Hacked - Paperweights

Episode Date: May 1, 2022

The story of the wild amount of work it takes to turn a stolen phone back into money.

Transcript
Starting point is 00:00:00 So this family goes shopping at the mall. My wife and I and a kid were shopping. That's the dad, John. And it's getting a little bit late in the day, and their son is starting to get tired. Because it was kind of getting close to nap time. I had to get supper started and whatnot. And she kept shopping with my mom who was visiting.
Starting point is 00:00:21 And while he's at home, he gets this call. About 20 minutes later, she called me up from my mom's cell phone and said, hey, can you track my iPhone and, you know, I seem to lost it. I think my kid, you know, we kind of thought, oh, maybe our son took it out of her purse and dropped it on the floor or something like that. So he logs into her iCloud to see where it is, and her phone isn't reporting its location anymore. It's gone offline, it's been turned off in the last couple minutes, which makes him think.
Starting point is 00:00:53 Like, this isn't just a random, okay, lost my cell phone. It's somebody stole it. Here's a question. In a world where you can lock, encrypt, and blacklist a lost or stolen phone, where a lost phone, if properly reported, is basically an expensive paperweight. What is the point of stealing a phone? Who would buy it? Do you just sell it for parts, or is there something that I and John were missing?
Starting point is 00:01:23 John, which isn't his real name, works at a really well-known technology company. And when his wife's phone went missing at the mall, he started going down this rabbit hole of trying to answer that question. What does a phone thief even do with a wiped, registered as stolen, blacklisted phone? Until one night, his wife's new phone gets a text message. Something came crawling back out of the rabbit hole. This is where stolen phones go. Here on Hacked. Have you ever lost a phone?
Starting point is 00:02:18 No. I don't think I have. But I know many people that have, obviously. Yeah, sure. I've never lost one. I found a phone once, and I returned it to the person. Same. Same.
Starting point is 00:02:32 Yeah, as we all should. Good for us. Yeah, good. I know, yeah, high five. Pat on our back. Yeah, yeah, yeah. But I have always wondered. So, like, for about 10 years now in the West, I guess,
Starting point is 00:02:43 there's been really good infrastructure for blacklisting stolen or lost phones. And it probably, when you look at the timeline, it sort of roughly lines up with the transition from phones being phones to phones being personal computers that contain. Sure. Exactly. But it didn't used to be that way. We had to build this infrastructure. The first step to locking down stolen phones was developing like a blacklist
Starting point is 00:03:13 of stolen devices. Europe got one in 2004. Canada followed about nine years later with the CWTA in 2013. The US got one a little bit after that. And over time, a bunch of them have all sort of started talking to each other, like sharing this list of stolen phones, a list of IMEI numbers. Do you know what an IMEI number is, Scott? I sure do. It's essentially the unique ID code for your phone on the wireless network. Bingo. International mobile equipment identity. It's like a 15-digit fingerprint for when your phone connects to the carrier. When you report a phone stolen, what they do is they add that IMEI number to a blacklist
Starting point is 00:03:56 that's shared between all these different networks. So if anybody tries to use the phone anywhere in all of North America, that blacklist is going to prevent it from being activated on any wireless carrier until you remove it from the list, which only you the owner can do. You can technically change an IMEI, but it's difficult if, say, on like, an iPhone, you mark it as lost through iCloud, which remotely locks and encrypts the device, disables Apple Pay. It's very, very hard. The phone is, if I'm following all this correctly, to borrow John's phrase, it basically becomes a paperweight. So John's wife's phone goes missing at the mall. She calls up her husband, and John starts kind of poking around a little bit.
Starting point is 00:04:46 He posts on a local community Facebook page where they live, just saying, hey. If anybody finds a blue iPhone 12 in the mall, probably around this time, let me know, you know, it belongs to my spouse. And then a few minutes later, I started getting replies saying, oh, my phone's missing too. So I had about four or five people report, you know, just on that Facebook post saying that there, they had a phone stolen from them at the mall or, you know, neighboring stores that afternoon. And that's kind of, that's kind of what I thought, okay, man, what's going on? Like, this isn't just a random, okay, lost my cell phone.
Starting point is 00:05:33 It's somebody stole it. So John goes through those steps that we listed before, right? Turning the phone, he thinks, into a paperweight. You're bricking it. Bricking it. He goes to the carrier portal. He marks it as stolen. So the phone's IMEI number gets added to the blacklist and won't connect to any carrier in North America unless she removes it.
