Summary

A security researcher known for reporting bugs to Apple has been apprehended on charges of defrauding the tech giant of millions of dollars. Noah Roskin-Frazee, along with a co-conspirator, allegedly obtained over $3 million in products and services through fraudulent means, including the acquisition of $2.5 million worth of gift cards. Apple, though not explicitly named, is referred to as “Company A” in the court records relating to the case.

The Scheme

Exploiting Loopholes and Accessing Apple’s Systems

During the course of this illicit operation, which took place between January and March 2019, Frazee and his accomplice employed various techniques to gain unauthorized access to Apple’s systems. In 2019, the researchers took advantage of a password reset tool, enabling access to an employee account belonging to “Company B” – a customer support services provider for Apple. This initial breach led to the acquisition of additional employee credentials, granting Frazee access to Company B’s VPN servers.

Fraudulent Orders and Abuse of Apple’s Programs

Once inside Apple’s systems, Frazee allegedly placed fraudulent orders for Apple products, exploiting the “Toolbox” program to manipulate orders after they were placed. Among his manipulations, Frazee changed order values to zero, added products to orders without cost, and extended AppleCare contracts. In collaboration with his co-conspirator, Frazee is said to have made over two dozen fraudulent orders, misappropriating gift cards and “products and services” valued at millions of dollars.

Remote Access and Indictment

According to the indictment, the defendants used remote access to computers located in India and Costa Rica to facilitate their scheme. This allowed them to alter order prices to zero, add items to existing orders without incurring expenses, and extend service contracts. In one instance, a customer service contract associated with one of the defendants and his family was extended by two years without payment.

Apple’s Acknowledgement

Surprisingly, during the height of his illegal activities, Apple publicly acknowledged Frazee’s contribution to their software by mentioning his name in a support document regarding vulnerabilities in macOS Sonoma. The document was released less than two weeks after Frazee’s arrest, expressing gratitude to him for identifying several bugs in the system. The acknowledgment also referenced Professor J. (ZeroClicks.ai Lab) for their assistance in identifying a Wi-Fi vulnerability.

Legal Consequences

Noah Roskin-Frazee has been charged with wire fraud, mail fraud, conspiracy to commit wire fraud and mail fraud, conspiracy to commit computer fraud and abuse, and intentional damage to a protected computer. In the event of a conviction, Frazee may face imprisonment for more than 20 years, in addition to forfeiting the stolen goods and profits.