Man Steals 620K Photos From iCloud Accounts Without Apple Noticing

An anonymous reader quotes a report from The Los Angeles Times: A Los Angeles County man broke into thousands of Apple iCloud accounts and collected more than 620,000 private photos and videos in a plot to steal and share images of nude young women, federal authorities say. Hao Kuo Chi, 40, of La Puente, has agreed to plead guilty to four felonies, including conspiracy to gain unauthorized access to a computer, court records show. Chi, who goes by David, admitted that he impersonated Apple customer support staff in emails that tricked unsuspecting victims into providing him with their Apple IDs and passwords, according to court records. He gained unauthorized access to photos and videos of at least 306 victims across the nation, most of them young women, he acknowledged in his plea agreement with federal prosecutors in Tampa, Fla.

Chi said he hacked into the accounts of about 200 of the victims at the request of people he met online. Using the moniker "icloudripper4you," Chi marketed himself as capable of breaking into iCloud accounts to steal photos and videos, he admitted in court papers. Chi acknowledged in court papers that he and his unnamed co-conspirators used a foreign encrypted email service to communicate with each other anonymously. When they came across nude photos and videos stored in victims' iCloud accounts, they called them "wins," which they collected and shared with one another. "I don't even know who was involved," Chi said Thursday in a brief phone conversation. He expressed fear that public exposure of his crimes would "ruin my whole life."

The scam started to unravel In March 2018. A California company that specializes in removing celebrity photos from the internet notified an unnamed public figure in Tampa, Fla., that nude photos of the person had been posted on pornographic websites, according to [FBI agent Anthony Bossone]. The victim had stored the nude photos on an iPhone and backed them up to iCloud. Investigators soon discovered that a log-in to the victim's iCloud account had come from an internet address at Chi's house in La Puente, Bossone said. The FBI got a search warrant and raided the house May 19. By then, agents had already gathered a clear picture of Chi's online life from a vast trove of records that they obtained from Dropbox, Google, Apple, Facebook and Charter Communications. On Aug. 5, Chi agreed to plead guilty to one count of conspiracy and three counts of gaining unauthorized access to a protected computer. He faces up to five years in prison for each of the four crimes.

Sort of makes sense

[Krishnoid]

If you wanted a bunch of photos of nube-ile youngsters, iCloud is probably the first place you'd think to look.

Re:

[dicobalt]

Wonder if this is why Apple recently started using AI to automatically scan for nude underage images. They will be notifying parents if their child's account contains them. I just wonder how many kids actually have their accounts linked to their parents and how many kids just made their own account and lied about their age.

Re: Sort of makes sense

[gnasher719]

That seems to be total nonsense. You are saying apple doesnâ(TM)t want you to upload kiddy porn so that miscreants stealing your password canâ(TM)t download it? In which alternative universe does that make sense?

hope you get the book throw at you

[bloodhawk]

He expressed fear that public exposure of his crimes would "ruin my whole life."

You mean like how you happily ruin others lives for profit by exposing nude photos. No matter big a moron they are for keeping that on a phone account you are filthy piece of shit that deserves to have their life ruined for the damage you do all in the name of personal profit.

Re:

[ShanghaiBill]

You mean like how you happily ruin others lives

I have no sympathy for this scumbag, but it is not true that he ruined the lives of others. The young women were blissfully unaware that their photos had been exposed until investigators informed them. Their lives were unaffected, not "ruined".

Re:

[Anonymous Coward]

The damage doesn't have to be now or even obvious. maybe in 5 years they go for a job yet mysteriously get rejected early in the process because someone in HR has found their nude photos, or perhaps it is their children at school in later years that finds it or worse the other children in the school their children go to. This is not something that can ever be undone and whether it causes damage now or later the potential is their for the rest of their lives.

Juat a giggle until rejected for a job

[aberglas]

Indeed. The problem is corporate reactions. And that person in HR used AI search to find the nudes.

Indeed, it may not even be a person in HR. The initial CV scan just automatically searched for nudes of applicants. And not even that. Corporate HR employs a background checking service that simply reports "bad character" with no further details, and the application is rejected.

While women would certainly be annoyed at having nudes they took published, it is most unlikely to directly ruin any lives. Even

Re:

[Anonymous Coward]

really depends on where you live, the community you are in and your employment. consequences range from a giggle to a potential death sentence and everything inbetween.

Re:Juat a giggle until rejected for a job

[AmiMoJo]

Most people would find it quite distressing to know that intimate photos of them were shared with strangers, and people they know and work with.

Re: Juat a giggle until rejected for a job

[reanjr]

Most people also shouldn't take nude photos of themselves and then sync it to iCloud.

