United States vs HeheStreams — Josh Brody

United States vs HeheStreams

In October 2021 the U.S. Government charged me with five federal counts related to HeheStreams and to my piss-poor handling of disclosing bugs to a sports league. I pled in 2023, served 18 months, was released in 2025.

This page is the legal side of it: what the charges were, what they actually mean, and where the official narrative and the operational reality didn’t line up.

The charges

Illicit digital transmission

The easy one. I transmitted digital content I wasn’t licensed to transmit. No footnotes, no irony—I absolutely did it. HeheStreams ran for five years against MLB, NBA, NFL, NHL, and a dozen other platforms. The statute exists for exactly this.

Protecting Lawful Streaming Act (PLSA)

The illicit-digital-transmission count stems from the PLSA, which created 18 U.S.C. § 2319C. It was introduced by Senator Thom Tillis and slipped into the COVID relief bill (the Consolidated Appropriations Act, 2021) in December 2020.

CFAA

The fraud-in-connection-with-computers charge boiled down to “accessed a computer without authorization.” That phrase is broad enough to cover SQL injection, credential stuffing, and checking your ex’s Spotify.

In my case it was the mechanism HeheStreams used to deliver streams, which is the part that’s actually worth talking about.

HeheStreams had no encoding farms. No re-streams. No middleman transcoders. The streams users watched came directly from the platforms’ own infrastructure, delivered by the platforms’ own CDNs, authenticated against the platforms’ own identity systems. That is a weekend project until you try to do it for even ten users who will not tolerate downtime. Doing it against a dozen platforms simultaneously and surviving five years of active countermeasures is something else.

I had my own anti-abuse layer, modeled after the same machinery that powered the site. I think it might have been the most sophisticated engineering I have done. The architecture had to look like a CDN edge because that is what it was competing with on latency. A minute-long outage during the Super Bowl was not survivable.

The interesting question for a platform security audience isn’t whether I had authorization. I obviously didn’t. The interesting question is how a platform distinguishes authorized from unauthorized session use when the sessions are valid and the credentials are honest. That is not a question the CFAA answers. It is the question the controls have to answer, and most of them don’t, or at least not well enough to thwart me.
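To make "the question the controls have to answer" concrete, here is a sketch of one detection approach, added as an illustration for this page. It is not HeheStreams code and not any league's or platform's actual control; the log format (fields acct, sess, ip, asn, stream) and the sample lines are constructed for the example. The idea is that when every request carries a valid token from a real subscriber, the only remaining signal is how a single session is being used: one token appearing from many networks, or watching more distinct streams than one subscriber plausibly could, inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not any platform's real schema):
# <iso-timestamp> acct=<account> sess=<session-id> ip=<client-ip> asn=<client-asn> stream=<stream-id>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) acct=(?P<acct>\S+) sess=(?P<sess>\S+) "
    r"ip=(?P<ip>\S+) asn=(?P<asn>\S+) stream=(?P<stream>\S+)$"
)

# Constructed sample: S-aaa is one household on one ISP; S-bbb is a single
# valid session replayed from several networks against several streams.
SAMPLE_LOG = """\
2021-09-12T20:00:01Z acct=u1001 sess=S-aaa ip=203.0.113.10 asn=AS7922 stream=nfl-kc-den
2021-09-12T20:00:05Z acct=u1001 sess=S-aaa ip=203.0.113.10 asn=AS7922 stream=nfl-kc-den
2021-09-12T20:02:30Z acct=u1001 sess=S-aaa ip=203.0.113.11 asn=AS7922 stream=nfl-kc-den
2021-09-12T20:00:02Z acct=u2002 sess=S-bbb ip=198.51.100.5 asn=AS3356 stream=nfl-kc-den
2021-09-12T20:00:03Z acct=u2002 sess=S-bbb ip=192.0.2.77 asn=AS16509 stream=nfl-kc-den
2021-09-12T20:00:04Z acct=u2002 sess=S-bbb ip=192.0.2.78 asn=AS16509 stream=nfl-gb-chi
2021-09-12T20:00:06Z acct=u2002 sess=S-bbb ip=203.0.113.200 asn=AS20115 stream=nfl-dal-phi
2021-09-12T20:00:09Z acct=u2002 sess=S-bbb ip=198.51.100.99 asn=AS701 stream=nfl-kc-den
"""


def parse_log(text):
    """Parse lines matching LINE_RE into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def score_sessions(events, window=timedelta(minutes=5), max_asns=2, max_streams=2):
    """Flag sessions whose use pattern is implausible for one subscriber.

    Nothing here checks credentials: every event already carries a valid
    session. The signal is the peak number of distinct ASNs and distinct
    streams a single session touches inside any sliding window of `window`.
    Thresholds are assumptions (2 ASNs allows a wifi-to-mobile handoff).
    """
    by_sess = defaultdict(list)
    for ev in events:
        by_sess[ev["sess"]].append(ev)

    findings = {}
    for sess, evs in by_sess.items():
        evs.sort(key=lambda e: e["ts"])
        peak_asns = peak_streams = 0
        for i, anchor in enumerate(evs):
            asns, streams = set(), set()
            for ev in evs[i:]:  # events are sorted, so stop at the window edge
                if ev["ts"] - anchor["ts"] > window:
                    break
                asns.add(ev["asn"])
                streams.add(ev["stream"])
            peak_asns = max(peak_asns, len(asns))
            peak_streams = max(peak_streams, len(streams))
        reasons = []
        if peak_asns > max_asns:
            reasons.append(f"session seen from {peak_asns} ASNs inside one window")
        if peak_streams > max_streams:
            reasons.append(f"{peak_streams} distinct streams inside one window")
        if reasons:
            findings[sess] = {
                "acct": evs[0]["acct"],
                "distinct_asns": peak_asns,
                "distinct_streams": peak_streams,
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for sess, f in score_sessions(parse_log(SAMPLE_LOG)).items():
        print(sess, f["acct"], "; ".join(f["reasons"]))
```

Run against the sample, only S-bbb is flagged (4 ASNs and 3 streams inside one window); S-aaa changes IP once but stays on one ISP and one stream. The caveat a practitioner will raise immediately is that network-based heuristics misfire on VPNs, carrier-grade NAT and mobile roaming, and a determined operator can shape traffic to stay under any static threshold. A heuristic like this is a start for detection, not a substitute for binding the session to the client that obtained it.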

Wire fraud

Wire fraud requires the use of interstate wire communications in furtherance of a scheme to defraud. In practice that means: if you used the internet, you used the wires. Every API request crossed a state line. It’s the charge prosecutors attach to almost anything online because it’s almost free to prove the wire element. The substantive question is the underlying scheme; the wire part is procedural.

Wire fraud is often assumed to mean a financial wire transfer. It doesn't; the "wire" is any interstate electronic communication, and money only enters through the scheme element, which has to aim at obtaining money or property by false pretenses.

Interstate threats and extortion

These are the charges the press latched onto, and they’re the ones with the most daylight between the headline and what happened.

I’d found a handful of bugs on a sports league’s systems that impacted 100% of their customers—unrelated to streaming, unrelated to HeheStreams. Different attack surface, different work, found while looking at something else—something I, in fact, had authorization to look at. I reported them in a panic because of their severity. It took a month to get it to a person who found it “interesting” enough to take my phone call.

There was no formal bug bounty program. Someone at the league asked what I “valued” the bugs at. I treated that as a literal question and ran the numbers through Shopify’s public bug bounty calculator, which returned a figure in the six figures. I said immediately that the number was absurd given the effort involved. I had spent no more than an hour finding and documenting the bugs.

That email thread became the basis for the extortion and interstate-threats counts.

There’s a real CTI lesson in this and it isn’t about me. Researchers report into enterprises without formal programs constantly. The path from “what do you value this at” to “demand for payment under implied threat” is short, retroactive, and gets walked entirely by the recipient’s interpretation and the prosecutor’s reconstruction. Intent gets assigned after the fact, and neither the government nor the victims have any incentive to downplay it. If you’re reporting bugs to a company without a published program, scope, and safe-harbor language, you are negotiating the framing of your own conduct with someone whose job is to make the framing favorable to them.

The fine line between bug bounty and extortion is fine enough that it’s worth advocating for clearer protections. Whistleblowers have them. Security researchers operating in good faith mostly don’t.

As for the bugs themselves, I know that if I had a platform I would have been beyond elated that someone reported them responsibly, and terrified that someone reported them at all.

Coverage

Most outlets ran the extortion angle because “hacker extorts baseball” headlines better than “guy builds a better version of the platforms.” Fair enough; that was the sport I was forced to play.

TorrentFreak was the most accurate. The rest mostly copied each other.

What this case is useful for

The DOJ filings called HeheStreams “sophisticated, calculated, and brazen” and asked for 72 months. The sophistication framing is the part of the case worth understanding from a threat-intelligence perspective, and I’ve written about it elsewhere—how that label gets attached, what it does to enforcement priorities, and why the operational details that earned it are more useful as a case study than as a charging document.

The bug-reporting half of the case is useful for different reasons: it’s a near-textbook example of how researcher intent gets reconstructed against the researcher when there’s no formal program in place.

Both halves are why I do the work I do now.