A convicted iPhone thief explains how a vulnerability in Apple’s software got him fast cash—and then a stint in a high-security prison
5 min
RUSH CITY, Minn.—Before the guards let you through the barbed-wire fences and steel doors at this Minnesota Correctional Facility, you have to leave your phone in a locker. Not a total inconvenience when you’re there to visit a prolific iPhone thief.
I wasn’t worried that Aaron Johnson would steal my iPhone, though. I came to find out how he’d steal it.
“I’m already serving time. I just feel like I should try to be on the other end of things and try to help people,” Johnson, 26 years old, told me in an interview we filmed inside the high-security prison where he’s expected to spend the next several years.
For the past year, my colleague Nicole Nguyen and I have investigated a nationwide spate of thefts, where thieves watch iPhone owners tap their passcodes, then steal their targets’ phones—and upend their financial and digital lives.
Johnson, along with a crew of others, operated in Minneapolis for at least a year during 2021 and 2022. In and around bars at night, he would befriend young people, slyly learn their passcodes and take their phones. Using that code, he’d lock victims out of their Apple accounts and loot thousands of dollars from their bank apps. Finally, he’d sell the phones themselves.
It was an elaborate, opportunistic scheme that exploited the Apple ecosystem and targeted trusting iPhone owners who figured a stolen phone was just a stolen phone.
Last week, Apple announced Stolen Device Protection, a feature that likely will protect against these passcode-assisted crimes.
Yet even when you install the software, due in iOS 17.3, there will be loopholes. The biggest loophole? Us. By hearing how Johnson did what he did, we can learn how to better secure the devices that hold so much of our lives.
Johnson isn’t a sophisticated cybercriminal. He said he got his start pickpocketing on the streets of Minneapolis. “I was homeless,” he said. “Started having kids and needed money. I couldn’t really find a job. So that’s just what I did.”
Soon he realised the phones he was nabbing could be worth a lot more—if only he had a way to get inside them. Johnson said no one taught him the passcode trick, he just stayed up late one night fiddling with a phone and figured out how to use the passcode to unlock a bounty of protected services.
“That passcode is the devil,” he said. “It could be God sometimes—or it could be the devil.”
According to the Minneapolis Police Department’s arrest warrant, Johnson and the other 11 members of the enterprise allegedly accumulated nearly $300,000. According to him, it was likely more.
“I had a rush for large amounts at a time,” he said. “I just got too carried away.”
In March, Johnson, who had prior robbery and theft convictions, pleaded guilty to racketeering and was sentenced to 94 months. He told the judge he was sorry for what he did.
Here’s how the nightly operation would go down, according to interviews with Johnson, law-enforcement officials and some of the victims:
Pinpoint the victim. Dimly lit and full of people, bars became his ideal location. College-age men became his ideal target. “They’re already drunk and don’t know what’s going on for real,” Johnson said. Women, he said, tended to be more guarded and alert to suspicious behaviour.
Get the passcode. Friendly and energetic, that’s how victims described Johnson. Some told me he approached them offering drugs. Others said Johnson would tell them he was a rapper and wanted to add them on Snapchat. After talking for a bit, they would hand over the phone to Johnson, thinking he’d just input his info and hand it right back.
“I say, ‘Hey, your phone is locked. What’s the passcode?’ They say, ‘2-3-4-5-6,’ or something. And then I just remember it,” Johnson described. Sometimes he would record people typing their passcodes.
Once the phone was in his hand, he’d leave with it or pass it to someone else in the crew.
Lock them out—fast. Within minutes of taking the iPhones, Johnson was in the Settings menu, changing the Apple ID password. He’d then use the new password to turn off Find My iPhone so victims couldn’t log in on some other phone or computer to remotely locate—and even erase—the stolen device.
Johnson was changing passwords fast—“faster than you could say supercalifragilisticexpialidocious,” he said. “You gotta beat the mice to the cheese.”
Take the money. Johnson said he would then enrol his face in Face ID because “when you got your face on there, you got the key to everything.” The biometric authentication gave Johnson quick access to passwords saved in iCloud Keychain.
Savings, checking, cryptocurrency apps—he was looking to transfer large sums of money out. And if he had trouble getting into those money apps, he’d look for extra information, such as Social Security numbers, in the Notes and Photos apps.
