TempMail Ninja

Kerem Albayrak: The Truth Behind the 2017 Apple Blackmail Plot


A significant chapter of digital folklore was revisited yesterday as Kerem Albayrak, the hacker who famously claimed to have breached hundreds of millions of Apple iCloud accounts in 2017, appeared on a new episode of the Cybercrime Magazine Podcast to tell his side of the story for the first time. The disclosure, dated April 17, 2026, marks a decade since the initial “Turkish Crime Family” panic that sent shockwaves through the tech industry. Albayrak, who was originally sentenced in 2019 for his attempt to blackmail Apple for $100,000 in iTunes gift cards and cryptocurrency, confirmed that the high-profile “breach” was largely a calculated publicity stunt aimed at promoting a cybersecurity tool he was developing at the time. This retrospective provides a rare glimpse into the mechanics of social engineering and the thin line between grey-hat marketing and criminal extortion.

The Genesis of the Turkish Crime Family and Kerem Albayrak

In early 2017, the cybersecurity world was gripped by a series of escalating threats from a group calling itself the “Turkish Crime Family” (TCF). At the center of this storm was Kerem Albayrak, a 22-year-old from North London who acted as the group’s primary spokesperson and strategist. The group claimed to have gained unauthorized access to over 300 million iCloud accounts, threatening to factory reset millions of iPhones and iPads if their demands were not met. The ransom was notably unconventional: $75,000 in cryptocurrency or $100,000 worth of iTunes gift cards.

The 2026 interview reveals that the TCF was less an organized criminal syndicate and more a loose collective of “internet buddies” who understood the power of media manipulation. Albayrak admits that the primary goal was never to permanently damage Apple’s infrastructure, but rather to generate a level of notoriety that would serve as a launchpad for his legitimate career in software development and security auditing. However, the legal system and Apple’s security team viewed the threat with far greater gravity than the hackers had anticipated.

Technical Illusion: Credential Stuffing vs. Server Compromise

One of the most critical technical details Albayrak clarified in his recent disclosure was the nature of the “data” he possessed. During the 2017 investigation, the UK’s National Crime Agency (NCA) and Apple’s internal security teams maintained that there was no evidence of a direct breach of Apple’s servers. Albayrak’s recent comments confirm this technical assessment, detailing how the group leveraged credential stuffing rather than a systemic exploit.

  • Stale Databases: The “319 million accounts” cited by Albayrak largely consisted of credentials leaked in previous high-profile breaches of third-party services such as LinkedIn, MySpace, and Tumblr (circa 2012-2016).
  • Password Reuse: The effectiveness of the threat relied entirely on users who utilized the same email and password combination for their third-party accounts as they did for their iCloud login.
  • API Scraping: To prove their “access,” the group used automated scripts to test these credentials against Apple’s login endpoints. While many of the accounts were inactive or had since enabled Two-Factor Authentication (2FA), the sheer volume of “hits” allowed the group to create the illusion of a massive, active compromise.

The Publicity Stunt That Went Too Far

The core of Kerem Albayrak’s new testimony revolves around the “Cybersecurity Tool” he was attempting to market. In 2017, the group released a YouTube video showing Albayrak accessing two seemingly random iCloud accounts. This video was sent to various media outlets to bolster the group’s claims. Albayrak now admits that the tool being “demonstrated” was a security auditing platform designed to help users identify if their credentials were part of known leaks—a precursor to modern services like Have I Been Pwned.
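The leak-check idea described above (and the password-reuse problem from the previous section) can be shown with a small range-query service of the kind Have I Been Pwned popularised. This is an added example written for this page; it is not Albayrak’s tool, not code from the article, and not the real Have I Been Pwned API. The leak corpus, the 5-character prefix length and the function names are all assumptions of the example.

```python
"""Leaked-credential check using hash-prefix range queries (added example).

Models the defensive idea behind a breach-lookup service: the client never
sends the password or its full hash. It sends only the first 5 hex characters
of SHA-1(password); the service answers with every hash suffix it holds under
that prefix, and the client finishes the match locally. The leak corpus below
is constructed for this example and is not real breach data.
"""
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # client reveals only this many hex characters of the hash

# Constructed stand-in for a leak corpus; the duplicate models a password seen
# in several breaches (hypothetical values, not taken from any real dataset).
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "password", "letmein", "iloveyou"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the digest form such services index."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(passwords):
    """Service side: map hash prefix -> {hash suffix: occurrence count}."""
    index = defaultdict(lambda: defaultdict(int))
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] += 1
    return index


def range_query(index, prefix: str):
    """Service side: everything held under one prefix, as (suffix, count) pairs.
    The service cannot tell which (if any) returned suffix the client wants."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError(f"prefix must be exactly {PREFIX_LEN} hex characters")
    return sorted(index.get(prefix.upper(), {}).items())


def leak_count(index, password: str) -> int:
    """Client side: how many times the password occurs in the corpus (0 = not seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for candidate_suffix, count in range_query(index, prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def password_allowed(index, password: str) -> bool:
    """Registration/reset gate: reject any password present in the leak corpus."""
    return leak_count(index, password) == 0


if __name__ == "__main__":
    idx = build_index(LEAKED_PASSWORDS)
    for pw in ["password", "correct horse battery staple"]:
        print(pw, "->", leak_count(idx, pw), "allowed:", password_allowed(idx, pw))
```

The point of the prefix split is that a service offering this check never learns the password being tested, so a leaked-credential lookup does not itself become a new place for credentials to leak; `password_allowed` shows the same lookup used as a registration gate, which is what turns a stale third-party dump from an attacker’s asset into a defender’s blocklist.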

However, the transition from “demonstrating a vulnerability” to “demanding a ransom” is where the legal line was crossed. Albayrak describes the escalation as a psychological feedback loop. “When you have power on the internet, it’s like fame,” he noted in the podcast, echoing statements he made to investigators in 2019. “Everyone is chasing that. The more the media wrote about us, the more we felt we had to raise the stakes to keep the momentum going.”

The “150 Resets Per Minute” Claim

A particularly alarming technical claim made by the TCF in 2017 was that they had developed scripts capable of factory resetting 150 iCloud accounts per minute, per script, across multiple servers. In his 2026 retrospective, Albayrak deconstructed the feasibility of this claim:

  1. Find My iPhone Exploitation: The group intended to use the “Find My iPhone” remote wipe feature, which could be triggered via a logged-in iCloud session.
  2. Scripted Automation: By using browser automation tools (such as Selenium driving a headless browser) or direct API calls, the hackers aimed to automate the “Wipe Device” command for every account they had validated through credential stuffing.
  3. Rate Limiting: Apple’s security protocols eventually caught these automated requests, but the initial burst of activity was enough to convince Albayrak—and subsequently the media—that a mass reset was technically possible.

The investigation culminated in March 2017 when officers from the NCA’s National Cyber Crime Unit (NCCU) arrested Kerem Albayrak at his home in North London. Seized devices provided a treasure trove of evidence, including logs of the “Turkish Crime Family” chat rooms where Albayrak bragged that the attack was “99.9% likely to happen.”

In December 2019, Albayrak pleaded guilty at Southwark Crown Court to one count of blackmail and two counts of unauthorized acts with intent to impair the operation of a computer. The court’s sentence was a reflection of the evolving legal view on “fame-seeking” hackers:

  • Suspended Sentence: A two-year prison term, suspended for two years.
  • Community Service: 300 hours of unpaid work.
  • Electronic Curfew: A six-month curfew monitored by an electronic tag.

Judge Christopher Hehir noted during sentencing that Albayrak was a “cynical and calculated” individual who sought to use Apple’s brand reputation for his own gain. The case became a landmark example of how the Computer Misuse Act 1990 could be applied to extortion attempts involving stolen credentials, even when the target company’s own servers remained uncompromised.

The Evolution of a Cyber Professional

The most compelling part of the 2026 disclosure is Albayrak’s transition into a legitimate cybersecurity professional. Now working as a consultant, his journey reflects a broader trend within the infosec community where former “grey hat” hackers find redemption in defensive security. Albayrak argues that his experience in 2017 provided him with a unique “adversarial mindset” that is invaluable in modern threat hunting.

He now advocates for proactive credential hygiene and the universal adoption of hardware-based MFA (Multi-Factor Authentication). “The TCF stunt would be impossible today,” Albayrak noted during the podcast. “Apple’s implementation of 2FA by default and the decline of the ‘password-only’ login have killed the effectiveness of the credential stuffing techniques we used back then.”

Legacy and Ethics in the Late 2010s

The retrospective on Kerem Albayrak highlights the “wild west” era of the late 2010s, where the line between security research and criminal activity was often blurred by the desire for social media clout. The TCF incident served as a wake-up call for both corporations and the media. Corporations learned that brand damage could occur even without a server breach, simply through the perception of a compromise. The media, meanwhile, learned to be more skeptical of “hacker groups” providing screenshots and YouTube videos as “proof” of massive data heists.

Ultimately, Albayrak’s first full disclosure serves as a cautionary tale. While he has successfully navigated his way back into the professional fold, the legal and personal cost of his “publicity stunt” was immense. It stands as a reminder that in the digital age, clout is a dangerous currency, and the pursuit of internet fame can lead down a path that ends in a crown court rather than a boardroom.

Key Takeaways for Modern Cybersecurity

Reflecting on the Albayrak case in 2026, several technical and procedural lessons remain relevant for today’s CISO (Chief Information Security Officer) and security analysts:

  • Credential Hygiene: Organizations must treat third-party leaks as a direct threat to their own authentication systems.
  • API Security: Rate limiting and behavioral analysis on login endpoints are the primary defenses against the type of automated scripts used by the TCF.
  • The Human Factor: Social engineering directed at the media can be just as damaging as a technical exploit. Rapid, transparent communication from the target company is essential to debunking false claims of a breach.
  • MFA Maturity: The transition from SMS-based 2FA to FIDO2 and biometric authentication has fundamentally changed the risk profile of credential-based attacks.
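The “API Security” takeaway above, the rate limiting that stopped the scripted resets, and the credential-testing pattern described in the “Technical Illusion” section all come down to the same two controls on a login endpoint: a per-source rate limit and a behavioural check for one source trying many distinct accounts with a low success rate. The following is an added example for this page, not code from the article or from Apple; the log format, the sample events (all constructed), the thresholds and the function names are assumptions of the example.

```python
"""Credential-stuffing detection and per-source throttling over login logs (added example).

Two controls are shown:
  * SlidingWindowLimiter: caps attempts per source address in a time window,
    so an automated script is slowed before any classifier fires.
  * detect_stuffing: flags a source that touches many distinct accounts within
    a window and has a low success ratio, the signature of credential
    stuffing rather than a user mistyping their own password.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class LoginEvent:
    ts: float        # seconds since an arbitrary epoch
    src_ip: str
    account: str
    success: bool


# Constructed sample log in a "ts src_ip account result" format (not real data):
# 203.0.113.7 walks a leaked list across eight accounts and hits one reused
# password; 198.51.100.23 is one user who fumbles their own password twice.
SAMPLE_LOG = """\
# ts      src_ip         account             result
1000.0  203.0.113.7    alice@example.test  FAIL
1001.2  203.0.113.7    bob@example.test    FAIL
1002.1  203.0.113.7    carol@example.test  FAIL
1003.4  203.0.113.7    dave@example.test   OK
1004.0  203.0.113.7    erin@example.test   FAIL
1005.5  203.0.113.7    frank@example.test  FAIL
1006.3  203.0.113.7    grace@example.test  FAIL
1007.9  203.0.113.7    heidi@example.test  FAIL
1000.5  198.51.100.23  ivan@example.test   FAIL
1012.0  198.51.100.23  ivan@example.test   FAIL
1020.7  198.51.100.23  ivan@example.test   OK
"""


def parse_log(text: str):
    """Parse the whitespace-separated log format above; '#' lines are comments."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, ip, account, result = line.split()
        events.append(LoginEvent(float(ts), ip, account, result == "OK"))
    return events


class SlidingWindowLimiter:
    """Allow at most max_attempts per key within any window_seconds span."""

    def __init__(self, max_attempts: int, window_seconds: float):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._hits = defaultdict(deque)   # key -> timestamps of allowed attempts

    def allow(self, key: str, ts: float) -> bool:
        q = self._hits[key]
        while q and ts - q[0] >= self.window:   # drop attempts that aged out
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(ts)
        return True


def apply_limiter(events, max_attempts=5, window_seconds=60.0):
    """Replay events in time order; return {src_ip: attempts the limiter rejected}."""
    limiter = SlidingWindowLimiter(max_attempts, window_seconds)
    rejected = defaultdict(int)
    for e in sorted(events, key=lambda e: e.ts):
        if not limiter.allow(e.src_ip, e.ts):
            rejected[e.src_ip] += 1
    return dict(rejected)


def detect_stuffing(events, window_seconds=60.0, min_distinct=5, max_success_ratio=0.2):
    """Return {src_ip: summary} for sources whose behaviour matches credential stuffing."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        peak, j = 0, 0
        for i in range(len(evs)):            # widest distinct-account fan-out in any window
            while j < len(evs) and evs[j].ts - evs[i].ts < window_seconds:
                j += 1
            peak = max(peak, len({e.account for e in evs[i:j]}))
        successes = sum(e.success for e in evs)
        ratio = successes / len(evs)
        if peak >= min_distinct and ratio <= max_success_ratio:
            flagged[ip] = {"attempts": len(evs), "peak_distinct_accounts": peak,
                           "successes": successes, "success_ratio": round(ratio, 3)}
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("rejected by limiter:", apply_limiter(evs))
    print("flagged sources:", detect_stuffing(evs))
```

The two controls complement each other: the limiter caps how fast any one source can validate credentials at all (the ceiling on any “resets per minute” figure), while the fan-out check catches the slower, distributed version where each source stays under the rate cap but still only ever probes accounts that are not its own. The one successful login from the flagged source is the password-reuse victim the article describes; in practice that account is the one to step up to MFA or force a reset on, rather than treating the single success as a legitimate session.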

As Kerem Albayrak concludes his first full disclosure, the industry is left to ponder the complexity of the hacker’s journey. From a 22-year-old seeking fame via a $100,000 gift card demand to a 2026 cybersecurity professional, his story is an essential thread in the tapestry of modern digital history.


Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.