A 22-year-old man has admitted trying to blackmail Apple by claiming he had access to many iCloud accounts. Kerem Albayrak from north London threatened to wipe 319 million accounts unless Apple gave him iTunes gift cards worth $100,000 (£76,000).
But an investigation found that Albayrak had not compromised Apple’s systems. He has been given a two year suspended jail sentence and ordered to try to 300 hours of unpaid work.
In March 2017, Albayrak emailed Apple’s security team, claiming to possess breached many iCloud accounts. He posted a video on YouTube that seemed to show him breaking into two accounts.
He threatened to sell the account information, dump his database online and reset the accounts unless Apple paid his iTunes gift card demand.
Albayrak also said he would accept $75,000 worth of crypto-currency, but later increased this to $100,000.He was arrested at his range in north London about a fortnight after sending his threat.
Apple investigated his claims but couldn’t find evidence that its systems had been compromised.
The UK’s National Crime Agency found that Albayrak had gathered email addresses and passwords from other services, which had previously been exposed in data breaches.
He then tried his luck, seeing if anybody had used an equivalent username and password for his or her iCloud account.
This type of attack, referred to as credential stuffing, are often automated to hurry up the method. Albayrak told investigators: “When you’ve got power on the web it’s like fame and everybody respects you.”
In addition to the 300 hours of unpaid work, he has been given a six-month electronic curfew.
“Albayrak wrongly believed he could escape justice after hacking into two accounts and attempting to blackmail an outsized multi-national corporation,” said Anna Smith, a senior investigative officer for the NCA.