Former Apple Employees Arrested For Selling Customer Data on Dark Web

On June 7, after months of investigation, 22 people were arrested in the Southern province of Zhejiang, China, for stealing Apple customer information and selling it on the dark web.

The cyber criminal group gathered sensitive personal data from Apple consumers such as names, addresses and Apple IDs amongst other types and sold batches of information on darknet marketplaces for around $1.50 per account.

According to Graham Cluley, award-winning computer security analyst, the Chinese criminal group profited more than $7.36 million in a relatively short period of time.

Local publications including South China Morning Post reported that out of the 22 criminals that were arrested, 20 previously worked for Apple. After the completion of four separate raids in the provinces of Guangdong, Jiangsu, Zhejiang and Fujian, the 22 suspects were in police custody and the tools the group used to scam Apple consumers were seized by local authorities.

According to local reports, the suspects of the alleged cyber criminal group utilized an internal system of Apple to gather names, phone numbers, Apple IDs, passwords and other information. Although local police announced that the tools used in the attack were seized, investigators did not mention how the group gained access to an internal system of Apple.

Analysts suggested that the 20 suspects who previously worked in direct marketing and outsourcing for Apple in China managed to gain access to Apple’s internal system and develop a tool to steal customer information.

In the past, hackers and members of cyber criminal groups that illegally obtained personal information and sold them on the dark web received an 11-month jail sentence. Based on Chinese regulations, anyone that sells more than 50 pieces of illegally obtained data are subjected to criminal liability.

In an analytical blog post, Cluley noted that Apple customer scams and frauds were exploited before. Most notably, in 2016, a cyber criminal group operating under an entity called “AppleInc” scammed many Apple users by sending mobile messages to Apple users regarding account security and expiration.

The messages included a hyperlink which users were asked to click in order to recover their accounts before they expire. The hyperlink instead led Apple customers to a fake Apple sign-in page which stole Apple IDs and passwords.

Cluley explained that the popularization of the dark web and the sudden emergence of darknet marketplaces that operate as well-structured criminal organizations made it significantly easier for scammers and fraudsters to monetize hacking the accounts of devices. Previously, fraudsters had to extort account owners for ransom directly with payment methods such as bitcoin.

However, due to the establishment of the dark web and highly functional darknet marketplaces, criminals can now easily sell client information in batches and make money from stolen content much more efficiently.

Through Apple account hacks, cyber criminals and hackers can also steal potentially valuable financial information and other types of sensitive data by logging into the vulnerable accounts. If financial apps and emails are left unprotected, they can be sold on the dark web for substantially higher prices or if the data stored on the device is worthwhile, fraudsters can conduct secondary attacks.

“On the other hand, they can leverage those IDs to gain access to users’ personal documents and emails, which they can then use to potentially steal financial information and/or conduct secondary attacks,” said Cluley.