The LA Times reported this week that Los Angeles man Hao Kuo “David” Chi pled guilty to four federal felonies related to his efforts to steal and share online nude images of young women. Chi collected more than 620,000 private photos and 9,000 videos from an undetermined number of victims across the US, most of whom were young and female.
“At least 306” victims
Chi’s plea agreement with federal prosecutors in Tampa, Florida, acknowledged “at least 306” victims. This number may be considerably smaller than the true total, since the FBI found that about 4,700 out of 500,000 emails in two of Chi’s Gmail accounts—
applebackupicloud at Gmail—contained iCloud credentials that Chi tricked his victims into providing.
According to Chi, he selected roughly 200 of these victims based on online requests. Chi marketed his iCloud break-in “services” under the nom de guerre
icloudripper4you. His “customers” would identify an iCloud account for attack, after which Chi would use his sketchily named Gmail accounts to contact the victim, impersonating an Apple service representative.
If the victim fell for Chi’s spearphishing attempt, Chi would then use the victim’s own iCloud credentials to log in to the service and save their photos and videos to Dropbox—followed by providing the Dropbox link to his customers and/or conspirators.
According to court documents, Chi organized and saved the stolen media for his own and unnamed conspirators’ personal use, as well as providing them to
icloudripper4you “customers.” The phishing ring used an offshore-hosted encrypted email service to communicate anonymously—”I don’t even know who was involved,” Chi told the LA Times. The ring referred to nude photos and videos found in the stolen accounts as “wins,” which they shared with one another.
FBI Agent Anthony Bossone told the court that Chi’s Dropbox account contained roughly 620,000 photos and 9,000 videos, organized in part by the presence or lack of “wins” within them.
An unsophisticated operation
Despite Chi’s use of “bulletproof” offshore encrypted email, his operation appears to have been quite unsophisticated—he relied on his victims’ willingness to part with their iCloud credentials over email, and his scheme unraveled due more to one victim’s fame than to any daring technical scheme.
In early 2018, one of Chi’s victims—an unnamed public figure in Tampa, where the court case was eventually held—discovered their own nudes on pornographic websites, courtesy of a California company that specializes in removing celebrity photos from the Internet. The nude images were originally stored on an iPhone, from which they were backed up to iCloud.
Once this victim complained to law enforcement, Chi’s scheme unraveled easily—he had logged in to his victim’s iCloud account directly from his own home in La Puente, California. By the time the FBI got a search warrant and raided his house in May, the agents already had a clear picture of Chi’s schemes thanks to records subpoenaed from Dropbox, Google, Apple, Facebook, and Charter Communications.
On August 5, Chi pled guilty to one count of conspiracy and three counts of gaining unauthorized access to a protected computer. He faces up to five years in prison for each charge but will almost certainly receive far less than that due both to sentencing guidelines and guilty-plea negotiations.
Stay sharp out there
It’s unfortunate that Apple never noticed a single man accessing thousands of iCloud accounts, apparently directly from a single residential IP address and on a service that does not use carrier-grade NAT. However, it’s worth noting that Chi’s predation—and that of many, many other phishers—relied entirely on his victims’ gullibility.
This is important because Chi himself is more symptom than disease, representing only the tip of a vast iceberg. It’s not difficult to find “services” like Chi’s on any social media platform—in some cases, whether you’d like to or not.
Facebook recently locked my own profile for no apparent reason two days in a row. On the second day, a random, possibly compromised Facebook account promoted the services of “Steve” on Instagram, “100% sure and guaranteed” to “help recover my account.” Following the Instagram link in a throwaway virtual machine led me to “the_dark_hacker_unlock”—and services that seem clearly aimed at attackers, not victims.
Despite reporting both the Facebook comment and the Instagram account it promoted, both accounts are still online—along with many, many others just like them.