My traumatic Apple ID hack showed pitfalls of centralized identity

I was the target of a sophisticated breach of my Apple ID that caused a significant emotional and financial toll. My background as a tech entrepreneur meant I knew the importance of multi-factor authentication and the warning signs of SIM swaps and had precautions in place. Despite this vigilance, I fell victim to an audacious attack one January evening last year, painfully showing that it can happen to anyone.

I’ve had my Apple ID since it was invented. I’ve bought tens of thousands — maybe hundreds of thousands — of dollars worth of software, movies, TV shows, hardware. Suddenly, I was informed of 15,000 login attempts. It was literally “Boom, boom, boom.” I pressed “Don’t allow, don’t allow, don’t 

Then, I was phoned by someone claiming to work for Apple technical support. They had in-depth information about how many devices I owned and when they were last used — even where the login attempts were coming from. A lot of unsuspecting victims would find this call credible, but something wasn’t sitting right with me. He said, “I’m going to send you a code” — and I replied, “I’m not going to give it to you.”


Codes were subsequently sent to my phone — from the exact same number that Apple had used to send verification codes in the past. I decided to call Apple directly to get to the bottom of what was going on, but the nightmare was only just beginning. The attacker had managed to gain access to my account.

I explained what was happening, but the woman from Apple basically told me, “Accept your losses.” Excuse me? What do you mean? I’m technically savvy — I knew that my Apple ID was potentially forever gone. That doesn’t mean there weren’t bigger things at play. I had nonfungible tokens (NFTs) and art that I’d kept for two years. I had access to a lot of corporate accounts, brokerage accounts — all sorts of stuff. And she just kept repeating “Accept your loss, accept your loss, accept your loss.”

A 2023 Wall Street Journal illustration showed how Apple accounts could be breached if attackers held an iPhone’s password. Source: Wall Street Journal

I was in a race against time to protect my assets and began moving my fiat currency to a safe location, but my crypto had already been transferred to a wallet out of my control and liquidated. I then got an anonymous call from someone using a voice modulator with a chilling message: “Check your Telegram.”

Messages were sent that said my Apple ID and assets would be returned if the phone numbers and email addresses of three other people were handed over. But I refused, telling the attacker he picked the wrong person.

I started tweeting about the situation, and the hacker panicked. He threatened to leak pictures of my four-month-old daughter, so I took down the tweet.

They continued to message, and I was then told I would get my Apple ID back as long as I didn’t post online for 48 hours. But three days later, the goalposts had been shifted once again. Now the attacker was demanding $50,000.

“Normally what I do is find people who are usually having affairs, doing something wrong or have sensitive information that I extort them for,” the cybercriminal told me.

Months of terror

For the three months that followed, the attacker was trying to extort and terrorize me — stress I had to conceal from my wife and daughter. To make matters worse, my Amex and Chase withdrawal limits were slashed, and my credit rating plummeted.

Undeterred, I continued to exchange messages and calls with the man who stole my identity, building up gigabytes of evidence.

Little did I know that the walls were already closing in on the attacker. The criminal was already on the radar of law enforcement after being indicted for a SIM swap — and detectives soon realized this was the tip of the iceberg. Because stolen funds had been used on Cash App and Venmo, investigators were able to connect the dots and identify me as a victim. When an FBI agent called, I was able to give a detailed description of the person responsible — and it was enough to get a warrant. They went and broke into his house. The guy was on my Apple ID.


The investigation later revealed that there were about 20 other victims. Most of them were women. He would make a lot of them do sexual things. I got a call from the sentencing officer who didn’t know this was a thing. She said she’s been around serial killers, murderers… bad people, and she’s never had a worse feeling than interacting with this person.

I was the only victim who wasn’t afraid to speak out — and provided a written statement to the court. The power of those words led to the judge doubling the sentence to eight years without parole, even though the hacker had pleaded guilty and snitched on his associates. A federal case is pending so he will be in jail for a while. It’s a waste of life.

Protect your digital identity

It was one of the most traumatic experiences of my life.

Meanwhile, countless millions of people around the world continue to depend on their Apple IDs in their day-to-day lives — blissfully unaware of the damage a hack causes. Take my social security number, don’t take my digital identity. I didn’t realize Apple was my digital identity until it was too late.

The attacker was part of a wider, sophisticated scheme — with scammers brazenly advertising job vacancies to join them. People then join who think they are genuinely working for Apple Support, when they are unwittingly involved in financial crime.

New speech recognition solutions are urgently needed to better protect the public — especially as someone’s voice can be recreated and abused in under 30 minutes.

Digital identities will be the foundation of Web3. Without them, we really can’t verify who we’re speaking to. Our communication stack as a society, as a civilization is embarrassing right now. A true digital identity allows you to take custody of your own data and solutions. I can now take information from my doctor and keep it in my storage. I can protect my financial information. I can take all of that.

I want to make sure this never happens to anyone else. I’m about to receive a refund from Apple for all of the purchases I made over the past 20 years as compensation — and would like to share these top tips for other victims:

  • Keep a strict timeline and take rigorous notes
  • Make sure the law enforcement official you speak to takes notes as well
  • Write down the date and time of the call, as well as their name and details
  • Contact local police and tell them what happened to you
  • File a detailed IC3 report, as this helps federal authorities apprehend criminals

After experiencing the ruinous impact of having my digital life stolen in the blink of an eye, I believe there’s only one answer: decentralized identities where personal data is fully encrypted and stored in a secure wallet.

Amro Shihadah is a guest columnist for Cointelegraph and a former director of operations at Nillion, and is a finance professional with expertise in traditional finance and blockchain and AI technologies. He holds an undergraduate degree in finance and business administration from American University and is completing an executive MBA at Northwestern University’s Kellogg School of Management.

This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

