A convicted iPhone thief explains how a vulnerability in Apple’s software got him fast cash—and then a stint in a high-security prison
5 min
RUSH CITY, Minn.—Before the guards let you through the barbed-wire fences and steel doors at this Minnesota Correctional Facility, you have to leave your phone in a locker. Not a total inconvenience when you’re there to visit a prolific iPhone thief.
I wasn’t worried that Aaron Johnson would steal my iPhone, though. I came to find out how he’d steal it.
“I’m already serving time. I just feel like I should try to be on the other end of things and try to help people,” Johnson, 26 years old, told me in an interview we filmed inside the high-security prison where he’s expected to spend the next several years.
For the past year, my colleague Nicole Nguyen and I have investigated a nationwide spate of thefts, where thieves watch iPhone owners tap their passcodes, then steal their targets’ phones—and upend their financial and digital lives.
Johnson, along with a crew of others, operated in Minneapolis for at least a year during 2021 and 2022. In and around bars at night, he would befriend young people, slyly learn their passcodes and take their phones. Using that code, he’d lock victims out of their Apple accounts and loot thousands of dollars from their bank apps. Finally, he’d sell the phones themselves.
It was an elaborate, opportunistic scheme that exploited the Apple ecosystem and targeted trusting iPhone owners who figured a stolen phone was just a stolen phone.
Last week, Apple announced Stolen Device Protection, a feature that likely will protect against these passcode-assisted crimes.
Yet even when you install the software, due in iOS 17.3, there will be loopholes. The biggest loophole? Us. By hearing how Johnson did what he did, we can learn how to better secure the devices that hold so much of our lives.
Johnson isn’t a sophisticated cybercriminal. He said he got his start pickpocketing on the streets of Minneapolis. “I was homeless,” he said. “Started having kids and needed money. I couldn’t really find a job. So that’s just what I did.”
Soon he realised the phones he was nabbing could be worth a lot more—if only he had a way to get inside them. Johnson said no one taught him the passcode trick, he just stayed up late one night fiddling with a phone and figured out how to use the passcode to unlock a bounty of protected services.
“That passcode is the devil,” he said. “It could be God sometimes—or it could be the devil.”
According to the Minneapolis Police Department’s arrest warrant, Johnson and the other 11 members of the enterprise allegedly accumulated nearly $300,000. According to him, it was likely more.
“I had a rush for large amounts at a time,” he said. “I just got too carried away.”
In March, Johnson, who had prior robbery and theft convictions, pleaded guilty to racketeering and was sentenced to 94 months. He told the judge he was sorry for what he did.
Here’s how the nightly operation would go down, according to interviews with Johnson, law-enforcement officials and some of the victims:
Pinpoint the victim. Dimly lit and full of people, bars became his ideal location. College-age men became his ideal target. “They’re already drunk and don’t know what’s going on for real,” Johnson said. Women, he said, tended to be more guarded and alert to suspicious behaviour.
Get the passcode. Friendly and energetic, that’s how victims described Johnson. Some told me he approached them offering drugs. Others said Johnson would tell them he was a rapper and wanted to add them on Snapchat. After talking for a bit, they would hand over the phone to Johnson, thinking he’d just input his info and hand it right back.
“I say, ‘Hey, your phone is locked. What’s the passcode?’ They say, ‘2-3-4-5-6,’ or something. And then I just remember it,” Johnson described. Sometimes he would record people typing their passcodes.
Once the phone was in his hand, he’d leave with it or pass it to someone else in the crew.
Lock them out—fast. Within minutes of taking the iPhones, Johnson was in the Settings menu, changing the Apple ID password. He’d then use the new password to turn off Find My iPhone so victims couldn’t log in on some other phone or computer to remotely locate—and even erase—the stolen device.
Johnson was changing passwords fast—“faster than you could say supercalifragilisticexpialidocious,” he said. “You gotta beat the mice to the cheese.”
Take the money. Johnson said he would then enrol his face in Face ID because “when you got your face on there, you got the key to everything.” The biometric authentication gave Johnson quick access to passwords saved in iCloud Keychain.
Savings, checking, cryptocurrency apps—he was looking to transfer large sums of money out. And if he had trouble getting into those money apps, he’d look for extra information, such as Social Security numbers, in the Notes and Photos apps.
By the morning, he’d have the money transferred. That’s when he’d head to stores to buy stuff using Apple Pay. He’d also use the stolen Apple devices to buy more Apple devices, most often $1,200 iPad Pro models, to sell for cash.
Sell the phones. Finally, he’d erase the phone and sell it to Zhongshuang “Brandon” Su who, according to his arrest warrant, sold them overseas.
While Johnson did steal some Android phones, he went after iPhones because of their higher resale value. At bars, he’d scope out the scene—looking for iPhone Pro models with their telltale trio of cameras. He said Pro Max with a terabyte of storage could get him $900. Su also bought Johnson’s purchased iPads.
Su pleaded guilty to receiving stolen property and was sentenced to 120 days at an adult corrections facility in Hennepin County, Minn. Neither Su nor his lawyer responded to requests for comment.
On a good weekend, Johnson said, he was selling up to 30 iPhones and iPads to Su and making around $20,000—not including money he’d taken from victims’ bank apps, Apple Pay and more.
A week after my trip to Minnesota, Apple announced Stolen Device Protection. The security setting will likely foil most of Johnson’s tricks, but it won’t be turned on automatically.
If you don’t turn it on, you’re as vulnerable as ever. Switching it on adds a line of defence to your phone when away from familiar locations such as home or work.
To change the Apple ID password, a thief would need Face ID or Touch ID biometric scans—that is, your face or your finger. The passcode alone won’t work. And the process has a built-in hourlong delay, followed by another biometric scan. This same slow process is also required for adding a new Face ID and disabling Find my iPhone.
