Hunter Moore said he would set fire to the Voice‘s office if I wrote this. Actually, the 26-year-old’s exact words were, “Honestly, I will be fucking furious, and I will burn down fucking The Village Voice headquarters if you fucking write anything saying I have an FBI investigation.”
Some background: Hunter Moore is a self-made Internet villain. For more than a year, the Sacramento native published nude cell-phone photos of 18- to 30-year-olds, usually against their will, on his blog Is Anyone Up. Some of the people posted were publicly notable: pop-punk bassists, an Ultimate Frisbee champ, an American Idol finalist, the founder of Dream Water, Twilight star Kiowa Gordon. The majority of them were not: a Taco Bell employee from Orlando; a wheelchair-bound St. Louis community-college student; a high school English teacher in Hamilton City, California. What made these online betrayals even more vindictive was that they appeared alongside the unwitting model’s full name, social-media profile, and city of residence—private citizens in vulnerably explicit positions, just a Google search away from friends, enemies, parents, employers.
Just as troubling was that publishing these nudes was a legal act. Is Anyone Up branded itself as a “revenge porn” site, encouraging angry exes to send, anonymously, their former partners’ nudes. Many people did. So the breasts, penises, and asses on Hunter Moore’s site were, the story went, supplied by avenging cuckolds, embittered former friends, and other people with scores to settle. Because this content came from third-party users, Moore wasn’t legally held responsible, thanks to Section 230 of the Communications Decency Act of 1996, the same powerful shield that prevents Facebook (or the Voice, for that matter) from being sued for what users post.
Is Anyone Up quickly became a lurker’s paradise, a life-ruiner, and a public-shame catalog. As the site’s popularity spiked, Hunter Moore became a cult of personality, the anti–Mark Zuckerberg, a polarizing figure the BBC called “the Net’s most hated man.” He received countless death threats, cease-and-desist letters, and a Facebook ban. Last summer, a San Francisco woman he’d posted stabbed him in the shoulder. Infinitely quotable and ruthlessly unapologetic, Moore also drew an army of online supporters, kids who called him a devious genius, professed their love for him, and wanted to have sex with him, which he made a sport of publicly. Anderson Cooper tapped Moore as a guest, a Nightline crew came to his house, and I wrote a cover profile about him for this newspaper.
But along the way, as more unsuspecting subjects ended up on Is Anyone Up, more of them claimed that they’d been hacked—that someone had actually gained access to their e-mail accounts and stolen their images, which had not, in fact, been previously sent to people who later submitted them for publication after relationships soured.
Naturally, this excuse sounded flimsy, if not preposterous. “Everybody can claim they’re getting hacked,” Moore told me in April. “That’s the easiest way to fucking get out of it—’Oh, I fucking shoved my finger in my asshole, and I sent it to this dude who looked hella cute and had a face tattoo on Twitter. And I’m gonna say I got hacked.’ Let’s be real, you’re a fucking whore, and you just met the dude, and you thought he was cute.”
That conversation happened the same day as a stunning development: Moore suddenly sold his domain to an anti-bullying site, bullyville.com, and effectively shut down Is Anyone Up on April 19. “I’m fucking sick of looking at little kids naked, and I’m sick of my fucking site. I’m sick of fucking people calling me a ‘faggot’ and telling me to kill myself,” he told me. “I’m tired of fucking looking out the window and thinking somebody’s going to fucking come through and murder me in my sleep.” He insisted that his decision to shutter Is Anyone Up had nothing to do with law-enforcement pressure. “Fuck no, I would fucking literally murder somebody right now if I had a fucking gun and [that person] wanted to make those allegations.”
The Voice has learned that the FBI’s Los Angeles Internet Crime division has been actively investigating Hunter Moore and Is Anyone Up for months, according to four people who say they’ve been interviewed by the FBI about his now-shuttered site. The case’s focus, according to those familiar with the investigation, was Moore’s possible connection to a hacker who has repeatedly broken into the inboxes of countless victims, rifled through their attachments, and submitted the accompanying nudes to Is Anyone Up. (A Los Angeles FBI spokesperson would not confirm or deny such an investigation.)
“The FBI has been in contact with me,” Moore admitted during the same conversation in which he threatened to burn down the Voice. “I have nothing to hide.”
