Phishing for Photos

Man Tricked Women into Giving Him Passwords to Access Private Information


Many hackers use the Internet to swindle money or to get revenge on their adversaries. But an Alabama man’s online crime was stealing women’s personal photos simply for the thrill of invading their privacy.

In e-mails to prospective victims, Kevin Maldonado, 35, purported to be an administrator for their e-mail provider and requested that they change their passwords. He then captured those passwords and accessed their private information—a computer intrusion technique known as phishing.

More than 50 women fell for the scheme. And once Maldonado had their passwords, he could unlock his victims’ online lives, including pictures on their cell phones that were backed up to the cloud.

“Getting into these people’s personal lives in a deviant manner excited him,” said Special Agent Emily Celeste, who investigated the case out of the FBI’s Birmingham Division. Maldonado stole and downloaded thousands of photos from unsuspecting women for more than a year, and they never knew it until the FBI notified them.

The case came to the FBI’s attention when some of the recipients of Maldonado’s e-mail who were suspicious of the message notified their provider, who, in turn, alerted the Bureau. Working collaboratively with the company, the FBI was able to trace the e-mails back to Maldonado’s computer in Birmingham, Alabama.

While some of the photos Maldonado stole were explicit, others were simply everyday pictures of children, pets, and family get-togethers. Unlike some similar cases where stolen information is released to embarrass victims, Maldonado kept the photos on his own computer for his own use.

“You have pictures of your kids all over your phone, family moments, and he harvested them for himself,” Celeste said. “It was just disgusting.”

Given Maldonado’s random approach to finding his victims, there was minimal connection among them, although many were models or in the fitness industry. Some had been romantically involved with Maldonado, some he had found online, and others lived in his community. After Maldonado accessed one woman’s e-mail, he would then use her contacts list to identify future victims.

Maldonado pleaded guilty in federal court in Birmingham, Alabama in February 2017 to computer intrusion, and a judge later sentenced him to six months in prison and three years of supervised release.

The case is noteworthy because of the perpetrator’s motives and the randomness of the targets, but overall, phishing is a common crime. According to the FBI’s Internet Crime Complaint Center (IC3) 2016 Internet Crime Report, there were more than 19,000 victims of phishing and related scams last year.

“Number one is not to ever respond to any type of e-mail request with your username and password,” Celeste said. “Also, definitely be careful what you put out online, especially when it ties back to your security questions. Once somebody obtains your password or can answer your security questions, they’ve opened up your entire world.”

Celeste advises using a diverse array of passwords to protect yourself, so if one password is compromised, a thief cannot easily access other accounts.

“Connecting all of those accounts, like most people do, he was able to have control over their lives, and they didn’t know it,” Celeste said.