According to a report from 404 Media, a security researcher who had previously reported security issues to Apple was arrested in January for defrauding the company of millions of dollars.
The accused, Noah Roskin-Frazee, and an associate were charged with acquiring over $3 million in goods and services through more than 22 counts of fraud. This included approximately $2.5 million in gift cards and $100,000 worth of “goods and services.” Although Apple was not explicitly named in the lawsuits, the unnamed “Company A” is evidently Apple, given its location in Cupertino, California. The court documents revealed that one of the individuals used the illicitly obtained gift cards to “purchase Final Cut Pro on Company A’s App Store,” and Apple is the exclusive vendor of this software.
In 2019, Frazee and his colleague utilized a password-recovery tool to gain unauthorized access to an employee account at an undisclosed “Company B,” which provides customer support for Apple. This breach led to the discovery of additional sensitive information about the employees, and Frazee managed to locate Company B’s VPN servers. Subsequently, he infiltrated Apple’s systems and executed fraudulent commands for Apple products. He employed Apple’s “Toolbox” software, which is intended for modifying orders after they have been placed, to manipulate orders, add items, and include AppleCare contracts. These illicit activities were carried out over the course of three months, from January to March 2019.
The individuals implicated in the scheme were linked to computers in India and Costa Rica. The fraudulent activities involved altering the monetary value to zero, adding existing products such as mobile phones and laptops at no cost, and extending existing contracts. This included extending a client cooperation agreement with one of the defendants and his family by an additional two years without payment.
An interesting element of the case is that less than two weeks after the arrest, Apple publicly acknowledged Frazee for identifying several bugs in macOS Sonoma in a support document published on its website. The company expressed gratitude to Frazee and Prof. J. (ZeroClicks.ai Lab) for their assistance in identifying a Wi-Fi vulnerability. Despite this, Frazee is facing charges including wire theft, mail fraud, conspiracy to commit wire and mail fraud, conspiracy to commit computer fraud and harassment, and willful damage to a protected computer. If convicted, he could be required to forfeit all stolen property and might face a prison sentence of up to 20 years.