Bullyville.com is a month-old property run by former Marine James McGibney, another controversial website owner whose flagship property, cheaterville.com, asks for people to expose unfaithful scalawags. He also relies on the Communications Decency Act of 1996’s protections to run cheaterville.com. “Under no circumstances are any photos, posts, anything that was previously on Is Anyone Up servers ever allowed to be made into a public domain again,” he explained about his company’s purchase of Moore’s domain. “We could do this, and then maybe Hunter starts up another website two months from now and puts all this stuff back up, and we made sure that couldn’t happen.”
The Monday after his site shut down, Moore appeared as a guest on Dr. Drew’s HLN show. That’s when things got even weirder.
Charlotte Laws, the mother of a 24-year-old California-based actress whose naked body had appeared in January on Is Anyone Up, confronted Moore on the show. Laws told Dr. Drew that her daughter had taken nude self-portraits in her room with her cell phone, then e-mailed them to herself to store the images on her computer. The pictures had been in her e-mail account for months when her daughter was “criminally hacked.” Within days, the photos turned up on Moore’s site. Laws described it as a case of “cyber rape,” a term that Moore later mocked.
“Your daughter said she was hacked, correct?” Moore asked Laws over a split-screen. “Usually people who are embarrassed, who make mistakes, usually try and fall back on something else. I’m sure she sent the pictures to a million different guys and just ended up on my site, just like everybody else.” In other words: You’re in denial, and your daughter is lying.
Moore’s young fans mercilessly taunted Laws on Twitter and Tumblr. “The fact that @CharlotteLaws actually thinks her daughter took a nude picture just to send to HERSELF?” typed @KateyCanFlyy. “No wonder she was CYBER RAPED lol.” @NewYiddySports congratulated Moore on his prime-time guest spot but critiqued, “You should have referenced A.Weiner when the mom cried hacking.” They called her every name in the book and created animated GIFs of her face.
Even Moore, who had feigned an apology on camera, joined the online attack. “The cyber rape mom from dr. Phill [sic]”—wrong TV therapist, same difference—”made up the whole story,” he tweeted. “Real life troll.”
But Laws stood by her story, explaining on her personal blog that after her daughter’s photos were posted, she’d embarked on her own offline investigation. “I randomly chose 25 individuals who had been uploaded onto the site within a 14-day period,'” she recounted. “My findings were astonishing: A full 40 percent of the victims I located had been hacked only days before their photos were loaded onto the site. In most cases, the scam began through Facebook and ended when the thief gained access to the victim’s e-mail account. The hacker did not nab credit card information. He or she seemed to have only one goal: to steal images for Is Anyone Up?”
No one believed Kristen, the 19-year-old college sophomore who appeared in our original Hunter Moore profile under the same pseudonym, when she said she had also been the victim of that kind of attack. On Thursday, February 23, the Long Island native came home from soccer practice to discover she had been locked out of her online accounts. When she got into her Facebook account again, her chat icon was talking with someone she barely knew on her friend list, a New York DJ named Tanner Caldwell.
According to a screen grab of their chat, her avatar had asked for Caldwell’s phone number, with an urgency emphasized with 12 question marks, two exclamation points, and a photo of an adorable girl. He provided his number, but demanded to know why. “My Gmail needs to be reset, but I lost my phone,” her icon offered, “I think I just sent my verification code or whatever to your phone, lol, can you check to see if you just got a text, please?”
Caldwell was immediately suspicious. After some hesitant back-and-forth, he typed, “This seems mad fishy,” adding, “out of your 2,700 friends, you don’t know someone closer to you to send your verification code to?” The response was masterfully played. “I don’t know, you were on my top chat and cute, lol.”
He asked what she was doing Friday; she flirted back while begging for the code. Eventually, he gave it up, and she sent back a smiley face. Within minutes, he realized he’d been locked out of his e-mail. Then it occurred to him that the access code he’d just sent her icon was his own.
The same day they were hacked, Kristen’s nudes showed up on Is Anyone Up, photos she swears to this day were never sent to anybody. (They were tasteful self-portraits taken in the hopes that, when the time was right, they’d be gifts to a long-distance paramour who stopped talking with her once the photos showed up on Moore’s site.) The only thing she had in her defense was an e-mail address that she can’t dislodge from her Hotmail account to this day: firstname.lastname@example.org.
