A convicted thief has revealed how he would trick owners into giving him their iPhone passcode — and then how he could steal their life savings.
Following Apple's launch of Stolen Device Protection, thief Aaron Johnson has revealed how vulnerable iPhones are — and still can be. Now serving up to eight years in the Minnesota Correctional Facility, Johnson talked to the Wall Street Journal about what he did, and what iPhone owners can do to avoid theft.
"I'm already serving time. I just feel like I should try to be on the other end of things and try to help people," said Johnson, who also explained how he began stealing. "I was homeless. Started having kids and needed money."
"I couldn't really find a job," he continued. "So that's just what I did." He then moved into stealing iPhones — sometimes Android but usually higher-value iPhones — after realizing how far a passcode could let him into the phone.
"That passcode is the devil," he said. "It could be God sometimes — or it could be the devil."
In late-night bars, Johnson says he would typically target college-aged men, because women were more alert to suspicious behavior while the men were "already drunk and don't know what's going on for real."
He would talk with them, sometimes offering drugs, sometimes claiming to be a rapper who wanted to add them on Snapchat. The victim would hand over their iPhone, expecting Johnson to tap in his phone number and hand it right back.
"I say, 'Hey, your phone is locked. What's the passcode?'" explains Johnson. "They say, '2-3-4-5-6,' or something. And then I just remember it."
Johnson would then leave with the phone, or slip it to one of a series of co-conspirators, around 11 of whom were later arrested.
Having the iPhone and its passcode, Johnson would change the Apple ID password, and use the new one to disable Find My iPhone.
Until he did that, a victim could track and erase the iPhone, but Johnson says he was quick, "faster than you could say supercalifragilisticexpialidocious."
"You gotta beat the mice to the cheese," he explains.
Then, once he was safe from being found or having the phone erased, he would add his face to Face ID — and says that "when you got your face on there, you got the key to everything."
He would comb through the iPhone looking for notes or even photos that contained further password details, such as those for bank accounts. Then, overnight, he would drain those bank accounts, and finally he would go to stores to buy items using Apple Pay.
Profiting from stolen iPhones
This way Johnson could steal up to 30 iPhones on a weekend, and make $20,000 from buying goods and then selling the phones — all on top of whatever he could take from bank accounts.
"I had a rush for large amounts at a time," he said. "I just got too carried away."
The police report that Johnson and his colleagues stole $300,000. However, he says the figure was much higher, with him estimating between $1 million and $2 million in all.
All of this was done before Apple released its Stolen Device Protection, but that new feature has to be enabled — and it only adds an extra line of defense. Johnson's advice is "don't give your passcode out."
Johnson is far from the first to use passcodes to steal iPhones.
7 Comments
I’m trying this tonight
I have some paranoid friends who refuse to set up Face ID because they don’t want Apple having their face or some other such nonsense. I try to explain to them that using Face ID is a lot more secure than punching in their passcode in front of who knows how many people all the time.