It's 9 a.m. in the western German city of Wesel, where Christian M. is still in bed, dozing in his room in the basement. It's a morning like every other, when getting out of bed doesn't seem worth the effort. There isn't anyone waiting for him in the outside world, where no one is interested in a young man who dropped out of vocational school and, at 22, is now unemployed and spends hours in front of his computer.
Except Lady Gaga, Mariah Carey and Leona Lewis, that is. It's August 26, 2010, in a residential area of red-brick duplexes in this city on the lower Rhine River, when the basement door opens and in bursts Lady Gaga, together with Mariah Carey and Leona Lewis. Actually, it's the police who are now standing in front of his bed, after Christian's sister let them into the house. Christian blinks as an officer shines a flashlight into his face. Then a male voice says: "You know why we're here."
Christian probably has a pretty good idea. Lady Gaga, Mariah Carey, Leona Lewis and a few other superstars have been hunting him down, along with their record companies, Universal and Sony, the American Federal Bureau of Investigation and its German counterpart, the Federal Office of Criminal Investigation (BKA). And now they've found him, a boy who looks closer to 17 than 22, who doesn't say more than a few sentences at a time and squints when he takes off his glasses.
The male voice belongs to a detective with the police criminal investigation division in nearby Duisburg. It doesn't take him long to secure a confession from Christian. Denying the charges wouldn't do him any good, anyway. The evidence is sitting on his desk: his mobile hard drive, which he usually hides in another room in the basement at night.
When they examine the drive, the police find a few thousand songs that Christian and other hackers have stolen from the computers of singers and music producers. They aren't just any old tracks, but a treasure trove for the music industry: songs that aren't even on the market yet.
Seven weeks earlier, the police had searched another room in Duisburg, the operations center of Deniz A., 17, who goes by the hacker name "DJ Stolen." Together, the two young men had been selling unreleased songs to buyers in Mexico and the United Arab Emirates.
'Shouts' and Possible Blackmail
There is even more at stake with Deniz, whose hard drive contains chat protocols that could be interpreted to suggest that he may have blackmailed international stars. Fearing that DJ Stolen could place their songs on the Internet, thereby destroying the marketing campaigns for their next hits, they would send Deniz a "shout," a few spoken sentences that make it sound as if they, the stars and the hacker, were buddies. A shout is the most valuable trophy after a successful attack, allowing someone like Deniz to show that he has the toughest gangsta rappers and the biggest soul divas in the palm of his hand.
Can this be true? Are the coolest glitz-and-glamour stars in an industry worth billions afraid of two young men in Germany, one in a basement in Wesel and the other in a teenager's room in Duisburg? The case, which is being investigated by the public prosecutor's office in Duisburg, leads into an unknown world created in only the last three years, a world with its own rules and a "modus operandi that is still largely unknown," according to a German police report.
Christian estimates that at least 100 young hackers in Germany are competing with each other to see who can crack the computers of the most famous pop stars, along with those of their managers, record companies, relatives and friends. Their goal is to place songs that no fans have heard yet online for other hackers. The bigger the star, the greater the hacker's fame and, of course, the greater the value of the songs. At least some of these Internet pirates, like Christian and Deniz, are believed to be selling the stolen songs.
Universal and Sony are so nervous that Rasch, their Hamburg law firm, isn't even willing to say whether it is connected with the case. The concern is that this could turn into a mass phenomenon, making the damage worse and worse.
American singer Usher, for example, reportedly discarded a fully produced album in 2009 because the songs were already circulating on the Internet. But even after the raids on Christian and Deniz, the hackers continue to hunt for fresh songs. Although United States authorities recently shut down their most important venue, the website rmx4u.com, a new one has already taken its place. The name is similar, except that this time the server is located in Tonga in the South Pacific.