Caldwell confirms that email@example.com was his infiltrator’s address, too. “It was definitely the same guy,” he says.
Is it really so easy to hack a Gmail account? See for yourself: Go to the Gmail login screen and click on the frequently ignored link underneath the sign-in menu, “Can’t access your account?” Three options appear; choose “I forgot my password.” Type in a Gmail address—any active Gmail address—and if there’s a phone number associated with the account, you’re given three more options, one of which is “Get a verification code on my phone.” You don’t even need to know the phone number. Just hit “continue” and an unrelated six-digit code will appear in a text to the account owner’s phone. Type in that verification code—a number easily obtained by a masquerading e-impostor—and you’re in. The first thing you’re prompted to do is immediately change your password, thereby blocking out the original owner.
In other words, if a hacker knows only your Gmail address and can figure out how to access your phone, he’s already most of the way into your shit.
That’s what happened to a twentysomething woman from the Northern California we’ll call Tanya, who has never met or spoken with Kristen. Over Facebook chat, a panicked friend typed that she’d lost her phone and asked Tanya for help. Tanya reflexively sent her e-mail address and phone number, and almost immediately, she got an alert that the password on her Yahoo account had been changed. She was momentarily confused. When she finally fought back into the account, her profile information was replaced with an e-mail address: firstname.lastname@example.org.
That was January 7, 2012. “Two days later around midnight, I got weird messages from people, and I ignored them,” Tanya recalls over the phone. “When I woke up the next morning, I had over 30 phone calls from people and over 400 friend requests from Facebook, and I had no idea what was going on.” She’d been posted to Is Anyone Up, with her name, hometown, face—and someone else’s nude body. Tanya had a shock of recognition: The photos of her breasts were actually those of her friend, pictures Tanya had taken during an exercising spell to help visually track her process. “When I actually looked at my e-mail, I didn’t even remember having those.”
Tanya is not the sort of person who takes nudes. She is extremely modest—and this was one of the most emotionally damaging scenarios she could imagine. “I didn’t even leave my house for a week.” When she finally gathered the courage to do an errand, something awful happened. “I went to Taco Bell, and someone came up to me and was like, ‘Oh, I’ve seen you naked.'”
Tanya took no solace in the fact that the site’s characteristically crude comments were flattering. (“Does this girl have any flaws?” was a stark contrast to the usual “Jesus, someone call Greenpeace and get her back in the water.”) The fact that it wasn’t her body didn’t make it better; in some ways, the misunderstanding made the situation feel worse. She tried to get the photos down by e-mailing the site to no avail. Eventually, she started talking with other women who had been posted and discovered she wasn’t the only one. “Everyone I talked with, we were all hacked by Gary Jones.”
More than a month later, Tanya wrote to Jones and said that she knew he had hacked other people for the same reason.
On Monday, February 20, at 12:52 p.m., Tanya wrote, in part: “Do you know how much damage you are doing to people. . . . I have a question why?”
Almost four hours later, she got a reply.
All I can say is I’m sorry. Really. If it makes you feel better, I did nothing other then look at your pictures. Nothing financial or medical, I promise. I truly wish there was something I could do to make it up to you. I’m having a hard time, too. Please feel better and know that nothing else will come from this.
A hacker with a conscience. Also, a hacker who wasn’t denying anything. A few hours later, Tanya wrote: “You and Hunter are invading my privacy. . . . I’m sorry, but I don’t get how you can be having a hard time. “
He wrote back:
Actually, I just got my 3rd DUI and lost my job last week. . . . I’m 6 days sober. But I get it, that was my choice as opposed to you who did nothing wrong. If it’s any comfort, you are absolutely beautiful, and that gives you a leg up on almost every other woman. Hopefully, in the next month, it will fade away, and you’ll feel happy again. Want me to send your parents an e-mail for you explaining it to them?
That’s the last message in the thread.
“Gary Jones,” as it turns out, has been at this for a while. Google “email@example.com,” and three anonymous forum posts—two from March 2011 and one from December 9, 2011—single out the address. “I recently got my e-mail password stolen from another account,” reads a panicked message from March 15, 2011. “The person who has my account is firstname.lastname@example.org.”
