Individual charged with breaking into thousands of iCloud accounts to try and find explicit photos of women

Apple bills iCloud as a safe place to store a user’s digital footprint, from documents to files to just about everything else that can be stored in the cloud. However, some folks out there in the wild will do just about anything to find personal, revealing photos of others. Like one man who has apparently broken into thousands of iCloud accounts on the hunt for explicit photos.

And while Apple’s software offers plenty of security to help boost user privacy, sometimes the nefarious individuals (or groups) find a way through. In a new report today from The Los Angeles Times, one man identified as Hao Kuo Chi, a 40-year-old man from La Puente, California, has agreed to plead guilty to four different felony charges. One of those charges includes conspiracy to gain unauthorized access to a computer.

Which certainly makes sense, because according to the report, Kuo Chi broke into “thousands” of iCloud accounts and stole a whopping 620,000 private photos and videos while searching for explicit photos of women.

iCloud Login Screen Web

To make it happen, Kuo Chi, who goes by David, apparently acted as Apple Support in emails to unsuspected individuals. In the email chains, it’s revealed that David was able to get Apple IDs and passwords from quite a few people while on his spree, which allowed him access to the iCloud accounts.

From the original report:

Chi, who goes by David, admitted that he impersonated Apple customer support staff in emails that tricked unsuspecting victims into providing him with their Apple IDs and passwords, according to court records.

He gained unauthorized access to photos and videos of at least 306 victims across the nation, most of them young women, he acknowledged in his plea agreement with federal prosecutors in Tampa, Fla.

Things get interesting when David admits that he hacked into the accounts of around 200 people at the request of people he met online. While speaking with those people online, David went by another name: “icloudripper4you,” and told people he could hack into iCloud Photo libraries to steal photos and videos, court documents revealed.

David wasn’t alone in all of the actions, either:

Chi acknowledged in court papers that he and his unnamed co-conspirators used a foreign encrypted email service to communicate with each other anonymously. When they came across nude photos and videos stored in victims’ iCloud accounts, they called them ‘wins,’ which they collected and shared with one another.

Kuo Chi says that he’s not aware of the names of the other people who were helping him in some instances.

As noted in the original report, this is not the best time for Apple’s name, or the iCloud Photos library, to be wrapped up in any kind of scandal. Apple recently unveiled a brand new suite of features for iOS, macOS, iPadOS, and watchOS that are designed to help stop child sexual abuse. However, one of those features, the ability to scan each iOS user’s iCloud Photo library, has been met with plenty of pushback to which Apple has gone out of its way to defend.

Now, what Kuo Chi did and this feature are not related by any means, and that should be reinforced. While Kuo Chi did hack into some accounts, the majority of his efforts went into acquiring Apple IDs and passwords directly from users. So it should be said here: do not hand over your Apple ID and/or password to anyone via email, not even to an account that looks like an official Apple Support account.

Especially not when the email account looks like this: “applebackupicloud,” which is one of the Gmail accounts Kuo Chi used:

In court papers, the FBI identified two Gmail addresses that Chi used to lure victims into changing their iCloud sign-on information: ‘applebackupicloud’ and ‘backupagenticloud.’ The FBI said it found more than 500,000 emails in the two accounts, including about 4,700 with iCloud user IDs and passwords that were sent to Chi.

Chi’s conspirators would request that he hack a certain iCloud account, and he would respond with a Dropbox link, according to a court statement by FBI agent Anthony Bossone, who works on cybercrime cases.

And this all happened some years ago, too. Apparently everything started to fall apart back in 2018, when Kuo Chi hacked into the account of a public figure, acquired explicit photos, and then those photos were published to some website. The Federal Bureau of Investigation (FBI) launched an investigation and discovered Kuo Chi’s involvement.

Kuo Chi has gone on record as saying he’s “remorseful” for what he did.