Some functions, such as accessing saved passwords in iCloud Keychain or erasing the iPhone, are available without the delay but still require Face ID or Touch ID.
A criminal might still be motivated to kidnap a person with lots of money, then slowly break through these layers of security. However, the protections will likely dissuade thieves who just want to grab phones and flee the scene.
So what loopholes remain? A thief who gets the passcode could still buy things with Apple Pay. And any app that isn’t protected by an additional password or PIN—like your email, Venmo, PayPal and more—is also vulnerable.
That’s why you should also:
The most obvious is Johnson’s advice: Watch your surroundings and don’t give your passcode out.
If this crime has taught us anything, it’s that a single device now contains access to our entire lives—our memories, our money and more. It’s on us to protect them.
—Nicole Nguyen contributed to this article.
Copyright 2020, Dow Jones & Company, Inc. All Rights Reserved Worldwide. LEARN MORE
Three completed developments bring a quieter, more thoughtful style of luxury living to Mosman, Neutral Bay and Crows Nest.
From the shacks of yesterday to the sculptural sanctuaries of today, Australia’s coastal architecture has matured into a global benchmark for design.
Selloff in bitcoin and other digital tokens hits crypto-treasury companies.
3 min
The hottest crypto trade has turned cold. Some investors are saying “told you so,” while others are doubling down.
It was the move to make for much of the year: Sell shares or borrow money, then plough the cash into bitcoin, ether and other cryptocurrencies. Investors bid up shares of these “crypto-treasury” companies, seeing them as a way to turbocharge wagers on the volatile crypto market.
Michael Saylor pioneered the move in 2020 when he transformed a tiny software company, then called MicroStrategy , into a bitcoin whale now known as Strategy. But with bitcoin and ether prices now tumbling, so are shares in Strategy and its copycats. Strategy was worth around $128 billion at its peak in July; it is now worth about $70 billion.
The selloff is hitting big-name investors, including Peter Thiel, the famed venture capitalist who has backed multiple crypto-treasury companies, as well as individuals who followed evangelists into these stocks.
Saylor, for his part, has remained characteristically bullish, taking to social media to declare that bitcoin is on sale. Sceptics have been anticipating the pullback, given that crypto treasuries often trade at a premium to the underlying value of the tokens they hold.
“The whole concept makes no sense to me. You are just paying $2 for a one-dollar bill,” said Brent Donnelly, president of Spectra Markets. “Eventually those premiums will compress.”
When they first appeared, crypto-treasury companies also gave institutional investors who previously couldn’t easily access crypto a way to invest. Crypto exchange-traded funds that became available over the past two years now offer the same solution.
BitMine Immersion Technologies , a big ether-treasury company backed by Thiel and run by veteran Wall Street strategist Tom Lee , is down more than 30% over the past month.
ETHZilla , which transformed itself from a biotech company to an ether treasury and counts Thiel as an investor, is down 23% in a month.
Crypto prices rallied for much of the year, driven by the crypto-friendly Trump administration. The frenzy around crypto treasuries further boosted token prices. But the bullish run abruptly ended on Oct. 10, when President Trump’s surprise tariff announcement against China triggered a selloff.
A record-long government shutdown and uncertainty surrounding Federal Reserve monetary policy also have weighed on prices.
Bitcoin prices have fallen 15% in the past month. Strategy is off 26% over that same period, while Matthew Tuttle’s related ETF—MSTU—which aims for a return that is twice that of Strategy, has fallen 50%.
“Digital asset treasury companies are basically leveraged crypto assets, so when crypto falls, they will fall more,” Tuttle said. “Bitcoin has shown that it’s not going anywhere and that you get rewarded for buying the dips.”
At least one big-name investor is adjusting his portfolio after the tumble of these shares. Jim Chanos , who closed his hedge funds in 2023 but still trades his own money and advises clients, had been shorting Strategy and buying bitcoin, arguing that it made little sense for investors to pay up for Saylor’s company when they can buy bitcoin on their own. On Friday, he told clients it was time to unwind that trade.
Crypto-treasury stocks remain overpriced, he said in an interview on Sunday, partly because their shares retain a higher value than the crypto these companies hold, but the levels are no longer exorbitant. “The thesis has largely played out,” he wrote to clients.
Many of the companies that raised cash to buy cryptocurrencies are unlikely to face short-term crises as long as their crypto holdings retain value. Some have raised so much money that they are still sitting on a lot of cash they can use to buy crypto at lower prices or even acquire rivals.
But companies facing losses will find it challenging to sell new shares to buy more cryptocurrencies, analysts say, potentially putting pressure on crypto prices while raising questions about the business models of these companies.
“A lot of them are stuck,” said Matt Cole, the chief executive officer of Strive, a bitcoin-treasury company. Strive raised money earlier this year to buy bitcoin at an average price more than 10% above its current level.
Strive’s shares have tumbled 28% in the past month. He said Strive is well-positioned to “ride out the volatility” because it recently raised money with preferred shares instead of debt.
Cole Grinde, a 29-year-old investor in Seattle, purchased about $100,000 worth of BitMine at about $45 a share when it started stockpiling ether earlier this year. He has lost about $10,000 on the investment so far.
Nonetheless, Grinde, a beverage-industry salesman, says he’s increasing his stake. He sells BitMine options to help offset losses. He attributes his conviction in the company to the growing popularity of the Ethereum blockchain—the network that issues the ether token—and Lee’s influence.
“I think his network and his pizzazz have helped the stock skyrocket since he took over,” he said of Lee, who spent 15 years at JPMorgan Chase, is a managing partner at Fundstrat Global Advisors and a frequent business-television commentator.
