He Stole Hundreds of iPhones and Looted People’s Life Savings. He Told Us How. - Kanebridge News
Share Button

He Stole Hundreds of iPhones and Looted People’s Life Savings. He Told Us How.

A convicted iPhone thief explains how a vulnerability in Apple’s software got him fast cash—and then a stint in a high-security prison

By JOANNA STERN
Thu, Dec 21, 2023 8:43amGrey Clock 5 min

RUSH CITY, Minn.—Before the guards let you through the barbed-wire fences and steel doors at this Minnesota Correctional Facility, you have to leave your phone in a locker. Not a total inconvenience when you’re there to visit a prolific iPhone thief.

I wasn’t worried that Aaron Johnson would steal my iPhone, though. I came to find out how he’d steal it.

“I’m already serving time. I just feel like I should try to be on the other end of things and try to help people,” Johnson, 26 years old, told me in an interview we filmed inside the high-security prison where he’s expected to spend the next several years.

For the past year, my colleague Nicole Nguyen and I have investigated a nationwide spate of thefts, where thieves watch iPhone owners tap their passcodes, then steal their targets’ phones—and upend their financial and digital lives.

Johnson, along with a crew of others, operated in Minneapolis for at least a year during 2021 and 2022. In and around bars at night, he would befriend young people, slyly learn their passcodes and take their phones. Using that code, he’d lock victims out of their Apple accounts and loot thousands of dollars from their bank apps. Finally, he’d sell the phones themselves.

It was an elaborate, opportunistic scheme that exploited the Apple ecosystem and targeted trusting iPhone owners who figured a stolen phone was just a stolen phone.

Last week, Apple announced Stolen Device Protection, a feature that likely will protect against these passcode-assisted crimes.

Yet even when you install the software, due in iOS 17.3, there will be loopholes. The biggest loophole? Us. By hearing how Johnson did what he did, we can learn how to better secure the devices that hold so much of our lives.

How he got started

Johnson isn’t a sophisticated cybercriminal. He said he got his start pickpocketing on the streets of Minneapolis. “I was homeless,” he said. “Started having kids and needed money. I couldn’t really find a job. So that’s just what I did.”

Soon he realised the phones he was nabbing could be worth a lot more—if only he had a way to get inside them. Johnson said no one taught him the passcode trick, he just stayed up late one night fiddling with a phone and figured out how to use the passcode to unlock a bounty of protected services.

“That passcode is the devil,” he said. “It could be God sometimes—or it could be the devil.”

According to the Minneapolis Police Department’s arrest warrant, Johnson and the other 11 members of the enterprise allegedly accumulated nearly $300,000. According to him, it was likely more.

“I had a rush for large amounts at a time,” he said. “I just got too carried away.”

In March, Johnson, who had prior robbery and theft convictions, pleaded guilty to racketeering and was sentenced to 94 months. He told the judge he was sorry for what he did.

How he did it

Here’s how the nightly operation would go down, according to interviews with Johnson, law-enforcement officials and some of the victims:

Pinpoint the victim. Dimly lit and full of people, bars became his ideal location. College-age men became his ideal target. “They’re already drunk and don’t know what’s going on for real,” Johnson said. Women, he said, tended to be more guarded and alert to suspicious behaviour.

Get the passcode. Friendly and energetic, that’s how victims described Johnson. Some told me he approached them offering drugs. Others said Johnson would tell them he was a rapper and wanted to add them on Snapchat. After talking for a bit, they would hand over the phone to Johnson, thinking he’d just input his info and hand it right back.

“I say, ‘Hey, your phone is locked. What’s the passcode?’ They say, ‘2-3-4-5-6,’ or something. And then I just remember it,” Johnson described. Sometimes he would record people typing their passcodes.

Once the phone was in his hand, he’d leave with it or pass it to someone else in the crew.

Lock them out—fast. Within minutes of taking the iPhones, Johnson was in the Settings menu, changing the Apple ID password. He’d then use the new password to turn off Find My iPhone so victims couldn’t log in on some other phone or computer to remotely locate—and even erase—the stolen device.