Re:

[apocalyptic_mystic]

While women would certainly be annoyed at having nudes they took published, it is most unlikely to directly ruin any lives. Even if work colleagues found out about them, they would have a giggle at the woman's expense, but hardly ruinous.

Not necessarily. It depends on the person. Some people could shrug this sort of thing off and move on, other people could end up with PTSD over this and potentially end up committing suicide because of it. So yes, it could potentially be quite ruinous.

Re:hope you get the book throw at you

[stephanruby]

The young women were blissfully unaware that their photos had been exposed until investigators informed them. Their lives were unaffected, not "ruined".

Some were unaffected. The keyword here is "some".

Out of 306 victims, 200 of which were targeted because someone paid to have those accounts accessed. I'll bet some of those women were affected. After all, who would pay to access their account? Stalkers? Ex-boyfriends? Peeping toms? Celebrity stalkers? We don't know.

And then, there are women who may have shared some of those images with their significant other (or shared their PIN with them). That means that if they saw those images appear online, they might have suspected their partner, or ex-partner.

You really underestimate the impact to women

[Somervillain]

The young women were blissfully unaware that their photos had been exposed until investigators informed them. Their lives were unaffected, not "ruined".

As someone else already pointed out, what if the photos are shared with their kids' classmates? What if they were posted publicly and word go out around their office? Ask your wife or last girlfriend how she'd feel if photos were shared in her office of her blowing you?

It doesn't matter what you or I think. Their privacy was violated. I will bet the impact to them is much greater than you or I realize. I personally love my dick and think it looks nice. I wish I had more opportunity to show it off...maybe you feel the same way...but few women think like I do. No matter how harmless or hot you may think these photos are, these women are probably deeply embarrassed and feel vulnerability you and I will never understand.

There are also many famous news stories about women who were fired after nudes were leaked, often by exes without their consent. I remember stories about court cases involving this going back to the 90s and even a very recent one about a mechanic who was fired because a coworker discovered she had an OnlyFans page and the dealership thought she was "too distracting" and fired her...for what she does in her personal time and never mentioned once in the office, nor was linked to her employer in anyway...because her male coworkers couldn't stop sexually harassing her once they saw her tits online.

But even if your workplace is supportive, will this still be online in 5 years? What if she's a teacher? She has to wonder if every creepy smile from a student or even a dad is related to them seeing her naked. Same thing with any public-facing job: real estate, sales, just being a clerk at the store. I assure you that if your kid's teacher had nude pics online, a large percentage of the moms would get really angry. I am not sure why, but they're unusually threatened by that.

This happened to a friend of mine. She has a distinctive face and tattoos. Her boyfriend uploaded pics of her to a porn site blowing and fucking him and apparently she was pretty popular. She was only 18 when the pics were taken and they were uploaded without her consent, like a year after she broke up with him. She got harassed constantly, once even in front of me, like 3 years after they were taken down. It made her life miserable and the guy never faced any consequences...this was long before "revenge porn" was in the lexicon. I still see her pics sometimes in random searches, now 15 years later. The original site shut down long ago, but the pics live on in file sharing services or just various scam sites that redistribute porn without permission under sketchy URLs.

It's slut shaming, not cancel culture.

[Somervillain]

Violating the unwritten moral code of your employer has been well established as a cause for firing by the SJW left. It's just because she's a woman and one of the chosen victim groups that you're even defending her.

You're complaining about capitalism, comrade. Cancel culture isn't really a thing in the real world. The famous firings all involved actual written rules, in a contract. Lookup morality clause. However, the only question asked and that matters is "is he/she good for business?"

Most famous cases of "cancel culture" involve money. Kevin Spacey molesting underage boys...hurts ticket sales for your movies. Gina Carano thinking she's like a holocaust victim on Twitter, risks the future of a billion doll

and...

[fulldecent]

Meanwhile, 17 Apple employees that did the same exact thing were not found and did not get prosecuted.

And in other news, Apple tricks over one billion people to upload their private photos without encryption to Apple.

Re:

[ByTor-2112]

Yeah, really. And I guess I'm a dinosaur or something but 306 victims and 620k photos? Jeez, do people you photograph and save every single event in your life?

Also, awesome signature.

Re:

[Oligonicella]

Right in the summary:

A Los Angeles County man broke into thousands of Apple iCloud accounts and collected more than 620,000 private photos and videos in a plot to steal and share images of nude young women,

That 306 probably refers to the people with compromizing shots.

Re:

[ByTor-2112]

I guess, but the first "thousands" sounded like hyperbole to me.

Re:

[EvilSS]

Yeah, really. And I guess I'm a dinosaur or something but 306 victims and 620k photos? Jeez, do people you photograph and save every single event in your life? Also, awesome signature.

Well to be fair 310K of those were accidental screen shots.

