The LA Times reported this week that Los Angeles man Hao Kuo “David” Chi has pleaded guilty to four federal felonies related to his attempts to steal and share nude photos of young women online. Chi collected more than 620,000 private photos and 9,000 videos from an unspecified number of victims in the US, most of whom were young and female.
“At least 306” victims
Chi’s plea deal with federal prosecutors in Tampa, Florida, recognized “at least 306” victims. This number may be significantly lower than the actual total, as the FBI found that about 4,700 of the 500,000 emails in two of Chi’s Gmail accounts, including applebackupicloud, contained iCloud credentials that Chi had tricked his victims into providing.
According to Chi, he selected about 200 of these victims based on online requests. Chi marketed his iCloud intrusion “services” under the nom de guerre icloudripper4you. His “customers” would identify an iCloud account to attack, after which Chi would use his sketchily named Gmail accounts to contact the victim, posing as an Apple service representative.
If the victim fell for Chi’s spearphishing attempt, Chi would use the victim’s own iCloud credentials to log into the service and store their photos and videos in Dropbox, then send the Dropbox link to his customers and/or co-conspirators.
According to court documents, Chi organized and stored the stolen media for personal use by himself and unnamed co-conspirators, and provided them to icloudripper4you “customers.” The phishing ring used an offshore-hosted encrypted email service to communicate anonymously. “I don’t even know who was involved,” Chi told the LA Times. The ring referred to nude photos and videos found in the stolen accounts as “wins,” which they shared.
FBI Agent Anthony Bossone told the court that Chi’s Dropbox account contained about 620,000 photos and 9,000 videos, organized in part by the presence or absence of “wins” in them.
An unsophisticated operation
Despite Chi’s use of “bulletproof” offshore encrypted email, his operation appears to have been rather artless: he relied on his victims’ willingness to relinquish their iCloud credentials via email, and his scheme was unraveled more because of the fame of one victim than through any daring technical work.
In early 2018, one of Chi’s victims, an unnamed public figure in Tampa, where the case was eventually filed, discovered their own nudes on pornographic websites, courtesy of a California company that specializes in removing celebrity photos from the Internet. The nude photos had originally been stored on an iPhone, from which they were backed up to iCloud.
After this victim complained to the police, Chi’s scheme was easily unraveled: he had logged into the victim’s iCloud account directly from his own home in La Puente, California. By the time the FBI obtained a search warrant and raided his home in May, the agents already had a clear picture of Chi’s scheme thanks to subpoenaed data from Dropbox, Google, Apple, Facebook and Charter Communications.
On August 5, Chi pleaded guilty to one count of conspiracy and three counts of gaining unauthorized access to a protected computer. He faces up to five years in prison on each charge, but will almost certainly receive much less than that, both because of sentencing guidelines and because of the plea negotiations.
Stay sharp out there
It’s a shame Apple never noticed that a single man was accessing thousands of iCloud accounts, apparently directly from a single home IP address, on a service that doesn’t use carrier-grade NAT. It’s worth noting, though, that Chi’s predation, and that of many, many other phishers, relied entirely on the gullibility of its victims.
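As an added defender-side example (not code from the article, from Apple, or from any real log format), the check the paragraph above implies: over a constructed login log, flag any single source IP that successfully signs in to more than a handful of distinct accounts within a week, while exempting an assumed allowlist of shared-egress prefixes such as carrier-grade NAT so that legitimately shared addresses do not trip the rule.

```python
"""Constructed detection example (not the article's or Apple's code): flag
source IPs that successfully authenticate to many distinct accounts in a
short window, the pattern the article says went unnoticed."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed allowlist of shared-egress prefixes; 100.64.0.0/10 is the
# carrier-grade NAT range, where many subscribers legitimately share one IP.
SHARED_EGRESS = [ip_network("100.64.0.0/10")]


def parse_line(line):
    """Parse a constructed log line 'ts,src_ip,account,result'."""
    ts, src, acct, result = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "acct": acct, "ok": result == "success"}


def flag_many_accounts(lines, threshold=5, window=timedelta(days=7)):
    """Return {src_ip: sorted accounts} for every non-shared IP that logged
    into more than `threshold` distinct accounts within any `window`."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    per_ip = defaultdict(list)  # src -> time-ordered (ts, acct) successes
    for e in events:
        if not e["ok"]:
            continue  # failed attempts are noisy; count only successes
        if any(ip_address(e["src"]) in net for net in SHARED_EGRESS):
            continue  # shared egress: many accounts per IP is expected
        per_ip[e["src"]].append((e["ts"], e["acct"]))
    flagged = {}
    for src, hits in per_ip.items():
        start = 0
        for end in range(len(hits)):  # sliding window over successes
            while hits[end][0] - hits[start][0] > window:
                start += 1
            accts = {a for _, a in hits[start:end + 1]}
            if len(accts) > threshold:
                flagged[src] = sorted(accts)
                break
    return flagged


# Constructed sample log: a residential IP hitting six accounts in a week,
# a CGNAT address doing the same (exempt), and one ordinary user.
SAMPLE_LOG = (
    [f"2018-01-0{d},203.0.113.7,user{d}@example.com,success" for d in range(1, 7)]
    + [f"2018-01-0{d},100.64.1.2,cg{d}@example.com,success" for d in range(1, 7)]
    + ["2018-01-03,198.51.100.9,alice@example.com,success",
       "2018-01-04,203.0.113.7,user9@example.com,failure"]
)
```

Calling `flag_many_accounts(SAMPLE_LOG)` reports only 203.0.113.7 with its six accounts; the CGNAT address is skipped and the failed attempt is not counted.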
This is important because Chi himself is more symptom than disease, representing just the tip of a huge iceberg. It’s not hard to find “services” like Chi’s on any social media platform, in some cases whether you like it or not.
Facebook recently locked my own profile for two days in a row for no apparent reason. On the second day, a random, possibly compromised Facebook account promoted “Steve”’s services on Instagram, “100% sure and guaranteed” to “help fix my account”. Following the Instagram link in a disposable virtual machine led me to “the_dark_hacker_unlock” – and services that clearly seem to target attackers, not victims.
Despite reporting both the Facebook comment and the Instagram account that promoted it, both accounts are still online — along with many, many others who are just like them.