A convicted iPhone thief explains how a vulnerability in Apple’s software got him fast cash—and then a stint in a high-security prison
5 min
RUSH CITY, Minn.—Before the guards let you through the barbed-wire fences and steel doors at this Minnesota Correctional Facility, you have to leave your phone in a locker. Not a total inconvenience when you’re there to visit a prolific iPhone thief.
I wasn’t worried that Aaron Johnson would steal my iPhone, though. I came to find out how he’d steal it.
“I’m already serving time. I just feel like I should try to be on the other end of things and try to help people,” Johnson, 26 years old, told me in an interview we filmed inside the high-security prison where he’s expected to spend the next several years.
For the past year, my colleague Nicole Nguyen and I have investigated a nationwide spate of thefts, where thieves watch iPhone owners tap their passcodes, then steal their targets’ phones—and upend their financial and digital lives.
Johnson, along with a crew of others, operated in Minneapolis for at least a year during 2021 and 2022. In and around bars at night, he would befriend young people, slyly learn their passcodes and take their phones. Using that code, he’d lock victims out of their Apple accounts and loot thousands of dollars from their bank apps. Finally, he’d sell the phones themselves.
It was an elaborate, opportunistic scheme that exploited the Apple ecosystem and targeted trusting iPhone owners who figured a stolen phone was just a stolen phone.
Last week, Apple announced Stolen Device Protection, a feature that likely will protect against these passcode-assisted crimes.
Yet even when you install the software, due in iOS 17.3, there will be loopholes. The biggest loophole? Us. By hearing how Johnson did what he did, we can learn how to better secure the devices that hold so much of our lives.
Johnson isn’t a sophisticated cybercriminal. He said he got his start pickpocketing on the streets of Minneapolis. “I was homeless,” he said. “Started having kids and needed money. I couldn’t really find a job. So that’s just what I did.”
Soon he realised the phones he was nabbing could be worth a lot more—if only he had a way to get inside them. Johnson said no one taught him the passcode trick, he just stayed up late one night fiddling with a phone and figured out how to use the passcode to unlock a bounty of protected services.
“That passcode is the devil,” he said. “It could be God sometimes—or it could be the devil.”
According to the Minneapolis Police Department’s arrest warrant, Johnson and the other 11 members of the enterprise allegedly accumulated nearly $300,000. According to him, it was likely more.
“I had a rush for large amounts at a time,” he said. “I just got too carried away.”
In March, Johnson, who had prior robbery and theft convictions, pleaded guilty to racketeering and was sentenced to 94 months. He told the judge he was sorry for what he did.
Here’s how the nightly operation would go down, according to interviews with Johnson, law-enforcement officials and some of the victims:
Pinpoint the victim. Dimly lit and full of people, bars became his ideal location. College-age men became his ideal target. “They’re already drunk and don’t know what’s going on for real,” Johnson said. Women, he said, tended to be more guarded and alert to suspicious behaviour.
Get the passcode. Friendly and energetic, that’s how victims described Johnson. Some told me he approached them offering drugs. Others said Johnson would tell them he was a rapper and wanted to add them on Snapchat. After talking for a bit, they would hand over the phone to Johnson, thinking he’d just input his info and hand it right back.
“I say, ‘Hey, your phone is locked. What’s the passcode?’ They say, ‘2-3-4-5-6,’ or something. And then I just remember it,” Johnson described. Sometimes he would record people typing their passcodes.
Once the phone was in his hand, he’d leave with it or pass it to someone else in the crew.
Lock them out—fast. Within minutes of taking the iPhones, Johnson was in the Settings menu, changing the Apple ID password. He’d then use the new password to turn off Find My iPhone so victims couldn’t log in on some other phone or computer to remotely locate—and even erase—the stolen device.
Johnson was changing passwords fast—“faster than you could say supercalifragilisticexpialidocious,” he said. “You gotta beat the mice to the cheese.”
Take the money. Johnson said he would then enrol his face in Face ID because “when you got your face on there, you got the key to everything.” The biometric authentication gave Johnson quick access to passwords saved in iCloud Keychain.
Savings, checking, cryptocurrency apps—he was looking to transfer large sums of money out. And if he had trouble getting into those money apps, he’d look for extra information, such as Social Security numbers, in the Notes and Photos apps.
By the morning, he’d have the money transferred. That’s when he’d head to stores to buy stuff using Apple Pay. He’d also use the stolen Apple devices to buy more Apple devices, most often $1,200 iPad Pro models, to sell for cash.
Sell the phones. Finally, he’d erase the phone and sell it to Zhongshuang “Brandon” Su who, according to his arrest warrant, sold them overseas.
While Johnson did steal some Android phones, he went after iPhones because of their higher resale value. At bars, he’d scope out the scene—looking for iPhone Pro models with their telltale trio of cameras. He said Pro Max with a terabyte of storage could get him $900. Su also bought Johnson’s purchased iPads.
Su pleaded guilty to receiving stolen property and was sentenced to 120 days at an adult corrections facility in Hennepin County, Minn. Neither Su nor his lawyer responded to requests for comment.
On a good weekend, Johnson said, he was selling up to 30 iPhones and iPads to Su and making around $20,000—not including money he’d taken from victims’ bank apps, Apple Pay and more.
A week after my trip to Minnesota, Apple announced Stolen Device Protection. The security setting will likely foil most of Johnson’s tricks, but it won’t be turned on automatically.
If you don’t turn it on, you’re as vulnerable as ever. Switching it on adds a line of defence to your phone when away from familiar locations such as home or work.
