A 22-year-old boss backed by a gangster cabal of “internet buddies” has been thwarted and convicted in their attempt to blackmail Apple, the UK’s National Crime Agency reports. In 2017, London-based Kerem Albayrak made Apple an offer they couldn’t refuse: deliver $US100,000 ($144,900) in iTunes gift cards or $US75,000 ($108,675) in cryptocurrency or kiss 319 million iCloud accounts goodbye. On Friday, a court sentenced him to a two year suspended jail term. Tim Cook will live to see another day.
On March 12th, 2017, Albayrak, don of hacker syndicate the “Turkish Crime Family,” sent Apple Security and several media outlets a YouTube video showing him apparently logging in to two victims’ iCloud accounts. The NCA reports that Albayrak had threatened to factory reset the accounts and sell the database vis-a-vis his “internet buddies,” boasting to outlets that he’d had access to 300 million accounts (a figure which was later increased to 559 million).
They gave Apple until April 7th to fill their demands, Apple Insider has reported.
The unfolding drama paints a picture of a would-be king trying to make his mark in the cybercriminal underworld, not satisfied to just sit behind a computer screen and silently pilfer credit card information like some schmo. Later that month, an unnamed Crime Family member told Motherboard:
“I just want my money and thought this would be an interesting report that a lot of Apple customers would be interested in reading and hearing.”
Albayrak also sent his supposed accomplices a notice: “the attack will happen 99.9%. Even if it doesn’t you’re still going to get A LOT of media attention.”
One week and zero gift cards later, they upped their demands and reportedly sent ZDNet a set of 54 sample accounts. ZDNet confirmed their authenticity, though the plot thickened: at least one account had been compromised years prior. Apple and UK authorities ultimately found that the Turkish Crime Family had not, in fact, successfully compromised the network, and concluded that the data came from an unrelated breach of largely defunct third-party services.
Merely 16 days after the blackmail, law enforcement officials apprehended Albayrak at his home and confiscated his devices. (Gizmodo has asked the NCA how they tracked him down–guessing cyber skills–and will update the post if we hear back.)
Excitingly, Albayrak pleaded guilty to one count of blackmail and two counts of unauthorised acts with intent to impair the operation of or prevent/hinder access to a computer. On Friday, a court handed down a two year suspended jail term, 300 hours of unpaid labour, and six months of “electronic curfew” (an ankle bracelet).
He would later reflect on his dance with the devil while speaking with NCA investigators: “[O]nce you get sucked into it [crime], it just escalates, and it makes it interesting when it’s illegal.”
Waltzing right up to Apple Security with a ransom note and a hammer in your pocket might not be the best way to crack the iTunes Gift Card Vault. But it’s a hell of a way to get your name in the blogs.
Gizmodo has reached out to Apple and will update the post if we hear back.