The Turkish Crime Family (TFC) versus Apple cyber extortion case is unique in being one of the first widely reported incidents of a large tech company being subjected to extortion. TCF claimed access to hundreds of millions of iCloud accounts, which they threatened to wipe if Apple did not pay a ransom (the amount in question varied) by an April 7 deadline. After the deadline passed, the Turkish Crime Family (TCF) claimed via Twitter that Apple had paid a ransom of over $480,000 worth of bitcoin. Below is a timeline of how events unfolded:
- April 6: At 7pm (GMT), the TCF simply tweeted “7th of April 7:30pm GMT”. The tweet while vague, implied that the cyber-attack threatening to wipe millions of iCloud accounts would be actioned at this time.
- April 7 (7:53 pm): Throughout the cyber extortion process, TCF have claimed to be in contact with the Apple cybersecurity team. In a tweet TCF claimed that negotiations for a ransom had resulted in a final agreement but they had yet to receive payment. Within this tweet, the group posted a Blockchain.info link, a popular bitcoin wallet, where the ransom was to be paid. As mentioned previously, bitcoin platforms are often used by cybercrime organisations to receive funds which are by large untraceable.
- April 7 (deleted tweet – witnessed by blog author): A tweet was made and subsequently deleted on the TCF Twitter page that stated the negotiations had concluded and Apple had agreed to pay a ransom of $390,000. This is significantly less than the final ransom demanded the day prior, which was $1,000,000 (one of many ransom amounts demanded).
- April 7 (9:50pm): the same Blockchain.info link as above was posted, displaying a transaction of 401.7 bitcoins, worth $489,687 dollars at day of transfer. The group claims that this is evidence of Apple having paid the ransom. The amount received is less than half that was demanded by the cyber-extortionists and two hours past the ransom deadline.
- April 7 (after the fact, subsequently deleted, witnessed by author): Following these events a “Twitter-spat” between TCF and sceptical Twitter users broke out. Some of the TCF’s followers were unconvinced by the evidence provided and retaliated with profanity and abuse.
The payment made to Blockchain is authentic as the design of the bitcoin block chain means that transactions cannot be forged. The unique hash 160, which is a crypotographically hashed bitcoin public address (in shorter format) was identical to both the Blockchain link tweeted by TCF at 7:53pm that showed evidence of no bitcoin transaction and the link that was posted at 9:50pm, which showed bitcoins had been transferred. Arguably a transaction occurred within this timeframe (Alyson, 2014). However, the nature of Blockchain transactions is such that both parties involved are anonymised. Without a statement from Apple it is impossible to know the source and destination of the transaction.
A likely explanation for the above transaction of bitcoins is that TCF were aware of an unrelated transaction occurring at this time and used this for their own gains as evidence of a ransom payment from Apple. This is likely an attempt by the TCF to gain some credibility in the cybercrime world and increase their notoriety.
According to Blockchain experts, the transaction is part of an internal money deposit process at a Korean bitcoin exchange (Kan, 2017). Combined with the scepticism surrounding the validity of the claimed iCloud data, it seems highly probable that the transaction was not a ransom paid by Apple.
The lack of media coverage after the fact suggests that Apple has managed to avoid any further embarrassment from the extortion. Their reputation for robust cyber-security has been not been significantly impacted.
Since there is some possibility, however small, that Apple paid the ransom, this could encourage other firms who are subjected to cyber extortion to also pay. As stated in the first installment of this post, this is a short term solution which could have long term negative implications, particularly in light of the growing trend for cyber extortion.
Alyson, M., (2014)., ‘How to understand the Blockchain.info address and transactions page’. Available at: https://blog.blockchain.com/2014/08/29/how-to-understand-the-blockchain-info-address-and-transactions-page/#more-3129
Kan, M., (2017)., ‘The iCloud hackers bitcoin ransom looks like a fake’. CSO news, Apr 10th 2017. Available at: http://www.csoonline.com/article/3188515/security/the-icloud-hackers-bitcoin-ransom-looks-like-a-fake.html