Man pleads guilty to stealing naked photos from iCloud accounts

Posted:
in iCloud edited August 2021
A man in Los Angeles County stole more than 620,000 photographs and videos from thousands of iCloud accounts with the intent to steal nudes -- some of which ultimately ended up on porn websites.




Hao Ku Chi of La Puente, California, agreed to plead guilty to a total of four felonies, relating to intrusions into thousands of iCloud accounts owned by victims. The plot was to acquire images of naked women to share with co-conspirators.

The man impersonated a member of Apple customer support staff in emails, The Los Angeles Times reports, in a bid to trick victims into handing over their Apple IDs and passwords.

The plan worked for at least 306 victims across the United States. Chi performed around 200 of the hacks at the request of others, as he marketed himself in forums as someone who could get into iCloud accounts under the name "icloudripper4you."

Chi used a pair of Gmail addresses used against victims, including "applebackupicloud" and "backupagenticloud." Those accounts contained more than 500,000 emails, complete with 4,700 user IDs and passwords.

Requests made to Chi stated the name of an iCloud account to hack, which he would respond using a Dropbox link. The online storage was said to include 620,000 photographs and 9,000 videos organized based on whether they contained a "win," namely nude images.

The activity was discovered in March 2018, after a company that specializes in removing celebrity photographs from adult websites advised an unknown public figure of the presence of the images. The photos were stored on an iPhone and backed up to iCloud, but not distributed.

The incident resulted in a police investigation, determining a log-in to the account had been made at Chi's house. A search warrant on May 19 resulted in a large collection of other items acquired by Chi from various services.

Chi agreed to plead guilty on August 5 to one count of conspiracy and three counts of gaining unauthorized access to a protected computer. For each count, he faces up to five years in prison.

"I don't even know who was involved," said Chi in a brief phone interview.

He was also worried the publication of his crimes would "ruin my whole life," claiming "I'm remorseful for what I did, but I have a family"

This is not the first time that nude photographs have been illegally pulled from iCloud. In 2016, a man was charged for hacking iCloud and Google storage accounts owned by dozens of celebrities, via an elaborate phishing scheme.

In 2019, a hacker who took part in the "Celebgate" hack, again using phishing to access online accounts of celebrities, was sentenced to almost three years in prison.

Read on AppleInsider

Comments

  • Reply 1 of 15
    crowleycrowley Posts: 10,453member
    I think anyone who responds to being held to account for their wrongdoing with "but I have a family" should get a charge of emotional blackmail added to their rap sheet and have an extra 5 years added to their sentence.  Utter scumbag.
    slow n easylkruppbuttesilverronnllamarandominternetpersonwatto_cobra
  • Reply 2 of 15
    So we have proof that iCloud accounts can and have been hacked.

    I suppose if someone hacked an iCloud account they could easily put illegal material in that hacked account too… 
  • Reply 3 of 15
    No. We have confirmation people aren’t careful enough about who they hand over their iCloud login info to. This isn’t hacking. It’s phishing. 
    joltguyslow n easypulseimagesStrangeDaysurashidbuttesilverronngregoriusmllamarandominternetperson
  • Reply 4 of 15
    crowleycrowley Posts: 10,453member
    aderutter said:
    So we have proof that iCloud accounts can and have been hacked.

    I suppose if someone hacked an iCloud account they could easily put illegal material in that hacked account too… 
    This was phishing, not hacking.  And I assume Apple would keep a record of what device a photo was uploaded from and had performed the CSAM check, so it would be easy to prove that it wasn't you.

    Plus, it's a pretty ridiculous length for a person to go to, to phish your password, set up a new iPhone using those credentials (which I believe sends an alert to your other devices anyway), and then add bunch of child abuse photos, which they'd have to source from somewhere.  All for something which is easily disprovable.  

