I fell victim to a highly sophisticated breach of my Apple ID, which had a significant impact on me both emotionally and financially. As a tech entrepreneur, I understood the importance of multi-factor authentication and the warning signs of SIM swaps, and I had taken precautions to protect myself. However, despite my vigilance, I was audaciously attacked one evening in January last year, proving that anyone can become a target.
I have been using my Apple ID since its inception, making numerous purchases of software, movies, TV shows, and hardware over the years, amounting to tens or even hundreds of thousands of dollars. Suddenly, I received notifications of 15,000 login attempts, one after another. It was like a barrage of attempts, and I repeatedly pressed “Don’t allow, don’t allow, don’t allow.”
Shortly after, I received a call from someone claiming to be from Apple technical support. This person had detailed information about the devices I owned and their recent usage, including the locations from which the login attempts were originating. While many unsuspecting victims might have found this call credible, something didn’t feel right to me. The caller told me, “I’m going to send you a code,” to which I replied, “I’m not going to give it to you.”
Subsequently, I received codes on my phone from the same number that Apple had used in the past to send verification codes. I decided to contact Apple directly to get to the bottom of the situation, but unfortunately, the nightmare had only just begun. The attacker had managed to gain access to my account.
I explained the situation to the Apple representative, but she simply told me to accept my losses. I was taken aback. What did she mean? As someone with technical knowledge, I understood that my Apple ID might be permanently lost, but there were larger implications at stake. I had valuable nonfungible tokens (NFTs) and artwork that I had held onto for years. I also had access to various corporate and brokerage accounts. Yet, the representative kept repeating, “Accept your loss, accept your loss, accept your loss.”
In a race against time, I tried to protect my assets by moving my fiat currency to a secure location. However, my cryptocurrency had already been transferred to a wallet beyond my control and liquidated. Soon after, I received an anonymous call from someone using a voice modulator, delivering a chilling message: “Check your Telegram.”
I received messages stating that my Apple ID and assets would be returned if I provided the phone numbers and email addresses of three other individuals. However, I refused, informing the attacker that he had chosen the wrong person.
I decided to share my ordeal on Twitter, which caused the hacker to panic. He threatened to leak photos of my four-month-old daughter, so I promptly took down the tweet. The messages continued, and I was told that I would regain access to my Apple ID if I refrained from posting online for 48 hours. However, three days later, the attacker changed his demands once again, now demanding $50,000.
The perpetrator confessed to me, saying, “Normally what I do is find people who are usually having affairs, doing something wrong, or have sensitive information that I extort them for.” For the next three months, he tried to extort and terrorize me, creating immense stress that I had to hide from my wife and daughter. To make matters worse, my Amex and Chase withdrawal limits were reduced, and my credit rating plummeted.
Nevertheless, I continued to exchange messages and calls with the person who had stolen my identity, collecting substantial evidence along the way.
Unbeknownst to me, law enforcement was already closing in on the attacker. He was already under investigation for a SIM swap and detectives soon discovered that this was just the tip of the iceberg. By tracing the stolen funds to Cash App and Venmo, investigators were able to connect the dots and identify me as one of the victims. When an FBI agent contacted me, I provided a detailed description of the person responsible, which was sufficient to obtain a warrant. Authorities subsequently raided the attacker’s house, where they found evidence linking him to my Apple ID.
The investigation later uncovered approximately 20 other victims, most of whom were women. The attacker had coerced many of them into engaging in sexual acts. I received a call from the sentencing officer, who was unaware of these details. She confessed that in her career dealing with serial killers, murderers, and other criminals, she had never encountered someone as repugnant as this individual.
I was the only victim who had the courage to speak out and provide a written statement to the court. The power of my words led the judge to double the hacker’s sentence to eight years without parole, despite his guilty plea and cooperation with law enforcement. A federal case is still pending, ensuring that he will remain incarcerated for a considerable time. It is a tragic waste of a life.
In light of my experience, I am determined to prevent others from suffering a similar fate. I am about to receive a refund from Apple for all the purchases I made over the past two decades as compensation. In the meantime, I would like to share some valuable tips for other victims:
1. Maintain a strict timeline and take detailed notes of all interactions.
2. Ensure that the law enforcement officials you speak to also take thorough notes.
3. Document the date, time, name, and contact details of every call.
4. Contact local police and report the incident.
5. File a detailed report with the Internet Crime Complaint Center (IC3), as this helps federal authorities in apprehending criminals.
Having experienced the devastating consequences of having my digital life stolen in an instant, I firmly believe that decentralized identities, where personal data is fully encrypted and stored in secure wallets, are the only solution. Digital identities will serve as the foundation of Web3, enabling us to verify the authenticity of the individuals we interact with. Our current communication infrastructure as a society is woefully inadequate. With a true digital identity, individuals can take control of their own data and protect their financial information and personal records.
I am committed to ensuring that no one else falls victim to such a harrowing experience.