Johnson was changing passwords fast—“faster than you could say supercalifragilisticexpialidocious,” he said. “You gotta beat the mice to the cheese.”

Take the money. Johnson said he would then enrol his face in Face ID because “when you got your face on there, you got the key to everything.” The biometric authentication gave Johnson quick access to passwords saved in iCloud Keychain.

Savings, checking, cryptocurrency apps—he was looking to transfer large sums of money out. And if he had trouble getting into those money apps, he’d look for extra information, such as Social Security numbers, in the Notes and Photos apps.

By the morning, he’d have the money transferred. That’s when he’d head to stores to buy stuff using Apple Pay. He’d also use the stolen Apple devices to buy more Apple devices, most often $1,200 iPad Pro models, to sell for cash.

Sell the phones. Finally, he’d erase the phone and sell it to Zhongshuang “Brandon” Su who, according to his arrest warrant, sold them overseas.

While Johnson did steal some Android phones, he went after iPhones because of their higher resale value. At bars, he’d scope out the scene—looking for iPhone Pro models with their telltale trio of cameras. He said Pro Max with a terabyte of storage could get him $900. Su also bought Johnson’s purchased iPads.

Su pleaded guilty to receiving stolen property and was sentenced to 120 days at an adult corrections facility in Hennepin County, Minn. Neither Su nor his lawyer responded to requests for comment.

On a good weekend, Johnson said, he was selling up to 30 iPhones and iPads to Su and making around $20,000—not including money he’d taken from victims’ bank apps, Apple Pay and more.

How you can prevent it

A week after my trip to Minnesota, Apple announced Stolen Device Protection. The security setting will likely foil most of Johnson’s tricks, but it won’t be turned on automatically.

If you don’t turn it on, you’re as vulnerable as ever. Switching it on adds a line of defence to your phone when away from familiar locations such as home or work.

To change the Apple ID password, a thief would need Face ID or Touch ID biometric scans—that is, your face or your finger. The passcode alone won’t work. And the process has a built-in hourlong delay, followed by another biometric scan. This same slow process is also required for adding a new Face ID and disabling Find my iPhone.

Some functions, such as accessing saved passwords in iCloud Keychain or erasing the iPhone, are available without the delay but still require Face ID or Touch ID.

A criminal might still be motivated to kidnap a person with lots of money, then slowly break through these layers of security. However, the protections will likely dissuade thieves who just want to grab phones and flee the scene.

So what loopholes remain? A thief who gets the passcode could still buy things with Apple Pay. And any app that isn’t protected by an additional password or PIN—like your email, Venmo, PayPal and more—is also vulnerable.

That’s why you should also:

  • Add a distinct passcode to money apps, like Venmo and Cash App.
  • Delete any notes or photos that include personal information such as passwords or Social Security numbers. Store that stuff in a secure note inside a third-party password manager, such as Dashlane or 1Password.
  • Create a stronger iPhone passcode—one that uses letters and numbers.

The most obvious is Johnson’s advice: Watch your surroundings and don’t give your passcode out.

If this crime has taught us anything, it’s that a single device now contains access to our entire lives—our memories, our money and more. It’s on us to protect them.

Nicole Nguyen contributed to this article.



MOST POPULAR

What a quarter-million dollars gets you in the western capital.

Alexandre de Betak and his wife are focusing on their most personal project yet.

Related Stories
Money
To Find Winning Stocks, Investors Often Focus on the Laggards. They Shouldn’t.
By KEN SHREVE 12/06/2024
Money
Louis Vuitton Unveils Its Most Extravagant High-Jewellery Collection Ahead of Olympics
By LAURIE KAHLE 09/06/2024
Money
Sylvester Stallone Sells His Knockout Watch Collection, Including the Most Valuable Modern Timepiece Sold in Sotheby’s History
By ERIC GROSSMAN 08/06/2024

These stocks are getting hit for a reason. Instead, focus on stocks that show ‘relative strength.’ Here’s how.

By KEN SHREVE
Wed, Jun 12, 2024 4 min

A lot of investors get stock-picking wrong before they even get started: Instead of targeting the top-performing stocks in the market, they focus on the laggards—widely known companies that look as if they are on sale after a period of stock-price weakness.