An Unassuming Teenager
Christian, who is short and thin, is sitting in his parents' living room. He doesn't like to talk -- and, in fact, would prefer not to say anything at all. One could easily overlook him. Apart from his frayed jeans and black Adidas tracksuit top, there isn't anything remarkable about this young man. There is no car or motorcycle in front of the house. He doesn't even have a license to drive a moped. Instead, he has spent some of the money he made with stolen songs to buy new glasses for €150, a laminate floor for his room and a Playstation -- nothing extravagant.
Christian's mother says her son never had it easy. He had surgery at the age of three because he was cross-eyed. It was the first of four operations. He was always the smallest among his peers, and for a while his parents thought that he might even be a dwarf. Christian quickly became resigned to the fact that he would always be a victim as a result. They called him "dwarf" in the soccer club, "fisheye" at judo and "four-eyed snake" in school. He withdrew a little bit more with each insult, but he also got into the habit of forgiving himself for everything that went wrong in his life. He didn't do well in school and barely managed to graduate from middle school. After that, he did little else but complete a few internships. When his mother complains that he has been "lazy as hell" all these years, Christian doesn't even defend himself.
"But all of this has nothing to do with hacking," he says. The investigators disagree. Someone who is unsuccessful in life and is unpopular as a result can find something on the computer that he has never had before: recognition.
'I'm Addicted to Music'
The teen was already 15 or 16 by the time his parents gave him his first PC. He had begged for it for a long time, and all he did at first was play games, like Counterstrike and FIFA World Cup. He would play all afternoon and into the evening, spending more and more time doing it. But that isn't unusual for an adolescent. He also downloaded music from file-sharing sites, which is illegal but not uncommon.
One day, when he was playing Counterstrike with his cousin, using a network, the cousin brought in a friend. He was only 13, but he had a few tricks up his sleeve, like how to hack into other computers without the users even noticing. "It took all of 10 minutes, and then I knew how to do it, too," he recalls.
At first they tested the waters, sending each other Trojans -- complete virus programs -- that they would download from the Internet and attach to e-mails. Christian realized that it was relatively easy. The way a Trojan works is that the clueless recipient merely has to click on the infected attachment, and already the hacker can search through his entire computer.
Then Christian began hacking into the computers of record-company executives and artists. He would find out whether the celebrities or their managers have a page on a social network like Myspace, and then he would write to them, attaching what he claimed was a picture or a song -- but was in fact a Trojan. Later on, he sent phishing e-mails designed to look like they were from companies like Yahoo or Apple. In the e-mails, users are told that they are being targeted in a hacker attack, and to enter their passwords to solve the problem. Of course, the passwords went directly to Christian.
'I Made a Huge Mistake'
He would jump from one computer to the next, hacking into the computer of Mark Pitts, a music executive at Sony. Then he would scan the e-mail addresses on Pitts' computer and write to other managers and artists, pretending to be Mark Pitts -- with his Trojans attached, of course. In this way, he could move from one target to the next, constantly searching for new, unreleased songs, preferably black music like R&B.
Christian wasn't alone, either. On one Internet forum, Black n Beatz (BnVZ), around 20 boys and young men post their hacked songs. Those who have nothing to offer are not given access. Christian, however, decided he had enough to offer to be given access. The police believe that "Cee," as Christian calls himself online, was probably the head of the BnVZ hacker crew, one of perhaps four or five such groups in Germany.
A couple of guys asked him if they could be part of the site, and he also brought in a few people on his own, Christian says today. "Of course, I know that I made a huge mistake and that I have to be punished," he says today. He claims that he was able to hack into 200 to 300 computers, but the police believe that the number is probably between 500 and 1,000. He also downloaded a few documents from one of these computers, one that belongs to Universal. The documents contain the "proposed most important projects for the music industry in 2010," as the investigators would later note. For the victims, the record companies, it was a disaster.
Christian also had to have been motivated by his love of the music, or else he could just as easily have hacked into the computers of book publishers. But he isn't interested in books. The search for music, on the other hand, is also an addiction of sorts, an addiction to collecting things. Of course he was afraid of being caught, he says, but the excitement of it all helped him ignore the fear. "I'm addicted to music," he says, "I know that."
