Scammer Infiltrated Thousands of iCloud Accounts to Find Nude Photos
Hao Kuo Chi collected more than 620,000 private photos and videos by impersonating Apple customer support staff and sending out emails to trick his victims into providing Apple IDs and passwords. Chi used social engineering and phishing schemes to coerce his victims, and he did not breach Apple's iCloud protections.
Chi accessed photos and videos from at least 306 victims across the United States, and most of them were young women. Some of the victims were attacked at the request of people that Chi met online after he marketed himself as "icloudripper4you," a service that could break into iCloud accounts to steal photos and videos.
His unknown co-conspirators would ask Chi to hack a specific iCloud account, and he would respond with a Dropbox link. Chi operated two Gmail addresses "applebackupicloud" and "backupagenticloud," where the FBI found more than 500,000 emails with approximately 4,700 iCloud user IDs and passwords that he had been sent from his victims.
Chi's scam fell apart after he hacked the iCloud account of an unnamed public figure in March 2018 and the photos ended up on pornographic websites. The FBI launched an investigation, and found that a log-in to the victim's iCloud account had come from Chi's home.
Chi has pled guilty to one count of conspiracy and three counts of gaining unauthorized access to a protected computer, and he now faces up to five years in prison for each crime. In a phone call with The Los Angeles Times, Chi said that he was "remorseful" for what he did, but claimed he had a family to support. He said that he was afraid public exposure of his crimes would "ruin [his] whole life."
The unauthorized iCloud access perpetrated by Chi is similar to a 2014 attack that saw hackers gain access to celebrity iCloud accounts through their username and password.
After that incident, Apple bolstered iCloud account security, offering two-factor authentication and sending emails whenever there's a new login to an iCloud account. The people involved in Chi's attack likely did not have two-factor authentication enabled.
Apple recommends two-factor authentication for all Apple IDs to add extra security, and it offers a support document on how to avoid phishing schemes like the one used by Chi.