As reported Tuesday by Motherboard, hackers that go under the code-name “Turkish Crime Family” have allegedly obtained, through unknown means, access to hundreds of millions of Apple email accounts, including iCloud inboxes with email addresses on @icloud and @me domains.
They’re threatening to remotely wipe iOS devices unless Apple pays a laughable ransom. It’s notable that iCloud has never been hacked into directly and other reasons make this story hard to swallow.
They’re demanding that Apple pay a ransom by April 7 in the form of:
  • Either $75,000 in cryptocurrencies Bitcoin or Ethereum;
  • Or $100,000 in iTunes Gift Cards.
If the Cupertino company does not comply with the request, the group says it’s going to reset the accounts and effectively wipe all data on the associated Apple devices.
Trying to apply pressure from the media to coerce payment from Apple, one of the hackers said: “I just want my money and thought this would be an interesting report that a lot of Apple customers would be interested in reading and hearing.”
The group originally shared a YouTube video allegedly proving they did hack into an elderly woman’s iCloud account. The video also demonstrated the ability to remotely wipe the devices, which is trivial when you have access to the underlying Apple IDs.
It was subsequently removed after a member of Apple’s security team turned down the ransom and requested that the video be taken offline. Here’s what an unnamed member of Apple’s security team apparently wrote back to the hackers a week ago:
We firstly kindly request you to remove the video that you have uploaded on your YouTube channel as it’s seeking unwanted attention.
Second of all, we would like you to know that we do not reward cyber criminals for breaking the law.
The alleged Apple team member warned the group that archived communications with them will be sent to the authorities. The Cupertino company had not publicly commented on the situation at the time of this writing, its usual modus operandi.
This is a laughable story, in my personal opinion.
Firstly, there are the inconsistencies.
The hackers originally said they held 300 million accounts for ransom. The figure later changed to 559 million accounts. Importantly, they did not provide Motherboard with a data cache of the supposedly stolen iCloud accounts to verify the claims.
The only piece of evidence they provided came in the form of alleged screenshots (images are easily faked, mind you) of the purported emails between the group and members of Apple’s security team.
“Motherboard only saw a screenshot of this message, and not the original,” states the article. For what it’s worth, the group did gave Motherboard temporary access to an email account allegedly used for communicating with Apple as proof.
The same email account was featured in the now-removed YouTube video.
If you had access to 300 million iCloud accounts, would you request only $75,000?
It’s safe to assume that some of the claimed accounts would have Apple’s two-factor authentication feature turned on. The problem is, Apple’s two-factor authentication servers have never been hacked directly on a mass scale. Leaks of compromising photos of celebrities from iCloud accounts? That was just smart social engineering.
I mean, you look at me with a straight face and tell me they compromised hundreds of millions of iCloud accounts belonging to unknown users via social engineering alone.
The laughable request for iTunes Gift Cards is also notable here. You don’t just issue serious threat like this and ask for a small amount of money while potentially giving Apple ample time to fix any vulnerabilities in iCloud systems.
If I were “Turkish Crime Family,” I’d first take ten million accounts offline so that Apple took me seriously before trying to extort the company, not for a paltry $75,000 but for a seven-figure sum. On the other hand, the reason they asked for a small amount of money could be hope that Apple would pay quickly and quietly.
As Seb commented, start asking for millions and you run the risk of Apple looking more deeply into it, potentially contacting the FBI (case in point: Apple’s aggressive reaction to the stolen iPhone 4 prototype in 2010). I’m not sure why Motherboard deemed this newsworthy and reliable enough to publish, but I’m not buying this story at all.
Are you? And should Apple cave in and pay, just in case?