Cyber-extortionists take a bite at Apple – update

posted in: Viewpoints | 0

The Turkish Crime Family (TFC) versus Apple cyber extortion case is unique in being one of the first widely reported incidents of a large tech company being subjected to extortion. TCF claimed access to hundreds of millions of iCloud accounts, which they threatened to wipe if Apple did not pay a ransom (the amount in question varied) by an April 7 deadline.  After the deadline passed, the Turkish Crime Family (TCF) claimed via Twitter that Apple had paid a ransom of over $480,000 worth of bitcoin. Below is a timeline of how events unfolded:

  • April 6: At 7pm (GMT), the TCF simply tweeted “7th of April 7:30pm GMT”. The tweet while vague, implied that the cyber-attack threatening to wipe millions of iCloud accounts would be actioned at this time.
  • April 7 (7:53 pm): Throughout the cyber extortion process, TCF have claimed to be in contact with the Apple cybersecurity team. In a tweet TCF claimed that negotiations for a ransom had resulted in a final agreement but they had yet to receive payment. Within this tweet, the group posted a link, a popular bitcoin wallet, where the ransom was to be paid. As mentioned previously, bitcoin platforms are often used by cybercrime organisations to receive funds which are by large untraceable.
  • April 7 (deleted tweet – witnessed by blog author): A tweet was made and subsequently deleted on the TCF Twitter page that stated the negotiations had concluded and Apple had agreed to pay a ransom of $390,000. This is significantly less than the final ransom demanded the day prior, which was $1,000,000 (one of many ransom amounts demanded).
  • April 7 (9:50pm): the same link as above was posted, displaying a transaction of 401.7 bitcoins, worth $489,687 dollars at day of transfer. The group claims that this is evidence of Apple having paid the ransom. The amount received is less than half that was demanded by the cyber-extortionists and two hours past the ransom deadline.
  • April 7 (after the fact, subsequently deleted, witnessed by author): Following these events a “Twitter-spat” between TCF and sceptical Twitter users broke out. Some of the TCF’s followers were unconvinced by the evidence provided and retaliated with profanity and abuse.

The payment made to Blockchain is authentic as the design of the bitcoin block chain means that transactions cannot be forged. The unique hash 160, which is a crypotographically hashed bitcoin public address (in shorter format) was identical to both the Blockchain link tweeted by TCF at 7:53pm that showed evidence of no bitcoin transaction and the link that was posted at 9:50pm, which showed bitcoins had been transferred. Arguably a transaction occurred within this timeframe (Alyson, 2014). However, the nature of Blockchain transactions is such that both parties involved are anonymised. Without a statement from Apple it is impossible to know the source and destination of the transaction.

A likely explanation for the above transaction of bitcoins is that TCF were aware of an unrelated transaction occurring at this time and used this for their own gains as evidence of a ransom payment from Apple. This is likely an attempt by the TCF to gain some credibility in the cybercrime world and increase their notoriety.

According to Blockchain experts, the transaction is part of an internal money deposit process at a Korean bitcoin exchange (Kan, 2017). Combined with the scepticism surrounding the validity of the claimed iCloud data, it seems highly probable that the transaction was not a ransom paid by Apple.

The lack of media coverage after the fact suggests that Apple has managed to avoid any further embarrassment from the extortion. Their reputation for robust cyber-security has been not been significantly impacted.

Since there is some possibility, however small, that Apple paid the ransom, this could encourage other firms who are subjected to cyber extortion to also pay. As stated in the first installment of this post, this is a short term solution which could have long term negative implications, particularly in light of the growing trend for cyber extortion.


Alyson, M., (2014)., ‘How to understand the address and transactions page’. Available at:

Kan, M., (2017)., ‘The iCloud hackers bitcoin ransom looks like a fake’. CSO news, Apr 10th 2017. Available at:

Block chain payment links
Andrew Smith

Andrew Smith

Andrew Smith is a Research Assistant at the Cambridge Centre for Risk Studies and has a background in economics and data modelling. Prior to joining the Risk Centre, he completed his first degree at Heriot-Watt University, Edinburgh and is currently completing his MSc Economics at VU, Amsterdam. Andrew's independent research has focused on international macroeconomics with an emphasis on fiscal policy. Andrew has previously worked as a Research Intern at an economic consultancy where he modelled the changing trade flows between Asia and South America.
Andrew Smith

Latest posts by Andrew Smith (see all)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.