A local IT professional has faced court after joint FBI-AFP investigation brought down his ornate subscription-based scam, one that netted him almost a million dollars. 



A Sydney IT professional is facing prison time after pleading guilty to criminal charges involving a scam that made him almost a million dollars over a three-year period.

Software developer Evan McMahon’s sophisticated scheme was originally uncovered by the FBI, before being handed over to the Australian Federal Police.

At the time of his arrest, the 23-year old was serving tens of thousands of customers across the globe.


Cheap access to websites

His websites – HyperGen, WickedGen, Autoflix and AccountBot – offered subscribers a cheap way to access legitimate accounts for Netflix, Spotify, Hulu, WWE Network, NordVPN, PlayStation Network, as well as dozens of other subscription services.

After paying a small fee, Mr McMahon’s customers were given access to the “account generator” which allegedly revealed the username and password of a real subscriber.

According to documents tendered before the New South Wales District Court, Mr McMahon set up his first website, HyperGen, shortly after finishing his HSC.

AccountBot, the latest and most refined iteration of the business, offered customers discounts for referring new customers and a range of subscriber packages.

The agreed facts of the case state he had at least 152,863 registered customers and provided at least 85,925 subscriptions to a variety of streaming services.

Customers paid for the services via PayPal, and so Mr McMahon developed a way to avoid triggering PayPal’s money-laundering alarms, by collecting fees through multiple accounts – more than 100 in fact – which were set up in false names.

He then funnelled funds into another 48 accounts which were verified using false forms of identification such as New South Wales Driver’s Licences and Australian Passports.

McMahon cashed the funds into bank accounts established in his own name across at least ten financial institutions and converted some profits into cryptocurrency, he has been charged with multiple criminal offences.


His websites offered subscribers a cheap way to access legitimate accounts for Netflix, Spotify, Hulu, WWE Network, NordVPN, PlayStation Network, as well as dozens of other subscription services.


Mr McMahon’s criminal defence lawyers asked the sentencing judge to take into account three additional offences relating to false ID information given to PayPal and the ‘credential stuffing he used to find and verify the compromised logins of legitimate users’.

Credential stuffing generally occurs where a hacker obtains another person’s login information and is able to successfully use it across multiple websites. Usually, this is because most people use the same password for several purposes.

The offences were placed on what is known as a ‘Form 1’; which is a mechanism by which a sentencing judge can take into account additional offences when considering the totality of the offending, without sentencing those additional offences separately.


Cybercrime is on the rise

According to the Australian Cyber Security Centre’s (ACSC) Annual Cyber Threat Report, cybercrime is reported, on average, every ten minutes in Australia.

The most common of these, according to the data, is scams: romance, investment, or shopping scams. Scamwatch reported that last year Australians lost over $634 million to scams –  a figure that is considered likely to be underestimated due to the number of crimes that go unreported.

But there’s also concern that the figures will be higher for this year, specifically because of the Covid-19 pandemic which forced us to interact online in more ways than would otherwise be ‘normal’ for Australians and saw a spike in scams, relating in particular to the early release of superannuation.

As our online connectivity increases, the experts say that to protect ourselves we need to keep security settings up to date, be vigilant about any social media links or emails or website URLs that look ‘dodgy’ and avoid using the same password over and over.




Share via