Fake Apple Rep Stole 620,000 Photos in iCloud Phishing Scam

A California man has pled guilty to four felonies for impersonating an Apple representative and breaking into numerous iCloud accounts in order to steal over 620,000 photos and 9,000 videos.

According to the Los Angeles Times, Hao Kuo Chi, 40, of La Puente, California stands accused by the FBI of gaining access to photos and videos of at least 306 victims while seeking nudes. He says that he hacked into 200 of those accounts at the request of people he met online. He marketed himself as able to hack into iCloud accounts to steal photos and after receiving a request to break into an account.

Chi, who goes by David, admitted to impersonating an Apple customer support representative in emails where would trick victims into providing him with their Apple IDs and passwords so that he could steal their photo and video libraries.

Through his scam, he was able to build a massive library of stolen photos and videos which he hosted on his personal DropBox account and organized by what he called “wins,” which were those that contained nude images or videos of women and would be shared among a group of unnamed co-conspirators.

The FBI was able to identify two email address that Chi used to lure victims into changing their iCloud passwords and found more than 500,000 emails in the two accounts, with about 4,700 of those with iCloud user IDs and passwords that were sent to him.

Chi’s conspirators would request that he hack a certain iCloud account, and he would respond with a Dropbox link, according to a court statement by FBI agent Anthony Bossone, who works on cybercrime cases.

In all cases, the photos were always stored on Apple’s secure servers, but Chi was able to gain access by getting his victims to hand over their login credentials. There was, therefore, no breach of Apple’s iCloud security systems.

Chi was eventually discovered in 2018 when he gained access to an unidentified celebrity’s iCloud and posted the images he gleaned onto a pornographic website. A California company that specializes in removing celebrity photos from the internet was able to determine that the images of the celebrity were uploaded from Chi’s house. The FBI was then able to get a search warrant and raided Chi’s home on May 19 of that year.

According to the Los Angeles Times report, by that point, the FBI had already gathered a clear picture of Chi’s actions online from records they obtained from Dropbox, Google, Apple, Facebook, and Charter Communications.

Chi faces up to five years in prison for each of the four crimes for which he stands accused: one count of conspiracy and three counts of gaining unauthorized access to a protected computer.


Image credits: Header photo licensed via Depositphotos.