By the morning, he’d have the money transferred. That’s when he’d head to stores to buy stuff using Apple Pay. He’d also use the stolen Apple devices to buy more Apple devices, most often $1,200 iPad Pro models, to sell for cash.
Sell the phones. Finally, he’d erase the phone and sell it to Zhongshuang “Brandon” Su who, according to his arrest warrant, sold them overseas.
While Johnson did steal some Android phones, he went after iPhones because of their higher resale value. At bars, he’d scope out the scene—looking for iPhone Pro models with their telltale trio of cameras. He said Pro Max with a terabyte of storage could get him $900. Su also bought Johnson’s purchased iPads.
Su pleaded guilty to receiving stolen property and was sentenced to 120 days at an adult corrections facility in Hennepin County, Minn. Neither Su nor his lawyer responded to requests for comment.
On a good weekend, Johnson said, he was selling up to 30 iPhones and iPads to Su and making around $20,000—not including money he’d taken from victims’ bank apps, Apple Pay and more.
A week after my trip to Minnesota, Apple announced Stolen Device Protection. The security setting will likely foil most of Johnson’s tricks, but it won’t be turned on automatically.
If you don’t turn it on, you’re as vulnerable as ever. Switching it on adds a line of defence to your phone when away from familiar locations such as home or work.
To change the Apple ID password, a thief would need Face ID or Touch ID biometric scans—that is, your face or your finger. The passcode alone won’t work. And the process has a built-in hourlong delay, followed by another biometric scan. This same slow process is also required for adding a new Face ID and disabling Find my iPhone.
Some functions, such as accessing saved passwords in iCloud Keychain or erasing the iPhone, are available without the delay but still require Face ID or Touch ID.
A criminal might still be motivated to kidnap a person with lots of money, then slowly break through these layers of security. However, the protections will likely dissuade thieves who just want to grab phones and flee the scene.
So what loopholes remain? A thief who gets the passcode could still buy things with Apple Pay. And any app that isn’t protected by an additional password or PIN—like your email, Venmo, PayPal and more—is also vulnerable.
That’s why you should also:
The most obvious is Johnson’s advice: Watch your surroundings and don’t give your passcode out.
If this crime has taught us anything, it’s that a single device now contains access to our entire lives—our memories, our money and more. It’s on us to protect them.
—Nicole Nguyen contributed to this article.
Copyright 2020, Dow Jones & Company, Inc. All Rights Reserved Worldwide. LEARN MORE
What a quarter-million dollars gets you in the western capital.
Alexandre de Betak and his wife are focusing on their most personal project yet.
Multinationals like Starbucks and Marriott are taking a hard look at their Chinese operations—and tempering their outlooks.
4 min
For years, global companies showcased their Chinese operations as a source of robust growth. A burgeoning middle class, a stream of people moving to cities, and the creation of new services to cater to them—along with the promise of the further opening of the world’s second-largest economy—drew companies eager to tap into the action.
Then Covid hit, isolating China from much of the world. Chinese leader Xi Jinping tightened control of the economy, and U.S.-China relations hit a nadir. After decades of rapid growth, China’s economy is stuck in a rut, with increasing concerns about what will drive the next phase of its growth.
Though Chinese officials have acknowledged the sputtering economy, they have been reluctant to take more than incremental steps to reverse the trend. Making matters worse, government crackdowns on internet companies and measures to burst the country’s property bubble left households and businesses scarred.
Now, multinational companies are taking a hard look at their Chinese operations and tempering their outlooks. Marriott International narrowed its global revenue per available room growth rate to 3% to 4%, citing continued weakness in China and expectations that demand could weaken further in the third quarter. Paris-based Kering , home to brands Gucci and Saint Laurent, posted a 22% decline in sales in the Asia-Pacific region, excluding Japan, in the first half amid weaker demand in Greater China, which includes Hong Kong and Macau.
Pricing pressure and deflation were common themes in quarterly results. Starbucks , which helped build a coffee culture in China over the past 25 years, described it as one of its most notable international challenges as it posted a 14% decline in sales from that business. As Chinese consumers reconsidered whether to spend money on Starbucks lattes, competitors such as Luckin Coffee increased pressure on the Seattle company. Starbucks executives said in their quarterly earnings call that “unprecedented store expansion” by rivals and a price war hurt profits and caused “significant disruptions” to the operating environment.
