a New York court on Monday under three counts.

Charges include one count of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years; one count of conspiracy to commit computer intrusion, which carries a maximum sentence of five years; and one count of aggravated identity theft, which carries a mandatory minimum term of imprisonment of two years.

News of Erazo’s arrest comes after in mid-September UK police arrested two teens — one in London and one in Ipswich — for similar charges of stealing data from music artists. It is unclear if the two cases are related, however, the two UK teens were accused of selling the tracks online, rather than releasing them on forums.

Erazo’s case is not related to the Radiohead incident from March 2019 when a hacker gained access to unreleased Radiohead music and tried to extort the band for $150,000. In response to the ransom attempt, the band published the music on a Bandcamp account ahead of its planned release.

This is by no means the first incident of its kind, and hacks like these have been happening for years. For example, in 2012, hackers stole and published more than 50,000 songs from Sony Music, including unreleased Michael Jackson songs.