Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Man pleads guilty to stealing naked photos from iCloud accounts

Last updated

A man in Los Angeles County stole more than 620,000 photographs and videos from thousands of iCloud accounts with the intent to steal nudes — some of which ultimately ended up on porn websites.

Hao Ku Chi of La Puente, California, agreed to plead guilty to a total of four felonies, relating to intrusions into thousands of iCloud accounts owned by victims. The plot was to acquire images of naked women to share with co-conspirators.

The man impersonated a member of Apple customer support staff in emails, The Los Angeles Times reports, in a bid to trick victims into handing over their Apple IDs and passwords.

The plan worked for at least 306 victims across the United States. Chi performed around 200 of the hacks at the request of others, as he marketed himself in forums as someone who could get into iCloud accounts under the name "icloudripper4you."

Chi used a pair of Gmail addresses used against victims, including "applebackupicloud" and "backupagenticloud." Those accounts contained more than 500,000 emails, complete with 4,700 user IDs and passwords.

Requests made to Chi stated the name of an iCloud account to hack, which he would respond using a Dropbox link. The online storage was said to include 620,000 photographs and 9,000 videos organized based on whether they contained a "win," namely nude images.

The activity was discovered in March 2018, after a company that specializes in removing celebrity photographs from adult websites advised an unknown public figure of the presence of the images. The photos were stored on an iPhone and backed up to iCloud, but not distributed.

The incident resulted in a police investigation, determining a log-in to the account had been made at Chi's house. A search warrant on May 19 resulted in a large collection of other items acquired by Chi from various services.

Chi agreed to plead guilty on August 5 to one count of conspiracy and three counts of gaining unauthorized access to a protected computer. For each count, he faces up to five years in prison.

"I don't even know who was involved," said Chi in a brief phone interview.

He was also worried the publication of his crimes would "ruin my whole life," claiming "I'm remorseful for what I did, but I have a family"

This is not the first time that nude photographs have been illegally pulled from iCloud. In 2016, a man was charged for hacking iCloud and Google storage accounts owned by dozens of celebrities, via an elaborate phishing scheme.

In 2019, a hacker who took part in the "Celebgate" hack, again using phishing to access online accounts of celebrities, was sentenced to almost three years in prison.



15 Comments

crowley 15 Years · 10431 comments

I think anyone who responds to being held to account for their wrongdoing with "but I have a family" should get a charge of emotional blackmail added to their rap sheet and have an extra 5 years added to their sentence.  Utter scumbag.

aderutter 17 Years · 625 comments

So we have proof that iCloud accounts can and have been hacked.

I suppose if someone hacked an iCloud account they could easily put illegal material in that hacked account too… 

laurim 3 Years · 1 comment

No. We have confirmation people aren’t careful enough about who they hand over their iCloud login info to. This isn’t hacking. It’s phishing. 

crowley 15 Years · 10431 comments

aderutter said:
So we have proof that iCloud accounts can and have been hacked.

I suppose if someone hacked an iCloud account they could easily put illegal material in that hacked account too… 

This was phishing, not hacking.  And I assume Apple would keep a record of what device a photo was uploaded from and had performed the CSAM check, so it would be easy to prove that it wasn't you.

Plus, it's a pretty ridiculous length for a person to go to, to phish your password, set up a new iPhone using those credentials (which I believe sends an alert to your other devices anyway), and then add bunch of child abuse photos, which they'd have to source from somewhere.  All for something which is easily disprovable.  

Your enemies would have to be both very determined and a bit dim.

genius_mac 8 Years · 10 comments

Too bad most of the media tends to report phishing and stolen passwords as hacks. It is very, very different: this here is password hijacking, and not breaking and entering.