This Respected Security Researcher Stole $2.5 Million From Apple

A well-respected security researcher has been indicted in a scheme that allowed him and his cohorts to steal millions of dollars of Apple gift cards, products, and services. The twist to the story is that just days after being indicted in the scheme, Apple thanked him in the notes for one of its operating system security releases!

The security researcher in question, Noah Roskin-Frazee, is affiliated with ZeroClicks.ai Lab. He has been praised by Apple for identifying software vulnerabilities that led to patches being developed for the flaws. However, the software vulnerabilities Roskin-Frazee was thanked for discovering had nothing to do with the security vulnerabilities he allegedly used to steal $2.5 million worth of Macs, iPhones, and gift cards.

As reported by 404Media, Roskin-Frazee discovered a vulnerability in
Toolbox, a backend system that Apple uses to place orders on hold. While on hold, those orders can still be edited.

Roskin-Frazee and his alleged co-conspirator, Keith Latteri, used a password reset tool, gaining access to an employee account of an outside contractor who aided Apple with customer support. Once they were able to access the employee’s credentials, they were able to access Apple’s systems, placing fraudulent orders for Apple devices and gift cards.

The pair began placing the fraudulent orders in December 2018, continuing until at least March 2019.

Once in the system, the pair would create and edit orders, adding products, including iPhones and Macs, and then changing the price of the products to zero. The larcenous duo would also order gift cards to be used in Apple retail stores or resold.

While the duo used false identities and drop shipping addresses for the delivery of the physical products, one of the pair took the opportunity to grab two-year extensions of existing AppleCare memberships for himself and family members.

While the indictment does not mention Apple by name, the description of “Company A” is obviously Apple. from the 404Media report:

Company A is headquartered in Cupertino, California, and “developed, manufactured, licensed, supported and sold computer software, consumer electronics, personal computers, and services,” the indictment reads. Later on, the document mentions one of the defendants using gift cards to “purchase FinalCut Pro on Company A’s app store.” FinalCut Pro is Apple’s video editing software, which costs $299.99. The only way to buy it online officially is via Apple’s App Store.   

Lawyers for both Latteri and Roskin-Frazee did not respond to a request for comment from 404Media.

As if that wasn’t enough, a bit less than two weeks after Roskin-Frazee was arrested, Apple thanked him on its website for finding security vulnerabilities in several recent operating system releases, including macOS 14.2 Sonoma, iOS/iPadOS 17.3, watchOS 10.3, and tvOS 17.3.

We would like to acknowledge Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab) for their assistance.

Roskin-Frazee has also been acknowledged in the past for helping to discover vulnerabilities in macOS Ventura 13.6.4 and macOS Monterey 12.7.3.

ZeroClicks.ai Lab is a security research company that listed Roskin-Frazee as one of two principals on its website, alongside “Professor J.” However, the site appears to be offline as of this writing.

“Bridging the gap between vulnerability and security, ZeroClicks is a research blog dedicated to the security community,” the website previously read. “We unveil new Zero Day findings and vulnerabilities, all discovered with the aid of AI. The concept of “Zero Clicks” embodies the dual nature of cybersecurity, representing both the threats we face and the solutions we seek.”

A Twitter account under Roskin-Frazee’s name also lists him as a “certified Apple technician.”