    Your enemies would have to be both very determined and a bit dim.
    StrangeDaysbuttesilverronnllamarandominternetpersonFileMakerFellerwatto_cobra
  • Reply 5 of 15
    Too bad most of the media tends to report phishing and stolen passwords as hacks. It is very, very different: this here is password hijacking, and not breaking and entering.

    ronnbaconstangwatto_cobra
  • Reply 6 of 15
    "I'm remorseful for what I did, but I have a family" 

    Gee. What a Karen. Steals peoples intimate photos, but he's the victim. 

    I totally read this in R Slash's Karen Voice. 

    StrangeDaysbuttesilverwatto_cobra
  • Reply 7 of 15
    Technically it's phishing but in reality there is a better word: stupidity. These days everybody needs to know that no legitimate business representative would ever ask for your password, especially via email.

    Now I need to get back to work, there is a Nigerian Prince that needs a small favor...
    tokyojimuFileMakerFellerbaconstangwatto_cobra
  • Reply 8 of 15
    sflocalsflocal Posts: 6,123member
    aderutter said:
    So we have proof that iCloud accounts can and have been hacked.

    I suppose if someone hacked an iCloud account they could easily put illegal material in that hacked account too… 
    Stop making stuff up.  There is zero proof.

    This was social engineering.  Individuals were tricked into giving up their passwords.  There was no systemic breach of Apple's servers.
    Phishing is a problem that is prevalent regardless of platform.
    buttesilverronngregoriusmfastasleepwatto_cobra
  • Reply 9 of 15
    aderutter said:
    So we have proof that iCloud accounts can and have been hacked.

    I suppose if someone hacked an iCloud account they could easily put illegal material in that hacked account too… 
    He used a spear phishing attack which will work with any service, given a gullible enough user.
    edited August 2021 ronnfastasleepwatto_cobra
  • Reply 10 of 15
    What if he had done the opposite and uploaded illegal photos to those iCloud accounts? Would Apple's new warrantless searches get those users in trouble with law enforcement? You know it would. Any kind of automated system implemented by a company with zero experience implementing such a system will have unintended consequences. Apple is not competent to implement a terrible idea like this one.
    baconstang
  • Reply 11 of 15
    What if he had done the opposite and uploaded illegal photos to those iCloud accounts? Would Apple's new warrantless searches get those users in trouble with law enforcement? You know it would. Any kind of automated system implemented by a company with zero experience implementing such a system will have unintended consequences. Apple is not competent to implement a terrible idea like this one.
    And anyone making blanket comments about a system he clearly misunderstands will post false information on Internet forums.  Go read the part where the scanning would be done on the device, not on the server. Then think about what such an alert would look like if a single device were used to access dozens (or more) iCloud accounts. The person owning the iCloud accounts with no association with the device in question or the phone number or the IP address would not be the one "in trouble."
    FileMakerFellerronnwatto_cobra
  • Reply 12 of 15
    mcdavemcdave Posts: 1,927member
    Let’s hope unstealing CSAM images isn’t so easy.
    baconstang
  • Reply 13 of 15
    Many web sites ask user to change password after a certain period of time. Apple iCloud does not do this. Apple should institute a program to monitor iCloud activity, If it detects some activity is suspicious, Apple should ask user to change password. Many celebrity will not change password frequently. They may not aware what iCloud is doing at all. LOL
    baconstang
  • Reply 14 of 15
    swat671swat671 Posts: 154member
    I'm not one to victim blame, but I think I'll make an exception in this case. Come on, folks! This is the oldest tick in the book. NEVER GIVE OUT YOUR PASSWORD TO AN UNSOLICITED EMAIL!!!! In this case, the morons got what they deserved. Seesh. 
    baconstangwatto_cobra
  • Reply 15 of 15
    fastasleepfastasleep Posts: 6,452member
    What if he had done the opposite and uploaded illegal photos to those iCloud accounts? Would Apple's new warrantless searches get those users in trouble with law enforcement? You know it would. Any kind of automated system implemented by a company with zero experience implementing such a system will have unintended consequences. Apple is not competent to implement a terrible idea like this one.
    Hurr durr the FBI and Apple are stupid. WHAT IF indeed.
    ronnwatto_cobra
Sign In or Register to comment.