Self vs HeheStreams
This page is the part the case doesn’t tell you.
The DOJ’s version of me is a composite: a fraud, an extortionist, a hacker in the most pejorative sense of the word. That composite makes sense if you only read the indictment. It makes less sense if you look at the rest of the record—what I was doing before HeheStreams, alongside it, and after. I don’t get to release every receipt I’d like to. But there’s enough in public to draw a real picture, and this page is my attempt at one.
There’s no redemption arc here. I don’t believe in those. I believe in track records.
The extortion thing
Foremost, I hate this reporting. It gives this idea that I’m a narcissist, have some sort of Machiavellianism stream, or a hint of psychopathy. Or little empathy. I don’t. I want to address this directly, because it’s the one piece of the case that produces a specific impression of who I am, and I think that impression is wrong.
The vulnerabilities I reported to a sports league could not be more unrelated to streaming and more unrelated to HeheStreams. Different work, found while looking at something else—something that I owned. There was no formal bug bounty program. They sent their red team to look at and address the vulnerabilities. Someone at the league asked what I valued the bugs at. Autistic, I treated that as a literal question, ran the numbers through Shopify’s public bug bounty calculator, which said that a few of them were worth $150k each; I then said the resulting figure was absurd given the effort involved, and that email thread later became the basis for two of the charges.
I’ve written more about the mechanics on the charges page. What I’ll say here is the part that’s about me rather than about the law: I have reported security bugs to a lot of companies and many have resulted in NDAs because of their severity, before this happened and after. I have disclosed critical-severity CVEs publicly with coordinated timelines. I still do. The pattern of behavior is documented, durable, and consistent, and it does not look like the pattern of behavior of someone who shakes companies down for money. One email thread, read through the lens of a prosecutor’s reconstruction, doesn’t override more than ten years of doing the thing the normal way.
Only a few people know of the severity of the bugs or the mechanics, but they rank near the top of my list.
- Items at the top of my list include an IDOR at a major ticket reseller in 2012, resulting in the availability of every and any ticket;
- Leaking of plain-text passwords at a major hosting provider;
- Admin registration authentication at a major helpdesk software company.
That’s the closest I’ll come to defending myself on this page. The rest of it is just describing who I actually am, and you can decide what to make of it.
What I was doing alongside it
I maintained, and still maintain, open-source Ruby libraries. Caffeinate is one of them; it came out of HeheStreams’ lifecycle-email system and is now the most popular package of its kind. I’ve disclosed critical-severity CVEs through coordinated processes. I wrote technical content under my own name the entire time. I held W-2 jobs at companies that vouched for my work after the charges came down. None of that is the profile of someone living a double life as a criminal mastermind of a criminal enterprise. I was running a piracy site, not hidden, while also being a normal software engineer whose colleagues mostly knew about it.
Prison
I served 18 months at FCI Thomson. I learned that I’m more socially capable than I gave myself credit for, more adaptable, and considerably more tolerant of different kinds of people than I’d been before. I also learned how badly the system fails the people in it. Most incarcerated people are not set up to succeed when they get out. I’m an outlier and I know it; I had a career and a network to come back to. Most people don’t.
I wrote a book on engineering career advancement on commissary paper because that’s what I had and that’s what my brain does when it’s bored. I’m bad at being bored. Prison doesn’t fix that; it just gives you fewer outlets.
After
I had six job offers within a few weeks of being released in the late summer of 2025. I don’t know what that speaks to—desperation (mine or theirs) or competence. I took the one where the founder showed up to the interview in a sports jersey having read everything. That seemed like the right signal.
I’m not “reformed.” Reformed implies the person who built HeheStreams is gone and a different person is sitting here. They’re not. I’m the same person with the same instincts—the same compulsion to take systems apart and figure out how they actually work, the same intolerance for things that should work and don’t, the same inability to leave an interesting problem alone. What changed is what I point those instincts at. I work on the other side of the same problem now: advising platforms on the abuse patterns I used to embody, writing and speaking about how the threat-intel pipeline characterizes operators like the one I was. The skills didn’t change. The targets did.
I’ve reported bugs to companies the entire time I’ve been out. I disclose them the way I always have, through whatever coordinated channel they offer, on whatever timeline they negotiate. None of those reports have become criminal cases. That’s also not part of the record, because the US Government isn’t incentivized to report it.
Now, maybe
If you came here from the headlines, the version of me you were handed is a caricature. It’s not made up out of nothing—the underlying facts are real—but it’s been selected and framed to produce a specific impression, and the impression is wrong in important ways. The person who ran HeheStreams is the same person who maintains the open-source libraries, the same person who’s been disclosing CVEs the normal way for a decade and a half, the same person whose colleagues mostly knew and mostly didn’t care, the same person who served his time, the same person now advising platforms on the problem from the other side.
There’s no incentive to put that into headlines for anyone but me.