Re:

[fulldecent]

Sadly, when you double-accidental screenshot, the second one doesn't include the pop-up on the first one.

I hope these words suffice for what I'm describing because I literally can't show you. lol

Re:

[fermion]

How does Apple trick people into taking off their clothes and taking pictures of each other? Does Apple trick people into using insecure password and avoid two factor authorization. I have to authorize login with another device. Did Apple trick people into supplying passwords to random people on the phone, or does every major corporations tell people not to do this. It is like every email says to ot to supply the code to anyone, even though we hear stories of all someoneâ(TM)s money being stolen beca

Re:

[fulldecent]

It tricks you by giving you a default "yes" button which it uses dark patterns to you trick you into pressing. And that button is iCloud and it uploads all your photos from past present and future for Apple to have in unencrypted format.

Yes, Apple tricks you into having an insecure password and not two-factor auth. It does this by A) requiring you to type in your password every time you buy something, rather than using autosave like every other app (unless using biometrics); B) by making two-factor auth ann

Re:

[Anonymous Coward]

you are so fucking stupid and nothing you wrote is correct or true.

Re:

[fulldecent]

So in your world:

- Constant nags to set up iCloud is not a dark pattern
- Apple encrypts your photos with end-to-end encryption (i.e. the Fappening didn't happen)
- Apple accounts are only secured with strong passkeys like your FileVault 2 key or your Bitcoin wallet
- Everybody poops without taking off their pants
- When people buy a phone they think "this is an 1984 device, I should never do anything private near it"

Re: and...

[VeryFluffyBunny]

Sensible caution & expectations of privacy on the part of users interferes with corporate profits. As long as this is true, we will continue to see stories like this. I think Apple's corporate lawyers are mostly worried about being properly regulated since they no doubt host a lot of pornographic material, including child porn made by school children.

Re: and...

[gnasher719]

Where does that information about 17 Apple engineers come from? The same source as your Covid vaccine information? Link to a reliable source or you made it up.

Re:

[fulldecent]

17 is an approximate figure.

My source is common sense and related facts.

NSA employees have access to most everybody's emails and phone records on Earth. And they admitted to several cases of employees snooping on lovers https://www.cnet.com/news/nsa-... [cnet.com]

Apple has much more private information available, unencrypted, in its iCloud system. So naturally there at least that many people at Apple tempted to spy on at least their lovers.

Re:

[Oligonicella]

Fraud leading to theft will net you theft charges as well as fraud.

Re:

[K. S. Kyosuke]

Technically it's not stealing/theft either unless he deleted the originals so that the original owners were deprived of their posession. It's copyright infringement.

Re:

[Oligonicella]

I doubt you're correct. I'll happily let a judge/jury decide his fate. It's also copyright infringement. Those are not mutually exclusive.

Re:

[Aighearach]

It is completely, absolutely correct that theft requires that the victim be deprived of something.

You can "steal" trade secrets, because after having done so, they no longer have their "secrets." The secrets are gone.

Here, it isn't theft, it is a bunch of other crimes with the main one being, "conspiracy to gain unauthorized access to a computer."

Re:

[Oligonicella]

Identity theft does not deprive the victim of their identity.

Re:

[Aighearach]

The term "identity theft" is hyperbole, though.

And you can think through each example to find out if deprived the victim of something. Only credit theft fits the definition of theft, because I will no longer have my credit score if you impersonate me to use that.

Usually, "identity theft" is actually fraud. Not theft. And theft of the items the person ends up with, because the store no longer has those items, and the payments are likely to be reversed.

Re:

[K. S. Kyosuke]

Theft is the taking of another person's property or services without that person's permission or consent with the intent to deprive the rightful owner of it. [wikipedia.org]

Re:

[K. S. Kyosuke]

No, not really.

Re: Technically he did not steal the photos

[gnasher719]

Technically punching you in the face and ripping your ears off is not stealing unless they take your ears away.

Re:

[MacMann]

...since they gave him their passwords.

When can we get beyond passwords for logging in so this ends? I know why we started with passwords but we can move beyond them now. Fingerprints, facial recognition, pseudorandom number generators, and so many other means to secure accounts are available now that stealing passwords should be history.

I've had people ask me why a high tech person like myself won't do online banking. I won't do it because I've seen how lax they are on security. When the banks start giving out pseudorandom number keychains

Start getting rid of passwords with WebAuthn

[raymorris]

> When can we get beyond passwords for logging in so this ends? I know why we started with passwords but we can move beyond them now.

You can begin the transition away from passwords right now.
Well, hopefully you've already switched to passphrases, but that's almost the same. There are two ways to start going password-free.

