Security researcher allegedly used internal Apple tool to steal millions

By Julie Clover

The security researcher who reported the bugs to Apple was arrested in January for defrauding the company of millions of dollars, according to a report from 404 Media.

Researcher Noah Roskin-Frazee was accused, along with an accomplice, of obtaining more than $3 million in products and services through more than two dozen fraudulent orders. This includes approximately $2.5 million in gift cards and more than $100,000 in “products and services.”

Although Apple is not directly mentioned in court records, the unnamed “Company A” is based in Cupertino. the state of California, and it's clearly Apple. The court mentions that one of the criminals used gift cards to “purchase Final Cut Pro from Company A's App Store,” and Apple is the only company that sells the software.

In 2019, Frazee and an accomplice used a password reset tool to gain access to the account of an employee of an unnamed “Company B,” which handles Apple customer support. This account allowed access to additional employee credentials and gave Frazee access to Company B's VPN servers. From there, Frazee was able to infiltrate Apple systems by placing fraudulent orders for Apple products.

He used the Apple Toolbox program , which could be used to edit orders after they were placed, and changed the cost of orders. to zero, added products to orders and extended AppleCare contracts. He abused the Apple program from January to March 2019.

As part of the scheme, the defendants remotely connected to computers located in India and Costa Rica, the indictment says. The scam itself involved zeroing out the cash value of an order, adding products to existing orders at no cost, such as phones and laptops, and extending existing service contracts, the indictment adds. This included extending a customer service contract associated with one of the defendants and his family for an additional two years without payment.

In a January support document, Apple thanked Frazee for identifying several errors. on macOS Sonoma, and the document was published less than two weeks after his arrest. “We would like to thank Noah Roskin-Frazee and Professor J ( Lab) for their assistance,” Apple said on its page citing the Wi-Fi vulnerability.

Frazee charged with fraud wire fraud, mail fraud, conspiracy to commit wire fraud and mail fraud, conspiracy to commit computer fraud and abuse, and intentional damage to a protected computer. He will be required to return all stolen property and, if convicted, could be sentenced to more than 20 years in prison.


Leave a Reply