Why else would someone store 80,000 songs on his hard drive, a few thousand of them in a directory called "Unreleased?" Was it to listen to them all or just to have them? It wasn't until later that he tried making money with the songs. "I didn't have anything else," says Christian. He sold a few songs on his own, for a quick €50. Then he met another hacker on the rmx4u.com website, the marketplace for the entire music hacker scene. The hacker was Deniz A., aka DJ Stolen, a student at a vocational school who bragged about how much money could be made selling hacked songs.
A Dangerous Enemy
There is a photo online of Deniz and his mother. The caption reads: "Me and my mommy, mum I luv youuuuu." Deniz, a boy with brown, fawnlike eyes, still lives with his parents in an upscale neighborhood in Duisburg. But for the American music industry, Deniz isn't a momma's boy, he's the enemy. In fact, he is one of its most dangerous enemies worldwide.
They have been hunting him since January 2010. At the time, DJ Stolen was chatting with someone, not knowing that the person was actually an undercover FBI agent. The boy gave the agent an Internet address, and the BKA's Department SO 43 (SO stands for Serious and Organized Crime) gave the Americans the real name corresponding to the address. It was registered to Deniz's mother.
In April 2010, three months before the police raided the house in Duisburg, attorneys with the Rasch law firm filed a criminal complaint, charging that Deniz A., aka DJ Stolen, was constantly placing hacked songs on the Internet. The complaint also contains a list of 27 songs, including "No Way" by Lady Gaga, "Masquerade" by the Backstreet Boys, "Pulse" by Leona Lewis, "Rockbank" by Usher, as well as songs by R. Kelly, Snoop Dogg and Enrique Iglesias. All of these songs were new, and they were all on the Internet before the record companies had released them. Deniz had also hacked into Sony executive Pitts' computer. As indirect evidence, the lawyers cited a sentence they had found on rmx4u.com, in which Deniz had apparently written that there was one song he "didn't find in pit (sic) mail," but someplace else.
In addition to raiding the mailbox, DJ Stolen used Pitts' e-mail address to deceive other Sony employees. "The perpetrator stealing our music is causing real problems," a Sony executive complains after having lost three songs to the hacker.
Personal Greetings from Stars Were as Important as Money
In April, Deniz hacked into the computer of Jason Clarkson, the brother of American singer Kelly Clarkson. Using his computer, he managed to infiltrate the pop star's laptop and downloaded 19 new songs from the hard drive. He would have preferred Lady Gaga, he later told the police, but he couldn't get into her computer. Nevertheless, Kelly Clarkson wasn't half bad, he added. Soon afterwards, he sent an e-mail to a woman from the German Kelly Clarkson fan club, asking if she was interested in buying the next album -- the whole thing. The woman notified the star's management, negotiated a price with DJ Stolen and eventually got all the songs from him for €250. She also kept a copy of the entire chat.
But Deniz quickly became so sophisticated in his new venture that investigators could hardly keep up. "The suspect's methods are getting more and more audacious," the Rasch attorneys complained. Instead of selling songs to hand-picked fans, he had developed his own Internet shop, where anyone could click on a song and place it into a shopping cart. And now a hacked track no longer cost only €15, but was selling for $50 to $1,000. During a three-week period in May, $16,874 was paid into his PayPal account.
Deniz's site offered Shakira for $150, Leona Lewis for $50, Britney Spears for $750 and Lady Gaga's song "Then You Love Me" for $1,000. By now he had solved his Lady Gaga problem, because he had found a supplier: Christian, the young man from Wesel. "Cee" had sent him six songs by Lady Gaga, two by Mariah Carey, three or four by Leona Lewis -- songs Cee claimed had been a gift from another hacker. Cee and DJ Stolen divided up the proceeds, each earning a few thousand in the process.
The "shouts" and "drops," the personal greetings from the stars, were as important as the money. The boy from Wesel insists that he never blackmailed a star, and so does Deniz. But the police are looking into charges of coercion, at least in the case of DJ Stolen. After all, he once bragged online that he had "blackmailed" singer Marques Houston, just like all the others who "sent me a shout." Now Deniz has changed his tune, saying that he was just showing off, and that none of it was true.