WebAuthn is the new suite of protocols to get rid of passwords. It allows you to choose your authenticator, so you can use biometric + a hardware key or whatever you choose.

Currently, W

I feel like

[dicobalt]

All users should be required to take a best practices security test before being allowed to use an internet connected device. Sort of like a driver's license. A car being driven incorrectly can cause significant damage, but the same goes for internet connected devices. Simple things like never ever ever tell anyone your password. Don't open attachments unless you expected to receive them or if they have multiple file type extensions. Simple stuff, and users should also demonstrate a knowledge of the consequ

A solution exists: ICDL

[Qbertino]

International Certification of Digital Literacy (ICDL) [icdleurope.org]

Should be a basic requirement for non-trivial use of digital devices and services.

oh noez

[backslashdot]

Why should anyone care about his life getting ruined when he tried to or succeeded in ruining other people's lives? He has no empathy for others, yet expects a bunch when he's in a predicament.

It's the 'Murikan way!

[Thud457]

this perp doesn't want empathy, he wants to be shielded from the consequences of his bad actions.

Sigh! Hackers these days . . .

[godel_56]

Investigators soon discovered that a log-in to the victim's iCloud account had come from an internet address at Chi's house in La Puente, Bossone said.

Smart enough to rip people off, not smart enough to use a VPN or Tor.

620K

[Anachronous Coward]

should be enough for anyone.

I guess Apple really only cares what you upload.

[bobstreo]

Downloads, not so much.

Downloads probably aren't "scanned" for "inappropriate" content either.

So it goes.

"Without Apple Noticing"?

[Petersko]

He didn't break in. He phished his way in on such a small scale I wouldn't expect Apple to notice. If they had, and had initiated any response, the false positives would be incredibly annoying for the innocent.

Re:

[AmiMoJo]

Apple seems to make very little effort to secure customer accounts. If you don't have 2FA set up on Google they bug you about it until you relent, and you get multiple notifications (every Android device and email and SMS if you registered your number) when a new machine logs in for the first time.

Apple seems happy with just an email address and password, and doesn't even seem to enforce minimum standards for password complexity.

Re:

[LenKagetsu]

Minimum password complexity is the responsibility of the user.

Re:

[AmiMoJo]

I'm sure Apple would agree, which is the problem. They built a service that contains all your private data, heavily marketed it, and then made only the most superficial attempt to secure it.

Re:

[Petersko]

You hypothesize a sub-scenario based on an assumption, and then ask me to defeat it ("He probably"), as if that would defeat the whole argument.

https://en.wikipedia.org/wiki/... [wikipedia.org]

fear exposure of crimes would ruin his whole life

[Oligonicella]

I hope it does fucker.

Re:

[Ostracus]

Wasn't the wide availability of porn suppose to reduce stuff like this from happening?

Re:

[K. S. Kyosuke]

Yes, but he's clearly just prepping for the upcoming demise of OnlyFans.

Re:

[Aighearach]

They're not getting rid of nudity.

Re:

[Oligonicella]

These types have more at work than just wanting to see titties. My guess is they were searching for underage nudes.

Re:

[ByTor-2112]

Apple will soon fix all that.

620K?

[ItsJustAPseudonym]

620K ought to be enough for anybody.

nude young women? yeah, right.

[PinkyGigglebrain]

"... in a plot to steal and share images of nude young women,

That was what he told the police.

What he really wanted was to find images of nude old men.

Can we get a drill sgt in here?

[LenKagetsu]

Apple customer support staff in emails that tricked unsuspecting victims into providing him with their Apple IDs and passwords

People are told, repeatedly, "We will not ask for your password", everyone is told "Do not give out your password". It says on the fucking site "Never provide your password, security questions, verification codes, recovery key, or any other account security details to anyone else. Apple will never ask you for this information." [apple.com]

People who give out their passwords should be treated to a recreation of the footlocker scene from Full Metal Jacket and the subsequent ass-beating.

Nothing to see here...

[ZorinLynx]

>he impersonated Apple customer support staff in emails that tricked unsuspecting victims into providing him with their Apple IDs and passwords

All the security in the world won't help if you hand your keys to the first moron who comes along claiming he's a locksmith.

Re:

[Solandri]

While I agree people need to be careful, user vigilance is not sufficient.

• You know those phishing emails which say there's a problem with your eBay account, please click this link and login to fix it? Only an idiot would fall for those, right? Well I'm pretty vigilant, and I fell for it. How? Because I got one of them within minutes of winning a bid on eBay, and it blended in with the other eBay notifications I got saying I'd won, and what I had to do next. The phishing email said there was a problem wit

Repeat offender

[wildazndude]

It appears this isn't Hao Kuo Chi's first time with committing a computer-related crime. https://www.latimes.com/archiv... [latimes.com]