Skip to content
Naked Security Naked Security

iCloud-hacking politician to be sentenced on Christmas eve

Former Dutch city council member Mitchel van der K invaded hundreds of iCloud accounts “frequently and repeatedly”.

Dutch police have turned up yet another iCloud-hacking Celebgate drooler/crook/nudie-stealing/doxing creep who decided to use women’s privacy as his personal doormat. This time around, it’s a politician, and he’s no longer on the city council: instead, he’s looking at up to three years in prison.

Make that a wannabe politician: Mitchel Van der K, a copywriter who was running for city council (and who had been voted in) in the Dutch town of Almere, withdrew from politics after an investigation led to his iCloud password-cracking escapades. His problems began after he leaked nude images and a sex tape from Dutch vlogger star Laura Ponticorvo in March 2017 – a leak that sparked both media attention and an investigation.

According to prosecutors, the extent of Van der K’s data theft is “unprecedented.” He invaded hundreds of accounts, “frequently and repeatedly” violating his victims’ privacy. The prosecutor’s office cited victims’ statements such as these:

It feels like someone has broken into me.

It feels like a digital assault.

I feel dirty and I feel watched.

I also have a private life and I am very careful with that.

A month after Dutch investigators tracked him down, raided his home, and arrested him, Van der K was publicly outted by the famous Dutch crime journalist, television presenter, and former police officer John van den Heuvel.

On Tuesday, the public prosecutor of the North Holland Public Prosecution Service asked that Van der K – a member of the VVD political party in the Netherlands – be sentenced to three years in prison for hacking into the cloud storage accounts of both celebrities and people he actually knows.

The content he stole from his victims’ iCloud accounts included financial data such as insurance documents, family photos, and, of course, the material that so many crooks have been groping for in the multiyear crime spree that is Celebgate – nude photos and videos.

Besides, Ponticorvo, Van der K’s local victims included another celeb: Dutch field hockey star Fatima Moreira de Melo.

Where’s the “allegedly”?

No need to couch this in “the accused is innocent until proven guilty” language, because Van der K straight-up admits that he frequently hacked – or tried to hack – iCloud accounts.

Van der K claims that he did so because he was being extorted. His story goes like this: he was forced to hack women’s personal accounts and steal their personal data because some other, mysterious, unknown extortionist was threatening to reveal revealing footage of him.

The public prosecutor’s response: Seriously? That makes no sense. Most of the victims – more than half – were non-celebs. They were women Van der K knew from work or his personal life. Why would somebody force Van der K to go after the intimate photos of women whom (relatively) nobody knows? From a translation of the prosecutor’s public statement:

Why an unknown extortioner would have forced the suspect to browse their accounts for photos and videos, I completely miss.

They just can’t stop mugging women

The first wave of celebs who suffered this kind of hacking and nudie larceny came in 2014 with Celebgate 1.0. In v1, thieves and many equally scumbaggy photo-sharers trampled over the privacy of Jennifer Lawrence, Kate Upton, Kirsten Dunst, Selena Gomez, Kim Kardashian, Vanessa Hudgens, Lea Michele, Winona Ryder, and Hillary Duff, among dozens of other women celebrities.

In 2017, we got another sad sequel in Celebgate 2.0, starring the victimized celebs Emma Watson and Amanda Seyfried, among others … followed a few months later by Celebgate 3.0, in which photos were gang-grabbed from Miley Cyrus, Stella Maxwell, Kristen Stewart, Tiger Woods, Lindsey Vonn and Katharine McPhee.

Here’s wishing his victims a nice Christmas gift

According to the prosecution, the Dutch court is expected to rule on Van der K’s case on 24 December – as in, Christmas eve.

Culprits can’t seem to get it through their skulls that they might get caught, thanks to investigators’ skill at tracking them down. We’ve seen a slew of them get busted and sentenced.

We’ve also seen their methods revealed. One of them, Edward Majerczyk, got to his victims by sending messages doctored to look like security notices from ISPs. Another Celebgate convict, Ryan Collins, chose to make his phishing messages look like they came from Apple or Google.

These guys’ pawing was persistent: the IP address of one of the Celebgate convicts, Emilio Herrera, was used to access about 572 unique iCloud accounts. Herrera, who was sentenced to eight months in prison, went after some of those accounts numerous times: in total, he tried to access 572 iCloud accounts 3,263 times. Prosecutors said that he also tried to reset 1,987 unique iCloud account passwords approximately 4,980 times.

Some of them used a password breaker tool to crack accounts: a tool that doesn’t require special tech skills to use. In fact, anybody can purchase one of them online and use it to download a victim’s iCloud account if they know his or her login credentials.

To get those credentials, crooks break into a target’s iCloud account by phishing, be it by email, text message or iMessage…

What to do

…All of which points to how scams that seem as old as the hills – like phishing – are still very much a viable threat.

Anybody who owns an email account and a body they don’t want to see parading around the internet without their permission should be on the lookout, though telling the difference between legitimate and illegitimate messages can be tough.

Here are some ways to keep your private images from winding up in the thieves’ sweaty palms:

  • Don’t click on links in email and thus get your login credentials phished away. If you really think your ISP, for example, might be trying to contact you, instead of clicking on the email link, get in touch by typing in the URL for its website and contacting it via a phone number or email you find there.
  • Use strong passwords.
  • Lock down privacy settings on social media (here’s how to do it on Facebook, for example).
  • Don’t friend people you haven’t met on Facebook, and don’t share photos with people you don’t know and trust. For that matter, be careful of those who you consider your “friends”. One example of creeps posing as friends can be found on the creepshot sharing site Anon-IB, where users have posted images they say they took from Instagram feeds of “a friend”.
  • Use multifactor authentication (MFA) whenever possible. MFA means you need a one-time login code, as well as your username and password, every time you log in. That’s one more thing the scumbags need to figure out every time they try to phish you.


Glad they caught’im. But just one question. Why are people uploading their nudes to cloud storage?


This isn’t “posting on a public forum and wondering how people found it.” This is “uploaded it to a private storage location that is locked.” That’s absolutely not the same thing. And as for the upload itself? A lot of phones will now automatically do so out of the box, if you follow through the entire account process. I generally recommend it to people with Google Photos, for example, thanks to the free storage tier and some people taking TONS of photos. Regardless, the expectation is of privacy, not public display. The guy getting into the accounts here wasn’t just randomly browsing a search engine that came up with an open directory – it was active targeting to steal credentials.


I hear you. But the expectation should not be privacy. If you’re going to take nudes, delete them when you’re done.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!