The Lost ‘Airbender’: How Paramount’s Movie Hack Spiraled Into a Crisis

On April 12, the anonymous X account ImStillDissin shared a pair of minute-long snippets from what appeared to be the unreleased film Legend of Aang: The Last Airbender. He had said Nickelodeon “accidentally” emailed him the entire movie, which turned out not to be the case. More on that later. “I saw it’s just a Paramount+ thing, so I decided I’d troll a little bit” by posting the videos, he told The Hollywood Reporter at the time. A day later, a full-length version surfaced online.

From there, the situation metastasized into a crisis for Paramount. Its lawyers combed the internet to scrub clips and downloads of the film, though by then it was too late. The two initial X clips that sparked the saga racked up more than 100,000 likes in 12 hours before being taken down. Superfans hosted watch parties of the film, which appeared on Letterboxd’s “popular this week” list. To this day, counterfeit DVDs are still being hawked on eBay.

For Avatar: The Last Airbender fans, the movie was supposed to be a long-awaited return to the franchise. The original show, which ran from 2005 to 2008, had a dazzling Netflix run in 2020, when it topped the streamer’s daily chart for more than 60 days, and even last year, when it ranked as the third-most-streamed animated show on the platform. In some corners, it is regarded as Nickelodeon’s magnum opus and is among the most-beloved American animated shows. Twenty years later, Paramount sees value to be mined.

Avatar Studios was formed in 2021 as a division tasked with creating a universe based on the Avatar world, which will include upcoming series Seven Havens. The Legend of Aang was supposed to debut in theaters, but plans changed after David Ellison assumed control of the studio with the Skydance merger.

Paramount has conducted an investigation into the incident. As part of the probe, the company eliminated the possibility that it’s responsible, a source familiar with the situation tells THR. That would point to a hack of a third-party platform that had access to the movie, which cost Paramount tens of millions of dollars to produce. 

Now, Vision Media, a screening company that handles awards promotion for studios like Disney, NBCUniversal, Netflix and Paramount, is investigating whether the leak can be traced back to security vulnerabilities in its platform. In a recording obtained by THR, Vision Media CEO Jason Deadrich is heard detailing to a gray-hat hacker, Jason Sawyer, that cybercriminals “seem to have access to content” on its servers, but that he “didn’t know how.”

“Our remediation plan is quite extensive,” Deadrich said in a discussion on April 22.

Gray-hat hackers, unlike white-hats, probe corporate systems for security vulnerabilities without the owner’s permission. They then decide whether to notify the company and provide advice or go public with their findings. Sawyer got a tip about an exploit in Vision Media’s network that was being used to gain unauthorized access. “I validated the steps I had received from a threat actor and confirmed this was a real issue,” he says. “I took steps for reasonable disclosure and contacted the company.”

The investigation hasn’t definitively concluded that Vision Media is at fault. In the recording, Deadrich said he “can’t determine what specifically happened or how it happened.” Vision Media declined to comment, citing “ongoing investigative processes” involving third parties. 

For years, at least since the devastating Sony Pictures hack in 2014, studios have been pouring big bucks into beefing up their online fences. Still, the system is only as strong as its weakest link. Several movie leaks have been found to have originated from awards screeners. Exhibit A: Piracy group Hive-CM8 in 2015 uploaded to the internet The Hateful Eight, The Revenant and Creed, among several other unreleased Oscar contenders that year, after physical copies of screeners sent to voters for awards consideration were stolen.

In the case of the Legend of Aang, hackers may have had access to Vision Media’s server, which houses catalogs of several movies watched by awards voters for an extended period. “They’ve been in your network for ages,” Sawyer told Deadrich. “They’ve been bouncing around into various different things.”

Later in the conversation, Deadrich said that Vision Media is conducting an internal probe and has been “cooperating in the external investigations with law enforcement and the groups affected.”

Days after the exchange, a 26-year-old man was arrested in Singapore for allegedly accessing a media server without authorization and leaking the movie online, per a report from the country’s major paper The Straits Times, which cites a police report that doesn’t name the individual.

