Apple, one of the world's most influential tech giants, has unwittingly become the victim of a fraud scheme devised by a man from San Francisco, which cost the company more than US$2.5 million in gift cards and electronics. Despite his fraudulent actions, Apple saw fit to thank Noah Roskin-Frazee, a security researcher at ZeroClicks Lab, for his "help."
Roskin-Frazee and his accomplices manipulated Apple's internal order system and had products shipped for free by changing the price details of the orders. With unauthorized access to an Apple employee account, gained by exploiting a flaw in a password reset tool, he was able to manipulate the Toolbox system that Apple employees use to manage orders. By placing orders in a state where they were on hold but still editable, Roskin-Frazee changed their financial details so that the products cost nothing, essentially tricking Apple into shipping items for free.
Their large-scale scheme involved more than two dozen fake orders, aimed at stealing over US$3 million worth of products and services from Apple. They then sold these ill-gotten gains, including approximately US$2.5 million in gift cards and products, to unsuspecting third parties, all the while using false identities to cover their tracks.
The crime is believed to have started in December 2018 and continued until March 2019. However, Roskin-Frazee was not arrested until January 2024. He faces charges that include wire fraud, mail fraud and conspiracy to commit computer fraud, among others. Despite the seriousness of those charges, and two weeks after his arrest, Apple publicly acknowledged Roskin-Frazee in a Jan. 22 support document for identifying several bugs in macOS Sonoma, including an accessibility issue and a critical Wi-Fi vulnerability.
"We would like to acknowledge Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab) for their assistance," Apple wrote. The nature of Roskin-Frazee's "help" for Apple remains vague. However, according to 404 Media, he had reported security issues to the company in the past. Roskin-Frazee still faces serious charges, including wire fraud and conspiracy to commit computer fraud, which could send him to prison for more than 20 years if convicted.