But these weak performers usually are going down for good reasons, such as for deteriorating sales and earnings, market-share losses or mutual-fund managers who are unwinding positions.

Decades of Investor’s Business Daily research shows these aren’t the stocks that tend to become stock-market leaders. The stocks that reward investors with handsome gains for months or years are more often  already  the strongest price performers, usually because of outstanding earnings and sales growth and increasing fund ownership.

Of course, many investors already chase performance and pour money into winning stocks. So how can a discerning investor find the winning stocks that have more room to run?

Enter “relative strength”—the notion that strength begets more strength. Relative strength measures stocks’ recent performance relative to the overall market. Investing in stocks with high relative strength means going with the winners, rather than picking stocks in hopes of a rebound. Why bet on a last-place team when you can wager on the leader?

One of the easiest ways to identify the strongest price performers is with IBD’s Relative Strength Rating. Ranked on a scale of 1-99, a stock with an RS rating of 99 has outperformed 99% of all stocks based on 12-month price performance.

How to use the metric

To capitalise on relative strength, an investor’s search should be focused on stocks with RS ratings of at least 80.

But beware: While the goal is to buy stocks that are performing better than the overall market, stocks with the highest RS ratings aren’t  always  the best to buy. No doubt, some stocks extend rallies for years. But others will be too far into their price run-up and ready to start a longer-term price decline.

Thus, there is a limit to chasing performance. To avoid this pitfall, investors should focus on stocks that have strong relative strength but have seen a moderate price decline and are just coming out of weeks or months of trading within a limited range. This range will vary by stock, but IBD research shows that most good trading patterns can show declines of up to one-third.

Here, a relative strength line on a chart may be helpful for confirming an RS rating’s buy signal. Offered on some stock-charting tools, including IBD’s, the line is a way to visualise relative strength by comparing a stock’s price performance relative to the movement of the S&P 500 or other benchmark.

When the line is sloping upward, it means the stock is outperforming the benchmark. When it is sloping downward, the stock is lagging behind the benchmark. One reason the RS line is helpful is that the line can rise even when a stock price is falling, meaning its value is falling at a slower pace than the benchmark.

A case study

The value of relative strength could be seen in Google parent Alphabet in January 2020, when its RS rating was 89 before it started a 10-month run when the stock rose 64%. Meta Platforms ’ RS rating was 96 before the Facebook parent hit new highs in March 2023 and ran up 65% in four months. Abercrombie & Fitch , one of 2023’s best-performing stocks, had a 94 rating before it soared 342% in nine months starting in June 2023.

Those stocks weren’t flukes. In a study of the biggest stock-market winners from the early 1950s through 2008, the average RS rating of the best performers before they began their major price runs was 87.

To see relative strength in action, consider Nvidia . The chip stock was an established leader, having shot up 365% from its October 2022 low to its high of $504.48 in late August 2023.

But then it spent the next four months rangebound—giving up some ground, then gaining some back. Through this period, shares held between $392.30 and the August peak, declining no more than 22% from top to bottom.

On Jan. 8, Nvidia broke out of its trading range to new highs. The previous session, Nvidia’s RS rating was 97. And that week, the stock’s relative strength line hit new highs. The catalyst: Investors cheered the company’s update on its latest advancements in artificial intelligence.

Nvidia then rose 16% on Feb. 22 after the company said earnings for the January-ended quarter soared 486% year over year to $5.16 a share. Revenue more than tripled to $22.1 billion. It also significantly raised its earnings and revenue guidance for the quarter that was to end in April. In all, Nvidia climbed 89% from Jan. 5 to its March 7 close.

And the stock has continued to run up, surging past $1,000 a share in late May after the company exceeded that guidance for the April-ended quarter and delivered record revenue of $26 billion and record net profit of $14.88 billion.

Ken Shreve  is a senior markets writer at Investor’s Business Daily. Follow him on X  @IBD_KShreve  for more stock-market analysis and insights, or contact him at  ken.shreve@investors.com .