But there are several clues that point to the hacker’s identity. Gray-hat hacker Sawyer says he ID’d the person behind the ImStillDissin account as Devesh Logendran, a cyber whiz who was charged in 2018 for hacking the NFL’s X account as an 18-year-old student in Singapore when he was affiliated with PeggleCrew, a hacker collective best known for its 2016 infiltration of download hosting site FossHub to distribute malware.

There are other clues in a second X account from ImStillDissin named IDISSEVERYTHING. The biggest breadcrumb: Accounts registered under that name on PayPal, Discord and Telegram, among other platforms, can be traced back to Logendran, says Sawyer, who used open source intelligence tools from OSINT Industries to check online accounts linked to a name, email address or, in this case, user name. 

On X, IDISSEVERYTHING has also hinted that his first name is Devesh and that he lives in Singapore. Indeed, when ImStillDissin called THR on Signal for the earlier report in April, his caller ID name appeared as Devesh. THR has reached out to Logendran and IDISSEVERYTHING for comment.

On 4Chan and other online communities, superfan hackers discuss trading movies and TV shows they’ve illicitly obtained among themselves and, at times, sell their hauls. Before the film became widely available for download, an account that appeared to belong to someone in Singapore who ultimately leaked the entire movie tried to ignite a bidding war. (The account also discussed Singaporean copyright law and whether the country extradites to the U.S.) “I have it,” the account posted. “Looking [for] highest bidder with actual interest in buying it. no trolling whatsoever.”

“There are a lot of vulnerabilities that a lot of people know about and, by and large, there are private communities that swap files and do all this kind of stuff,” ImStillDissin told THR in April. “There are several leaks within this pipeline.” 

“Multiple people had access,” he stressed.

Aidan Rainey, cofounder of cybersecurity firm Alerts Bar, says that most signs indicate the leak originated from Vision Media. He explains that hackers gained access to the company’s server either through a flaw in its application programming interface or, more likely, through pilfered login credentials.

“In this world, this sort of stuff happens when credentials get leaked online,” Rainey says. “That data is floating around in the internet, but the fact we haven’t picked anything else up means that it’s still in private hands. That would make sense because they wouldn’t want to share that information and give out that resource.”

When Logendran was charged in 2018, prosecutors detailed a sophisticated scheme in which he used publicly available information to work his way into the NFL’s Twitter account. He started by finding the social media director’s Twitter account, which was linked to her email address — and that email was tied to a phone number belonging to her husband, registered through the Canadian media company Rogers Communications.

Armed with those details, Logendran contacted Rogers’ online support team and impersonated the husband, claiming he had been locked out of his work account. The support team issued him a temporary username and password. He then located the social media director’s phone number and arranged for messages to be forwarded to his own device — meaning any texts sent to her phone would also land on his. That gave him the final piece he needed: after he triggered a password reset on her email account, the temporary password she received was also forwarded to him. With access to her email, obtaining the NFL’s Twitter password was straightforward.

“What I did was kind of unprecedented,” ImStillDissin said, referring to the Avatar leak. “I didn’t really register the consequences.” Some of those consequences will be borne by the production’s cast and crew, with the leak possibly cannibalizing viewership when the movie officially premieres on Paramount+ in October. 

Amid the fallout, a common refrain has emerged from backseat CEOs that the studio left money on the table by bypassing a traditional theatrical release. When it was announced last year that the film would premiere exclusively on Paramount+, a petition to reverse the decision racked up nearly 100,000 signatures. “The animation looks amazing, and the movie deserved to be in theaters,” posted an account on 4Chan, where fans discussed the leak. “Yet instead, they sent it to die on streaming.”

For Paramount, the saga may not be over. ImStillDissin said hackers have the upcoming Avatar series Seven Havens in their crosshairs next and are hungrier than ever for fresh content. “There are a substantial number of people who have access to internal stuff like this,” ImStillDissin claimed. “There’s more under the tip of the iceberg.”
