An Email Scammer Stole 620K Photos From iCloud Accounts

The phishing attackers stole more than 620,000 photos and 9,000 videos, all while avoiding Apple's security measures.

A California man has pled guilty to impersonating iCloud customer support over email in order to gain access to thousands of accounts.

He stole more than 620,000 photos and 9,000 videos, stopping in mid-2018 after FBI investigators raided his house. His motive: Stealing and sharing images of nude women, hosted on his Dropbox account.

The upsetting incident is a reminder that Apple security can’t account for phishing attempts.

How the Scam Worked

Notably, this was not a hack or a data breach. Apple’s security never failed, and Apple didn’t know their customers’ private information was being stolen. Instead, it was a phishing scheme: The man, 40-year-old Hao Kuo Chi, worked with his still-unnamed co-conspirators to send emails intended to lure victims into revealing their Apple ID login passwords.

The Los Angeles Times broke the story, working with information from federal authorities, court documents, and the FBI investigation. Chi created Gmail addresses to pretend to be an Apple customer support representative: Two examples from the FBI were “applebackupicloud” and “backupagenticloud.”

These two accounts held more than 500,000 emails, according to the FBI, 4,700 of which included iCloud user IDs and passwords.

The Consequences

Chi has pled guilty to four federal charges: One count of conspiracy and three counts of gaining unauthorized access to a protected computer. Each count could add five years to his sentence.

He fears public exposure of his crimes would “ruin my whole life,” as he told the LA Times, saying, “I’m remorseful for what I did, but I have a family.” Most people would argue that committing federal crimes is what would ruin his life, rather than the exposure of them.

While Chi is facing justice, the rest of his co-conspirators aren’t, and other phishers remain out there. This entire story is a reminder of how misogyny overlaps with cybercrime to stomach-churning results. How can you stay safe from phishing attacks?

Avoiding Phishers

There are a few general pointers that anyone can watch out for when trying to dodge phishing attempts from their email inbox, the internet, or even a phone call.

  • Check for spelling errors — Email addresses are tough to fake (you’ll never get an Apple support email with a Gmail address, for example), and many phishers rely on users not reading very closely. They’ll substitute a 1 for an I or a “rn” for an “m.”
  • Check your email history — if it’s really an email from Apple support, you’ll likely have dozens of earlier emails about routine check-ins. If it’s a phisher, you won’t have that history.
  • Consider if the phisher is trying to scare you — People can fall for a scam when they’re in a heightened emotional state. That’s part of why the pandemic has seen a rise in scammers, and it’s why those automated phone calls are constantly telling you that your car warranty is expiring. They don’t want you to think twice about verifying them before you act.
  • Get a good password manager — Many top password management tools will flag a suspicious website, and if it’s a fake site masquerading as one you’ve already used, the password manager won’t auto-load your password for it. We’ve ranked the top options over here, as well as the best picks for Macs or iPhones.
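
The first tip can also be automated. The following Python sketch is an added example, not part of the original article and not any mail provider's actual filter: it flags sender addresses that put a brand name on a free-mail account (the pattern of the Gmail accounts the FBI cited) or hide one behind lookalike characters. The keyword, domain and lookalike lists and the sample addresses are assumptions chosen for illustration.

```python
"""Sender-address triage for brand-impersonation phishing (illustrative sketch)."""

# Assumed, illustrative lists; tune them for the brands and mail you actually see.
BRAND_KEYWORDS = ("apple", "icloud")
BRAND_DOMAINS = ("apple.com", "icloud.com")
FREEMAIL_DOMAINS = ("gmail.com", "outlook.com", "yahoo.com")
# Lookalike swaps named in the article ("1" for "I", "rn" for "m"), plus
# "1" for "l" and "0" for "o" as further assumed examples.
LOOKALIKES = (("rn", "m"), ("1", "l"), ("1", "i"), ("0", "o"))


def variants(text):
    """Return text plus the spellings it may be imitating."""
    out = {text.lower()}
    for fake, real in LOOKALIKES:
        out |= {v.replace(fake, real) for v in out}
    return out


def brand_hit(part):
    """Return 'literal' or 'lookalike' if a brand keyword hides in part, else None."""
    if any(kw in part for kw in BRAND_KEYWORDS):
        return "literal"
    if any(kw in v for v in variants(part) for kw in BRAND_KEYWORDS):
        return "lookalike"
    return None


def check_sender(address):
    """Return a list of warning labels for one From: address."""
    local, _, domain = address.lower().rpartition("@")
    if any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS):
        return []  # real brand domain; SPF/DKIM/DMARC results still need checking
    warnings = []
    if brand_hit(local) and domain in FREEMAIL_DOMAINS:
        warnings.append("brand-name-on-freemail")
    hit = brand_hit(domain)
    if hit:
        warnings.append(hit + "-brand-in-foreign-domain")
    return warnings


if __name__ == "__main__":
    # Constructed samples; the first uses an account name quoted in the article.
    for sender in ("applebackupicloud@gmail.com", "support@app1e-id.example",
                   "help@1cloud-login.example", "noreply@email.apple.com",
                   "alice@example.org"):
        print(f"{sender:32} {check_sender(sender) or 'ok'}")
```

A clean result only means the address string looks plausible; the From: header itself can be forged, so a check like this complements sender authentication rather than replacing it.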

As always, stay on guard if you ever get an email asking for your login information to anything. No one wants to wind up losing data over an email they could have sent straight to their spam folder instead.


Written by:
Adam is a writer at Tech.co and has worked as a tech writer, blogger and copy editor for more than a decade. He was a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and his art history book on 1970s sci-fi, 'Worlds Beyond Time,' was a 2024 Locus Awards finalist. When not working on his next art collection, he's tracking the latest news on VPNs, POS systems, and the future of tech.