That same month, an Australian woman named Danni Suriano alerted her Facebook friends that she’d been hacked in a frantic status update. (“HACKER!!! ON MY PROFILE RIGHT NOW!! do not tell him anything about your contact info!! email@example.com.”) On October 18, 2011, Suriano was posted on Is Anyone Up. (She didn’t respond to our request for comment.)
“Gary Jones” has a Facebook profile; it doesn’t mention his interest in nude photos. Instead, the page identifies him as a 32-year-old who hails from Belize, lives in Australia, and works for the plus-size agency BELLA Model Management. (Reached by e-mail, the director of BELLA Model Management told the Voice, “We don’t have a Gary here.”) The accompanying photo shows him as a beefy bodybuilder with a bad dragon tattoo, sunglasses on his head, and cartoon-hyena smile.
It’s actually a circa-2008 Wikipedia image of Matthew Rush, a gay-porn megastar known for such titles as Splash Shots III and “the first 3-D gay porn feature film,” Whorrey Potter and the Sorcerer’s Balls. (Rush plays Voldemorecock—it’s available on Blu-ray.) Rush’s birth name is Gregory Grove, not Gary Jones. (Reached by e-mail, Grove said, “I have no idea who this person is.”)
I e-mailed firstname.lastname@example.org, told him I’d heard a lot about him, and asked if he’d be willing to talk with me, even anonymously. There has been no response.
Hunter Moore never denied to reporters that Is Anyone Up received hacker submissions while it was active. “I’m sure there have been times that people have been hacked and ended up on the site,” he told The Daily Beast in March. “But as far as Hunter Moore doing the hacking, that hasn’t happened.”
By April 19, the same day isanyoneup.com morphed into a bullyville.com ad, Moore was more definitive about the connection. “I’ve had tons of hackers give me shit,” he told me over the phone, insisting that Section 230 of the Communications Decency Act of 1996, the same federal law that has shielded his site from prosecution all along, absolves him of legal responsibility. (Legal experts, however, tell us that isn’t the case.) “It’s the same thing as Scarlett Johansson getting hacked. It always comes back on the hacker. I’m not gonna lie. I’ve paid people for content. I don’t give a fuck. You can say that. If I’ve paid for content, they have to submit the same [way] as the user. It would all fall back on the user.” Scarlett Johansson’s hacker, Chris Chaney, faces 60 years in prison and $2.25 million in fines.
That said, even if Moore’s money somehow found its way to a hacker, he insists he’s not responsible. “If I paid for content, it wouldn’t matter because they submitted it. It wouldn’t matter. It would be like me leaving a fucking $100 bill on the sidewalk and somebody coming and picking that up and fucking throwing a picture on my lawn—it would be the same exact thing. It still comes back on that person who walked by my driveway.”
One provision of Moore’s deal with isanyoneup.com‘s new owners, CheaterVille Inc., is that the business is not responsible for anything previously posted on the domain or its affiliated servers. “We bought the URL,” says CheaterVille’s James McGibney. “I do not own the content—I have nothing to do with it.” If there are legal issues with anything that did appear on Moore’s site, McGibney confirms that his company is not responsible. “Part of the contract is he’s 100 percent liable for it. It’s clearly outlined in the agreement. I had lawyers watching lawyers on this deal.”
Acknowledging that he and his lawyer had been fielding requests from the FBI throughout the site’s existence—something Moore consistently discussed with me while the site was still active—Moore continued to defend himself: “We’re going to work with every agency that we have pending investigations with. Really, [shutting down the site] comes down to never having to deal with this question, or anything like it, ever fucking again.”
We were having the conversation on the day his site had been taken down. “No, I don’t have hackers,” he said. “I’m half-retarded. Where would I find hackers? It’s not like I posted on a message board, ‘Friendly hackers, hey, can you get me nude pictures?’ It doesn’t work like that.”
Moore later demanded to know where I had heard that the FBI was looking into him, but I didn’t tell him.
He didn’t react well. “I will literally fucking buy a first-class fucking plane ticket right now, eat an amazing meal, buy a gun in New York, and fucking kill whoever said that. I’m that pissed over it. I’m actually mad right now.”
Moore is apparently not used to his own privacy being violated.
Were you hacked by “email@example.com”? Email firstname.lastname@example.org.