“Celebgate” or “The Fappening,” the 2014 leak of hundreds of personal celebrity photos that began in late August of last year, may have been worse than originally imagined. Hackers could have gained access to nearly 600 online storage accounts of Hollywood A-list celebrities like Jennifer Lawrence, Kate Upton, Kirsten Dunst and Anna Kendrick, according to a new report.

NBC News reported on Wednesday that the FBI began its investigation in October 2014, focusing on a residence located on the South side of Chicago, according to an unsealed warrant affidavit in the U.S. District Court in the city. Investigators used phone records and computer identification data and found that the compromised accounts were hacked by a single computer linked to two email addresses belong to a man named Emilio Herrera, 30. Does this mean the FBI has captured its culprit? It’s not that simple.

E-mail or IP addresses can be faked or masked using different methods and technologies, and various forms of internet data can be routed using third-party computers without the knowledge of their owns. It’s entirely possible that Herrera was completely unaware he was being used as a scapegoat.

The first celebrity photo leak happened on Aug. 31, 2014, when a massive amount of personal photos surfaced showing more than 100 female celebrities. Among some of the victims were singer Ariana Grande, model Bar Rafaeli and actress Jennifer Lawrence. A second “fappening” took place in September 2014, revealing private snaps from actresses Amber Heard, Scarlett Johansson and Victoria’s Secret model Candice Swanepoel.

No documents have been publicly filed since the affidavit, so it’s unclear if any evidence was discovered at Herrera’s home. However, the warrant shows that up to 2,500 iCloud accounts were targeted, and that the computer address belonging to Herrera was used to infiltrate 572 iCloud accounts about six times. The address was also used in 5,000 attempts to alter 1,987 other iCloud passwords.

Apple denied that the leaks were caused by its own security flaws last September. The company claimed it spent 40 hours investigating the incident.

“None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved,” the Cupertino, California, company said in a statement last year.