Cyber-extortionists Take a Bite at Apple

Cyber-extortionists Take a Bite at Apple

On Friday April 7, a group of cybercriminals calling themselves the ‘Turkish Crime Family’ claim that they will wipe hundreds of millions of iCloud credentials, instantaneously rendering Apple users unable to play or purchase music, use apps, or access email or Cloud file backups, perhaps indefinitely.

That is, unless Apple pays the extortionists a ransom of $1,000,000 in iTunes vouchers [1].

The ‘Turkish Crime Family’ (TCF) are a self-professed organised cybercrime group [2]. The group claim to have technology that can access and reset hundreds of millions of iCloud credentials. They have posted a YouTube video allegedly showing the group accessing a stolen iCloud account and wiping the victim’s iPhone.

The group is publishing these claims on its public Twitter feed, opening the threat up to scrutiny and suspicion. Apple has downplayed the threat, claiming that the original ransom demand was for only $75,000 and its servers showed no signs of compromise.

To gain publicity, TCF have released to journalists unverifiable screenshots of alleged emails between the criminal organisation and Apple’s cyber security team. The emails contained Apple security members requesting evidence of stolen iCloud credentials and demanding the hackers to take down their YouTube video.

The credibility of the attack has diminished due to the changing narrative of the threat actor group. On the TCF’s Twitter account, the group claims to have access to 200 million iCloud accounts, while in the emails sent to the Apple’s security team the figure ranges from 300 to 559 million [2]. 54 credentials provided to ZDnet by the group, however, have been verified as valid accounts, based on the iClouds password reset function [3].

A statement released by Apple denies that their servers have been hacked, and says that the login information is sourced from a LinkedIn data breach in 2012. However, the statement also encourages iCloud users to differentiate passwords among devices and to enable the two-factor authentication system.  An alleged member of the TCF has been arrested in the UK but has not been charged of a criminal offense [4].

There is additional confusion regarding the particulars of the ransom demands. Apple claim the initial stipulations were for $75,000 in bitcoin or $100,000 dollars in iTunes vouchers for instant resale at 60% face value. TCF responded with their own public statement that they were demanding this payment for each of their seven members, and so, using baffling maths, this meant they were demanding a million dollars [5].

Whether or not the group has the capability to carry out its threat remains to be seen. Apple are standing firm: “We do not reward cyber criminals for breaking the law.” There are few other choices available to them – such a public demand could only lead to other demands in future. This type of extortion attempt could be repeated against other major companies.

The increasing trend of cyber extortion

Cyber extortion is on the rise, with 2016 being referred to as, ‘the year of ransomware’ [6].  Ransomware is a form of malware which installs covertly onto devices and uses an encryption method to hold victim’s data hostage or threaten a leakware attack until a ransom is paid. The increasing frequency of cyber extortion has been linked to the rise in crypto-currencies which is used as an untraceable and anonymised payment method for cybercriminals to receive ransom. Further, malware developers are selling ‘commodity-ransomware’ allowing organised crime groups to launch cyber-attacks significantly above their technical capabilities [7].

Cambridge Centre for Risk Studies has been studying cyber extortion and other elements of cyber risk for a number of years. In our 2016 report ‘Managing Cyber Insurance Accumulation Risk’ [8], we catalogue the families of ransomware and describe major historical examples. An accumulation stress test scenario – ‘Extortion Spree’ – was developed for the RMS Cyber Accumulation Management System. This described a hypothetical scenario of an increased wave of extortion attacks on companies with ransom demands at levels of millions of dollars. Most extortion demands from businesses to date have been limited to tens of thousands of dollars. The TCF attack may ultimately represent a growing level of ambition to try to extort large big-brand name companies, and to up their scale of ransom demands.

Implications for the business world

The Apple extortion by TCF is significant in the evolution of ransomware attacks due to its scale and brand recognition. Whether the threat is actually credible or not, the effect of the media exposure from the TCF publicity will likely have a negative impact on the Apple brand. A robust image of cybersecurity is essential for any technology brand. After high-profile iCloud hacks of private celebratory accounts, Apple has made significant effort to rebuild confidence in their cybersecurity, including implementing the two-factor authentication system for iCloud accounts since 2015 [9]. This event will be a set-back in building that image.

If the threat is credible and no ransom is paid, Apple will have to bear the costs of responding to the threat action including: incident response costs, compensation for privacy breach, possible contingent business interruption 3rd party liability, among others. Therefore, if these type of large-scale extortion cases are technologically feasible and so more frequent, businesses have to adjust to this new threat. While paying the ransom is a ‘quick-fix’, this in the long run will result in an increase highly resourced cybercriminal groups, resulting in a likely increase in the frequency of cyber extortion.


[1] Smith, Chris, (2017), “Hackers still threaten a remote wipe of iPhones, despite Apple’s statement”, BGR, 23 March 2017;

[2] Cox, Joseph, (2017), ‘Hackers: We will Remotely Wipe iPhones unless Apple Pays ransom’, Motherboard Vice, 21 March 2017;

[3] Whittaker, Zack, (2017), ‘Apple iCloud ransom demands: the facts you need to know’, ZDnet, 23 March 2017;

[4] Cox, Joseph, (2017), ‘UK Cops Arrest Man Potentially Linked to Apple Extortion’, Motherboard Vice, 29 March 2017;

[5] Smith, Chris, (2017), “Hackers still threaten a remote wipe of iPhones, despite Apple’s statement”, BGR, 23 March 2017;

[6] Hiltzik, Michael, (2016). ‘2016 is shaping up as the year of the ransomware-and the FBI isn’t helping’. Los Angeles times, 8 March 2016;

[7] Ashok, India, (2016), ‘Hackers selling new Stampado ransomware on the dark web for a mere $39 dollars’, International Business Times, 14 July 2016;

[8] Risk Management Solutions, Inc., (2016) ‘Managing Cyber Insurance Accumulation Risk’, Report prepared in collaboration with and based on original research by the Centre for Risk Studies, University of Cambridge;

[9] Painter, Lewis, (2017). ‘Protect your Apple ID: two-factor authentication vs two-step verification’, Macworld, 6 January 2017;

Andrew Smith

Andrew Smith

Andrew Smith is a Research Assistant at the Cambridge Centre for Risk Studies and has a background in economics and data modelling. Prior to joining the Risk Centre, he completed his first degree at Heriot-Watt University, Edinburgh and is currently completing his MSc Economics at VU, Amsterdam. Andrew's independent research has focused on international macroeconomics with an emphasis on fiscal policy. Andrew has previously worked as a Research Intern at an economic consultancy where he modelled the changing trade flows between Asia and South America.
Andrew Smith

Latest posts by Andrew Smith (see all)

Would you like to comment?