Turkish Crime Family hackers claim 'victory' in iCloud ransom threats

News by Max Metzger

New questions emerge as the Turkish Crime Family shows off a bitcoin wallet with what it claims is the fruit of a ransom campaign on Apple.

April 7th has come and gone, but what of the several hundred million iCloud accounts that were supposed to be wiped? Has Apple paid the upstart hacker group known as the Turkish Crime Family?

The group has posted the address of a bitcoin wallet showing hundreds of bitcoins deposited on the evening of the deadline. As of yet there has been no news of wiped iCloud accounts, leaving many wondering whether Apple actually paid the ransom.

It was only a few weeks ago that a group calling itself the Turkish Crime Family announced that it was in possession of the credentials of hundreds of millions of iCloud accounts, which it would wipe if Apple did not pay up.

Apple later told SC that it had not been breached and that “The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.”

Many speculated that instead of breaching Apple and getting access to hundreds of millions of Apple accounts on its own, the Turkish Crime Family had collected password and username combinations from other big breaches. It had taken those combinations and, given the proliferation of password reuse, launched them at iCloud accounts to see what stuck.

Adding to that theory was Australian security researcher and creator of haveibeenpwned.com, Troy Hunt, whose research into the available data showed that 98 percent of the email addresses corresponded to those stolen in previous breaches such as MySpace, Lastfm and LinkedIn.

The threats were often considered more light than heat as the group replaced its spokesperson and struggled to get a consistent message out to the public. 

John Bambenek, threat systems manager at Fidelis Cybersecurity, told SC, “The current threat has all the hallmarks of a stunt. If they really have the ability to wipe iPhones then they would have wiped a few already as ‘proof of life’. There are always people who make unfounded threats to organisations in the hope of an easy payday.”

After struggling to get its story straight about exactly how many accounts could be wiped and exactly how much the ransom was, the group decided on a final ransom of US$400,000 (£322,760) to be paid by 7 April 2017 into this bitcoin wallet.

While a Turkish Crime Family spokesperson told SC that the funds might take a while to transfer, no funds appeared in that wallet. A separate wallet posted by the Family showed a payment of 401.731 bitcoin (£393,058) paid in the early evening of 7 April.

So did Apple pay the ransom? As of this writing, SC has not detected any reports of wiped iCloud accounts.

Many reacted with disbelief, not quite accepting that a company as prestigious as Apple would kowtow to the threats of a previously obscure group of hackers.

The Family claimed on Twitter that it had used a tumbler to obfuscate the origin of the payments, meaning that if Apple had paid the ransom it could not be traced back to the tech giant.

Apple has not yet responded to SC's request for comment.
