Russian police have arrested two alleged hackers they say extorted money from users of Apple devices by locking them and demanding payment to free them up again.
The suspects, one a teenager and the other in his early 20s, could be jailed for two years if tried and convicted in a relatively rare cybersecurity case in which the arrests have been announced by Russian authorities.
The suspects, residents of Moscow, were arrested by the Interior Ministry's cybercrime department — Directorate K — and have given self-incriminating evidence, according to a ministry statement issued on Monday.
The ministry did not say how many Apple users were affected or whether there were victims outside Russia. Australia users recently complained of similar attacks.
It said the suspects exploited Apple's Find My iPhone app, which allows users to find and lock devices they believe to be lost or stolen, to extort money from victims using two methods.
"The first involved gaining access to the victim's Apple ID by means of the creation of phishing pages, (gaining) unauthorized access to e-mail or using methods of social engineering," it said.
"The second scheme was aimed at attaching other people's devices to a prearranged account" by offering Apple IDs with media content for lease on the Internet, which enabled the suspects to gain control of the devices, the statement said.
Apple said that its own services had not been hacked and users who got notices their phones were locked could regain control by entering passwords and changing their Apple identification. Users without passwords could get help in Apple stores.
Apple cautioned users against using the same password on multiple sites, since breaches on one site could prompt criminals to try the same passwords elsewhere.
Cybersecurity experts and Western law enforcement agencies have raised questions about Russia's commitment to fighting hackers, some accused of attacks on Western government and business computers, on its own soil.
Though Russian authorities have made more arrests in recent years, officials in the U.S. and Britain continue to complain about lack of cooperation. Since Russia does not extradite anyone for offenses committed elsewhere as a matter of law, hackers must be suspected of breaking domestic Russian law before charges are filed.
Police launched a search for suspects in the past few months, when they began receiving reports of devices being hijacked by hackers demanding money, K Directorate said.
It said officers confiscated computer hardware, SIM cards, phones and how-to literature on hacking in searches of the suspects' apartments in southern Moscow.
Russian daily MK reported that the suspects were identified in part thanks to surveillance-camera footage showing them withdrawing cash from ATMs using bank cards linked to accounts into which they told victims to transfer money.
The Interior Ministry said one of the suspects had been convicted of a crime earlier. According to MK, he practiced a lower-tech form of extortion: stealing license plates from neighbors' cars and selling them back to their owners.