As reported Tuesday by Motherboard, hackers that go under the code-name “Turkish Crime Family” have allegedly obtained, through unknown means, access to hundreds of millions of Apple email accounts, including iCloud inboxes with email addresses on @icloud and @me domains.

They’re threatening to remotely wipe iOS devices unless Apple pays a laughable ransom. It’s notable that iCloud has never been hacked into directly and other reasons make this story hard to swallow.

They’re demanding that Apple pay a ransom by April 7 in the form of:

  • Either $75,000 in cryptocurrencies Bitcoin or Ethereum;
  • Or $100,000 in iTunes Gift Cards.

If the Cupertino company does not comply with the request, the group says it’s going to reset the accounts and effectively wipe all data on the associated Apple devices.

Trying to apply pressure from the media to coerce payment from Apple, one of the hackers said: “I just want my money and thought this would be an interesting report that a lot of Apple customers would be interested in reading and hearing.”

The group originally shared a YouTube video allegedly proving they did hack into an elderly woman’s iCloud account. The video also demonstrated the ability to remotely wipe the devices, which is trivial when you have access to the underlying Apple IDs.

Subscribe to iDownloadBlog on YouTube

It was subsequently removed after a member of Apple’s security team turned down the ransom and requested that the video be taken offline. Here’s what an unnamed member of Apple’s security team apparently wrote back to the hackers a week ago:

We firstly kindly request you to remove the video that you have uploaded on your YouTube channel as it’s seeking unwanted attention.

Second of all, we would like you to know that we do not reward cyber criminals for breaking the law.

The alleged Apple team member warned the group that archived communications with them will be sent to the authorities. The Cupertino company had not publicly commented on the situation at the time of this writing, its usual modus operandi.

This is a laughable story, in my personal opinion.

Firstly, there are the inconsistencies.

The hackers originally said they held 300 million accounts for ransom. The figure later changed to 559 million accounts. Importantly, they did not provide Motherboard with a data cache of the supposedly stolen iCloud accounts to verify the claims.

The only piece of evidence they provided came in the form of alleged screenshots (images are easily faked, mind you) of the purported emails between the group and members of Apple’s security team.

“Motherboard only saw a screenshot of this message, and not the original,” states the article. For what it’s worth, the group did gave Motherboard temporary access to an email account allegedly used for communicating with Apple as proof.

The same email account was featured in the now-removed YouTube video.

If you had access to 300 million iCloud accounts, would you request only $75,000?

It’s safe to assume that some of the claimed accounts would have Apple’s two-factor authentication feature turned on. The problem is, Apple’s two-factor authentication servers have never been hacked directly on a mass scale. Leaks of compromising photos of celebrities from iCloud accounts? That was just smart social engineering.

I mean, you look at me with a straight face and tell me they compromised hundreds of millions of iCloud accounts belonging to unknown users via social engineering alone.

The laughable request for iTunes Gift Cards is also notable here. You don’t just issue serious threat like this and ask for a small amount of money while potentially giving Apple ample time to fix any vulnerabilities in iCloud systems.

If I were “Turkish Crime Family,” I’d first take ten million accounts offline so that Apple took me seriously before trying to extort the company, not for a paltry $75,000 but for a seven-figure sum. On the other hand, the reason they asked for a small amount of money could be hope that Apple would pay quickly and quietly.

TUTORIAL: How to protect your Apple ID with Two-Factor Authentication

As Seb commented, start asking for millions and you run the risk of Apple looking more deeply into it, potentially contacting the FBI (case in point: Apple’s aggressive reaction to the stolen iPhone 4 prototype in 2010). I’m not sure why Motherboard deemed this newsworthy and reliable enough to publish, but I’m not buying this story at all.

Are you? And should Apple cave in and pay, just in case?

Source: Motherboard

  • Like you said, it’s very dubious, but one important reason why they would be asking for such little money is pretty simple.

    If you start asking for millions, then you have the risk of Apple looking more deeply into it, contacting FBI, etc. Basically, lots of time and energy going into this.

    If you ask for a small amount, you’re hoping Apple will say “let’s pay quick and keep this quiet.”

    Now asking for $100k worth of iTunes gift card is just plain ridiculous.

    Likeliness these hackers really have something: low.
    Likeliness they’re trying to take Apple for a ride: pretty high.

  • Vince Reedy
    • The Zlatan

      Beat me to it

  • jailbreaker99

    Here is my opinion : if these hackers are legitimate, Why ask for the money in iTunes gift cards? If they can prove that they can hack into Apple, why do they need the money to buy stuff from Apple? I guess they could sell the gift cards, but wouldn’t Apple just deactivate the gift cards that they give to them?
    Also if these hackers are legitimate, I can see a reason why the number of accounts have changed : over time they have the potential to hack into more accounts but why not just hold the ransom at 300 million ? It still does not add up.

    • Digitalfeind

      iTunes gift cards can be sold. Whether digital or physical.

  • Many99

    I find it funny on how he says it “I just want my money”

    • nova12

      I’m guessing 90% of iDB is too young to know what I’m talking about when I say I WANT MY TWO DOLLARS.

  • Iskren Donev

    I know this would never happen, but I would love it if Apple decided to screw these guys over – give them the gift cards, wait until some cards are redeemed, then block all cards and finally use the redeemed cards to track the “crime family” down.

    • Digitalfeind

      They want gift cards to sell. Buying from iTunes or the AppStore is nothing. $100,000 worth of gift cards can be sold for around $80,000.

      • Iskren Donev

        I assume that they would sell them off. However Apple can still follow the thread from the end user who activates the gift card to the seller, to their seller and so on until they get to the hackers.

  • Michael

    Okay iCloud was never hacked but people are stupid enough to open emails containing keyloggers, so this is how they got the accounts

  • Stephen Hedger

    if you have 300 million accounts then why not buy apps with them or music! its a scare tactic that apple are laughing at. If they genuinely had this “power” then they would have wiped 1 million and said look what we can do. That would cause concern.

    why interests me is why go to apple? you could sell all that info to some dodgy chinese or russian hacking gang and get millions!

  • Ricky Williams

    I wouldn’t quickly dismiss that they have access to those accounts for the simple reason that there are a lot of gullible, I would use another word, users out there. Emails asking for Apple ID and password are the norm and with the large number of Apple users. Well it is possible to find enough people silly enough to click the link and enter their credentials. The rest of the story though throws a lot of shade. It gives Apple ample time to do a reset on all iCloud accounts “for the security of our users”. April 7th should be a very interesting day.

  • Keyan Fayaz

    Couldn’t they ask for more money to give a patch to the hack? Lol

  • John

    There not hackers. They have just compiled a list of stollen usernames and passwords that anyone can downlaod from tor or warez sites and think they have something special. Proper little n00bs.