But how else is one to interpret what he wrote to US pop starlet Ke$ha? He also hacked into her computer, where he found photos of a breast operation, along with other photos that could destroy a career in the United States.
"Hey this is DJ Stolen from Germany. I just wanna let you know that i love you so fucking much," he wrote, adding that it would be nice to get a shout from her. Ke$ha apparently quickly understood how dangerous the situation was. This DJ Stolen had discovered her secret e-mail address, which meant that he might even have access to everything that was in her mailbox. Her response reflected her concern. Sure, she wrote, she would love to record a shout for him, as long as he didn't do anything with her private photos. "We should be friends," she wrote, adding: "i'll send you whatever drops as soon as you need em! What exactly do you want them to say?" Deniz A. replied: "Yo whatup you already know it's ya girl Kesha and I'm in love with my boy --- DJ Stolen." In return, he promised to keep her photos to himself. But just in case she tried to find him, he added, he had enough material to embarrass her in front of the whole world.
The Police Make their Move
When asked about the case today, Deniz says that he was merely trying to discourage Ke$ha from having people find him. The threat, he says, had nothing to do with the shout. He points out that Lady Gaga also sent him something voluntarily. But even though Ke$ha sent him a shout, Deniz published one of the photos, adding a few arrows and labels that left no room for doubt. Then another hacker retaliated for Ke$ha by putting Deniz's personal ID card, which he had apparently found on his computer, online. The police made their move immediately, to prevent Deniz from wiping his computer clean.
Christian spent years living his life on the Web, and now the police have deprived him of that existence. He is slowly realizing that it was better this way, and yet he still feels the addiction. His two lawyers, Essen attorneys Christian Nohr and Rudolf Esders, have now made it clear to him that he could get up to three years in prison for each of perhaps 500 or 1,000 hacker attacks, not to mention the possibility of being sued for millions by the record companies.
The public prosecutor's office could very well present its indictment this month. "I don't want to go to prison," says Christian. But if he wants to get off with probation, it will be time for him to find a different life, one outside the darkness of his basement room, outside the dark rooms of the Internet. He'll need time for that, and perhaps some therapy.
"It will be a long road out of addiction, and what he now needs are prospects for life," says attorney Nohr. Christian wants to go back to school and get a high-school diploma. Two weeks ago, he went to an adult education center to look into his options. This isn't much, and yet it's more than he would have been expected to do only a few months ago. On the other hand, sometimes he mourns the absence of his old life, and he asks himself why they searched his room and left so many others alone. Why is it over for him, while the others can keep on doing what he did -- perhaps with a new server, but with the same people, the same Trojans and the same trophies. In November, a boy from Hamburg offer to sell eight songs from the new Michael Jackson album for $1,000, promising top sound quality.
'I'm Incredibly Sorry'
Deniz has since apologized with a grand gesture. "I'm incredibly sorry about the whole thing," he told the German tabloid Bild, and he sent a letter to Lady Gaga, begging her forgiveness. He also wants to write to Ke$ha. Now he wants to start a new life, says Deniz, by launching a business to protect stars from hackers.
But his old life might catch up with him first. On Nov. 17, at 11:38 a.m., four months after the police raid on Deniz's house, Sony executive Peter Thea sent an e-mail to Mark Pitts. "Mark," he wrote, "here's the song by Chris Brown. Tell me what you think."
Someone else was also reading the same e-mail. His e-mail address was: firstname.lastname@example.org. It is one of the many addresses Deniz uses online. But that isn't everything. There is also a chat protocol, presumably from the same day, and a screenshot of the e-mail correspondence between the two Sony executives. One of the two chatters, calling himself "Deniz RnB," writes: "I'm in. He just bit."
Burkhard Benecken, the attorney for Deniz, says his client has absolutely nothing to do with it.