Hacker Sentenced After Stealing Naked Photos from iCloud Accounts

 A man in California stole more than 620,000 personal photos and videos by perpetrating a scam using social engineering tactics.

What Happened?

A California man, Hao Kou Chi (40 years old), pleaded guilty to three counts of gaining unauthorized access to a computer and one count of conspiracy. Each of his crimes is a felony under California law.

The man impersonated an Apple customer support technician and used social engineering through a phishing email campaign to trick people out of their credentials and gain access to their iCloud accounts. The man’s goal was to steal and share nude photos of women victims.

Threatpost commented that “Chi admitted to marketing himself as a hacker-for-hire that could break into iCloud accounts using the moniker “icloudripper4you.” He then would dupe people into giving up their Apple IDs and passwords so he could steal photos from where they were stored in the cloud on Apple servers.”

The Risks of Storing Private Photos in Cloud Servers

Anyone who stores private photos on cloud servers runs the risk of exposure or theft. Hackers are gaining access to even the most secure government agencies and companies with increased cybersecurity. Reports of cloud servers being exploited hits the news daily.

With bad actors using sophisticated social engineering tactics, storing private, sensitive data on cloud servers is becoming more dangerous all the time.

Threatpost also comments on Apple’s recent announcement to scan photos for child abuse.

“The case also raises new questions about a recent disclosure by Apple of its planned rollout of a feature aimed at detecting child sexual abuse material (CSAM) images stored in iCloud Photos, which already is being criticized by privacy groups like the Electronic Frontier Foundation for the security hole it opens up.”

Essentially, opening up a backdoor for scanning images negates the idea of end-to-end encryption and total privacy. Threatpost continues, “This could open iCloud for more potential security risks, experts said.”

The scary part about this case is Chi didn’t use any vulnerabilities within the system; he simply registered two Gmail accounts that appeared legitimate to victims and convinced them to give him their credentials. According to the FBI, his email accounts were “applebackupicloud” and “backupagenticloud.”

The FBI discovered more than 500,000 emails in the two email accounts, with 4,700 of them containing usernames and passwords that users had willingly handed over to him.

Threatpost details his exploits “Once he had the credentials, Chi would break into the iCloud account of a particular account holder at the request of whoever hired him for the job. The parties used Dropbox to exchange photos, with Chi’s Dropbox account including about 620,000 photos and 9,000 videos that were organized based on whether they contained nude images, according to FBI agent Anthony Bossone, the LA Times reported.”

How Was Chi Caught?

Chi’s scam was discovered in March 2018 when a company that removes celebrity photos from the internet notified a famous person that their images showed up on pornographic websites. The celebrity had stored the images on their iPhone and then backed them up to the iCloud and was caught in Chi’s scam.

Threatpost explains, “Eventually, investigators tracked the log-in to the victim’s iCloud account to an internet address at Chi’s house in La Puente, Calif., according to the FBI. The bureau built a case against Chi by using records obtained from Dropbox, Google, Apple, Facebook, and Charter Communications, according to the report.”

After obtaining a warrant, the FBI raided Chi’s house discovering thousands of stolen photos along with other evidence.

Chi has agreed to plead guilty to all of the charges and faces five years in federal prison for each of the four offenses.