To change the Apple ID password, a thief would need Face ID or Touch ID biometric scans—that is, your face or your finger. The passcode alone won’t work. And the process has a built-in hourlong delay, followed by another biometric scan. This same slow process is also required for adding a new Face ID and disabling Find my iPhone.
Some functions, such as accessing saved passwords in iCloud Keychain or erasing the iPhone, are available without the delay but still require Face ID or Touch ID.
A criminal might still be motivated to kidnap a person with lots of money, then slowly break through these layers of security. However, the protections will likely dissuade thieves who just want to grab phones and flee the scene.
So what loopholes remain? A thief who gets the passcode could still buy things with Apple Pay. And any app that isn’t protected by an additional password or PIN—like your email, Venmo, PayPal and more—is also vulnerable.
That’s why you should also:
The most obvious is Johnson’s advice: Watch your surroundings and don’t give your passcode out.
If this crime has taught us anything, it’s that a single device now contains access to our entire lives—our memories, our money and more. It’s on us to protect them.
—Nicole Nguyen contributed to this article.
Copyright 2020, Dow Jones & Company, Inc. All Rights Reserved Worldwide. LEARN MORE
Hoping to recreate a freewheeling world tour from their youth, two retirees set themselves a ‘no itinerary’ challenge: Can they improvise their way across seven countries?
PSB Academy currently hosts over 20,000 students each year and offers certification, diploma and degree courses.
The U.S. now has more billionaires than China for the first time in a decade, driven by AI and a booming stock market.
3 min
The number of U.S. billionaires in the world reached 870 in mid-January, outpacing the number in China for the first time in 10 years, according to a snapshot of the wealthiest in the world by the Hurun Report.
The U.S. gained 70 billionaires since last year, powered by a rising stock market, a strong dollar, and the insatiable appetite for all things AI, according to the 14th annual Hurun Global Rich List . China gained nine billionaires overall for a total of 823. Hurun is a China-based research, media, and investment group.
“It’s been a good year for AI, money managers, entertainment, and crypto,” Rupert Hoogewerf, chairman and chief researcher of the Hurun Report, said in a news release. “It’s been a tough year for luxury, telecommunications, and real estate in China.”
Overall, the Hurun list—which reflects a snapshot of global wealth based on calculations made Jan. 15—counted 3,442 billionaires in the world, up 5%, or 163, from a year ago. Their total wealth rose 13% to just under $17 trillion.
In November, New York research firm Altrata reported that the billionaire population rose 4% in 2023 to 3,323 individuals and their wealth rose 9% to $12.1 trillion.
Elon Musk, CEO of electric-car maker Tesla and right-hand advisor to President Donald Trump, topped the list for the fourth time in five years, with recorded wealth of $420 billion as of mid-January as Tesla stock soared in the aftermath of the U.S. election, according to Hurun’s calculations.
The firm noted that Musk’s wealth has since nosedived about $100 billion, falling along with shares of Tesla although the EV car maker is benefiting on Thursday from Trump’s 25% tariff on cars made outside the U.S.
According to the Bloomberg Billionaires Index, Musk’s wealth stood at about $336 billion as of the market’s close on Wednesday, although measuring his exact wealth —including stakes in his privately held companies and the undiscounted value of his Tesla shares—is difficult to precisely determine.
The overall list this year contained 387 new billionaires, while 177 dropped off the list—more than 80 of which were from China, Hurun said. “China’s economy is continuing to restructure, with the drop-offs coming from a weeding out of healthcare and new energy and traditional manufacturing, as well as real estate,” Hoogewerf said in the release.
Among those who wealth sank was Colin Huang, the founder of PDD Holdings —the parent company of e-commerce platforms Temu and Pinduoduo—who lost $17 billion.
Also, Zhong Shanshan, the founder and chair of the Nongfu Spring beverage company and the majority owner of Beijing Wantai Biological Pharmacy Enterprise , lost $8 billion from “intensifying competition” in the market for bottled water. The loss knocked Zhong from his top rank in China, which is now held by Zhang Yiming founder of Tik-Tok owner Bytedance. Zhang is ranked No. 22 overall.
Hurun’s top 10 billionaires is a familiar group of largely U.S. individuals including Jeff Bezos, Mark Zuckerberg, and Larry Ellison. The list has France’s LVMH CEO Bernard Arnault in seventh place, three notches down from his fourth ranked spot on the Bloomberg list, reflecting a slump in luxury products last year.
Nvidia CEO Jensen Huang is ranked No. 11 on Hurun’s list as his wealth nearly tripled to $128 billion through Jan. 15. Other AI billionaires found lower down on the list include Liang Wenfeng, 40, founder and CEO of DeepSeek, with wealth of $4.5 billion and Sam Altman, CEO of OpenAI, with $1.8 billion.
Also making the list were musicians Jay-Z ($2.7 billion), Rihanna ($1.7 billion), Taylor Swift ($1.6 billion), and Paul McCartney ($1 billion). Sports stars included Michael Jordan ($3.3 billion), Tiger Woods ($1.7 billion), Floyd Mayweather ($1.3 billion), and LeBron James ($1.3 billion).
Wealth continues to surge across the globe, but Hoogewerf noted those amassing it aren’t overly generous.
“We only managed to find three individuals in the past year who donated more than $1 billion,” he said. Warren Buffet gave $5.3 billion, mainly to the Bill and Melinda Gates Foundation, while Michael Bloomberg —ranked No. 19 with wealth of $92 billion—gave $3.7 billion to various causes. Netflix founder Reed Hastings, ranked No. 474 with wealth of $6.2 billion, donated $1.1 billion.