Executive anxiety extends beyond consumer companies. Elevator maker Otis Worldwide saw new-equipment orders in China fall by double digits in the second quarter, forcing it to cut its outlook for growth out of Asia. CEO Judy Marks told analysts on a quarterly earnings call that prices in China were down roughly 10% year over year, and she doesn’t see the pricing pressure abating. The company is turning to productivity improvements and cost cutting to blunt the hit.
Add in the uncertainty created by deteriorating U.S.-China relations, and many investors are steering clear. The iShares MSCI China exchange-traded fund has lost half its value since March 2021. Recovery attempts have been short-lived. undefined undefined And now some of those concerns are creeping into the U.S. market. “A decade ago China exposure [for a global company] was a way to add revenue growth to our portfolio,” says Margaret Vitrano, co-manager of large-cap growth strategies at ClearBridge Investments in New York. Today, she notes, “we now want to manage the risk of the China exposure.”
Vitrano expects improvement in 2025, but cautions it will be slow. Uncertainty over who will win the U.S. presidential election and the prospect of higher tariffs pose additional risks for global companies.
For now, China is inching along at roughly 5% economic growth—down from a peak of 14% in 2007 and an average of about 8% in the 10 years before the pandemic. Chinese consumers hit by job losses and continued declines in property values are rethinking spending habits. Businesses worried about policy uncertainty are reluctant to invest and hire.
The trouble goes beyond frugal consumers. Xi is changing the economy’s growth model, relying less on the infrastructure and real estate market that fueled earlier growth. That means investing aggressively in manufacturing and exports as China looks to become more self-reliant and guard against geopolitical tensions.
The shift is hurting western multinationals, with deflationary forces amid burgeoning production capacity. “We have seen the investment community mark down expectations for these companies because they will have to change tack with lower-cost products and services,” says Joseph Quinlan, head of market strategy for the chief investment office at Merrill and Bank of America Private Bank.
Another challenge for multinationals outside of China is stiffened competition as Chinese companies innovate and expand—often with the backing of the government. Local rivals are upping the ante across sectors by building on their knowledge of local consumer preferences and the ability to produce higher-quality products.
Some global multinationals are having a hard time keeping up with homegrown innovation. Auto makers including General Motors have seen sales tumble and struggled to turn profitable as Chinese car shoppers increasingly opt for electric vehicles from BYD or NIO that are similar in price to internal-combustion-engine cars from foreign auto makers.
“China’s electric-vehicle makers have by leaps and bounds surpassed the capabilities of foreign brands who have a tie to the profit pool of internal combustible engines that they don’t want to disrupt,” says Christine Phillpotts, a fund manager for Ariel Investments’ emerging markets strategies.
Chinese companies are often faster than global rivals to market with new products or tweaks. “The cycle can be half of what it is for a global multinational with subsidiaries that need to check with headquarters, do an analysis, and then refresh,” Phillpotts says.
For many companies and investors, next year remains a question mark. Ashland CEO Guillermo Novo said in an August call with analysts that the chemical company was seeing a “big change” in China, with activity slowing and competition on pricing becoming more aggressive. The company, he said, was still trying to grasp the repercussions as it has created uncertainty in its 2025 outlook.
Few companies are giving up. Executives at big global consumer and retail companies show no signs of reducing investment, with most still describing China as a long-term growth market, says Dana Telsey, CEO of Telsey Advisory Group.
Starbucks executives described the long-term opportunity as “significant,” with higher growth and margin opportunities in the future as China’s population continues to move from rural to suburban areas. But they also noted that their approach is evolving and they are in the early stages of exploring strategic partnerships.
Walmart sold its stake in August in Chinese e-commerce giant JD.com for $3.6 billion after an eight-year noncompete agreement expired. Analysts expect it to pump the money into its own Sam’s Club and Walmart China operation, which have benefited from the trend toward trading down in China.
“The story isn’t over for the global companies,” Phillpotts says. “It just means the effort and investment will be greater to compete.”
Corrections & Amplifications
Joseph Quinlan is head of market strategy for the chief investment office at Merrill and Bank of America Private Bank. An earlier version of this article incorrectly used his old title.
