Australian IT Worker Arrested for Allegedly Selling $300K in Streaming Logins

The Australian Federal Police recently announced the arrest of Evan Leslie McMahon, a 21-year-old IT professional, for selling login details obtained from various streaming services.

According to investigators, McMahon allegedly sold stolen data from major sites including Netflix, Hulu and Spotify.

The Australian authorities received a tip-off from the U.S. Federal Bureau of Investigation.

McMahon, a resident of the Northern Beaches suburb of Sydney, reportedly made AUD 300,000 from the sale.

Based on the FBI’s report, he sold the data through the website WickedGen, which the authorities later shut down.

Before its closure, WickedGen reportedly had more than 120,000 users and circulated around 1 million login details for a variety of streaming services on offer.

Australian Federal Police Informed By FBI Tip

The FBI began investigating McMahon’s activities after receiving information that there were victims in the U.S. affected by his operations.

The FBI worked with Netflix and Spotify to distinguish real users from fake users.

The FBI informed the AFP of the existence of WickedGen in 2018.

The two teams conducted a joint international cybercrime probe with the aim to find the person behind the sale of the stolen data.

Credential Stuffing

According to the AFP, McMahon had been collecting the login details for over two years before his arrest.

The suspect engaged in credential stuffing, whereby a user collects previously stolen or leaked login details, emails and passwords of unsuspecting victims, and then sells this information via the dark web for a fee.

McMahon sourced these login details from the dark web, where he found multiple leaked logins from other hackers.

McMahon sold the streaming logins on WickedGen for as low as $2 a month, which is just a fraction of the monthly $13 and $13.99 fees charged by Spotify and Netflix (respectively) in Australia.

The low fees enticed numerous buyers, allowing the suspect to amass a large amount of cash.

McMahon’s Arrest and Court Appearance

Last month, the AFP acquired a warrant to search McMahon’s house in Dee Why, a coastal suburb.

During the bust, agents confiscated cryptocurrency funds and electronic materials. They arrested McMahon on the same day.

According to a news release from the AFP, McMahon faces several cybercrime charges including identity theft and the sale of private login details to the public.

The Sydney Central Local Court arraigned McMahon, who appeared for the case via an audio-video link.

McMahon made bail but under strict conditions. His parents were ordered to put up an AUD 200,000 surety.

Additionally, the court allowed him access to only one mobile device with no internet connectivity.

Also read: Operation SaboTor Leads to 61 Arrests 


McMahon’s LinkedIn profile indicated that he was an employee at, in addition to being a web developer and owning a web developing firm.

A spokesperson from confirmed that McMahon did work for the company, but they terminated his employment following the arrest.

Reportedly, the company was not aware of McMahon’s alleged criminal activities, as they reportedly began before his employment.

McMahon had only worked at the company for 14 months, which is shorter than the period during which his business had run.

The company condemned McMahon’s alleged operation, claiming that it was an inappropriate use of online subscription credentials from other websites.

Since there was no evidence linking the company to collaborating with the suspect, the investigators exonerated from any wrongdoing.

The suspect is set for arraignment in the Downing Centre Local Court on May 7, where he will submit a plea.

Leave a Reply

Your email address will not be published. Required fields are marked *