Skip to content
Naked Security Naked Security

Apple iCloud “data dump” extortionist avoids prison

He claimed to have logins for millions of iCloud accounts, and told Apple he'd shut them all down unless he received a payoff.

A London man who tried to extort $100,000 from Apple by threatening to dump data from millions of iCloud accounts and then shut them down will be spending the holiday season at home, despite being sentenced in court last week.

Kerem Albayrak, 22, from North London, ended up pleading guilty to three offences – one charge of blackmail, and two charges of unauthorised access.

The UK’s National Crime Agency (NCA), which investigated the crime, reported last week that Albayrak was given a two year suspended jail term, 300 hours of unpaid work and a six month electronic curfew for threatening to delete 319 million iCloud accounts.

Albayrak had a month of fame back in March 2017, apparently using the Twitter handle “Turkish Crime Family”, where he claimed to have recovered passwords for an ever-increasing number of iCloud accounts that were his blackmail bargaining chip with Apple:

[2017-03-21] 200 Million iCloud accounts will be factory reset on April 7 

[2017-03-22] The number of Apple credentials have increased from 519m to 
             627m, we are convinced it will keep growing until 7 April 2017

[2017-03-22] Update: We are still strengthening our infrastructure and 
             acquiring more servers for 7 April 2017

[2017-03-22] If Apple does not figure out a way to stop us they'll be 
             facing serious server issues and customer complaints

According to the NCA, Albayrak first contacted Apple on 12 March 2017, presumably revealing that he had login details for at least some iCloud accounts, and demanded a “fee” for deleting his database instead of putting it up for sale online.

The hush money he wanted was $75,000 in cryptocurrency or $100,000 in the form of 1000 iTunes cards of $100 each.

A week later, says the NCA, Albayrak raised the $75,000 “fee” to $100,000 after posting a video on YouTube showing himself logging into and using two different iCloud accounts.

He also apparently told Apple he’d upped the ante: not only did he want more money, he was also planning to do a bulk “factory reset” of hundreds of millions of accounts.

(We’re guessing that the evidence in this video is why Albayrak faced two Computer Misuse charges of unauthorised access, given that he demonsrated himself not only possessing other people’s passwords but also actually using those passwords by logging in to further his crime.)

Apple contacted US and UK law enforcement following the blackmail demands, and the NCA took up the investigation from there, arresting Albayrak shortly afterwards.

NCA investigators say that Albayrak told them at the time:

[O]nce you get sucked into [cybercrime], it just escalates and it makes it interesting when it’s illegal. […] When you have power on the internet it’s like fame and everyone respects you, and everyone is chasing that right now.

What to do?

The NCA says that “the data Albayrak claimed to have was actually from previously compromised third-party services which were mostly inactive.”

In other words, it sounds very much as though Albayrak got a bunch of paswords from existing breaches, and tried those passwords on iCloud accounts in the same name.

That’s known in the trade as credential stuffing, and it’s a stark reminder why you should never use the same password on more than one account, no matter how inconsequential those accounts might seem.

So, our tips here boil down to the basics:

  • Pick proper passwords. Use a password manager to help you choose a different, randomly generated password for every account instead of using your cat’s name followed by fb for Facebook, tw for Twitter, ic for iCloud and so on. If there’s a pattern to your passwords, you can assume that the crooks will figure it out.
  • Use two-factor authentication (2FA). Those six-digit login codes that get texted your phone, or generated by a special app, are different every time. That means your password is no longer enough on its own for a crook to login to your account and mess around with it.
  • Don’t leave old accounts abandoned. If you stop using a service, shut down your account completely so that there’s no chance of a crook coming along later and apparently acting in your name. A password manager helps here – unlike you, it won’t forget how to login to accounts it hasn’t used for ages.

2 Comments

Yes, but the punishment should be impartial. I’m still fuming over 2008-2011. We (USA, certainly not the United Kingdom) have a corrupted system of legal loopholes only the rich can afford and politicians that only want money for reelection and revolving door jobs. Corruption is like cancer, it just spreads.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?