Starting point is 00:05:53 Then to protect the data and make the device useless outside of North America, he hops on the iCloud and reports that is lost there, which locks the phone itself down, disables Apple Pay. You can wipe it. You can't wipe it. Yeah. And do all kinds of things. Now you don't even, you can't even just get into it with the phone's password. You need the full iCloud credentials if you want to essentially unlock this phone at this point. And even then, it still wouldn't connect to a carrier unless he tells the carrier, hey, I found my phone.
Starting point is 00:06:24 So, you know, I can't connect. There's no data usage, no phone usage. And it's just kind of marked as lost or stolen. That way, you're not on the hook for incurring any charges that happen after that? John does exactly what I, as a layperson, kind of understand you're supposed to do when you lose a phone. He, you know, locks it down and he goes to bed. And sure, it's kind of a sour note to end an otherwise nice day at the mall on, but like, you know, you lose a phone sometimes. What can you do? Costly, costly errors, but something that's probably more common than we wish it was. until
Starting point is 00:07:08 Later that night about 10 o'clock I got a ping on my cell phone that said oh iPhone's been located and it had shown up online three hours away at a strip mall in Toronto
Starting point is 00:07:22 I thought okay that's really weird so I reached out to a couple of the people that I had been chatting with on Facebook about them having their partner or girlfriend or whatnot had their phone stolen and said, hey, so our phone showed up, you know, at this address, you? And they, the two
Starting point is 00:07:43 people that I spoke to confirmed it, that their phone was there as well. So the phone goes missing and then briefly appears online three hours away in a strip mall before going dark again, and it wasn't alone. And this all kind of starts to tell a little bit of a story. Someone has spent the day stealing phones across this part of Ontario, and they get in their car or whatever with all these phones, and they go somewhere, and they take them to the same place. And there, in the middle of the night, they're just sort of quickly turning these phones on to see if they're locked or wiped, or if they work, or if they don't. And they turn on John's wife's phone, and they see it's got the password, see it's locked,
Starting point is 00:08:24 and they quickly turn it back off. So John, now confident that this is a theft, does, you mentioned this earlier, he doesn't just lock the phone. He now says, okay, next time this thing turns on, wipe off the hard drive. Delete everything on this thing. These are phone thieves. Brick it. Truly the last step he could take. Yeah, shut it off. Kill it forever. Just butcher the thing. Save those. Protect the data. Exactly. So the next time it comes online, it'll check in and erase itself. And it's still locked down behind those iCloud credentials.
Starting point is 00:09:01 He's not only bricked the phone, he's filed a police report, told it to erase itself the next time it comes online. The only way this phone is of any use is if somehow his wife gets it back and can log back into her iCloud account on it. She would have to re-download everything and turn it back into a phone. A couple of weeks pass until this device shows its face again. And in those intervening weeks, it has gone on a journey.
Starting point is 00:09:30 It's two weeks later, again in the middle of the night, and they get an email, a legitimate email from Apple saying, hey, you know how you told us that the next time this phone comes online to immediately wipe the hard drive? Well, we're just letting you know, it came online and we wiped it. And John says, where did it come online? It was reporting as being located in Vietnam. So they'd put this phone on a plane in a shipping container, in a package, and they'd gotten it to Vietnam, where someone had tried turning it on, at which point Apple says, there's that little bastard and wipes the drive. And sends John a message letting him know what had happened. The blacklisted, wiped, and importantly locked phone is now in Vietnam.
Starting point is 00:10:24 The only way it becomes a phone again, anything other than a paperweight, is if John's wife, were to log in with her iCloud credentials. And John gets this suspicion that he knows what's going to happen next. For sure. I kind of jokingly said to my wife that, okay, you're going to start to see some phishing emails. In the week since, his wife had gotten a new phone with the same number as before. And the next morning, she gets a text message that basically said something along the lines of, your iPhone has been found.
Starting point is 00:10:57 Please click here and log in to see its location. And she says, is this what you meant? John says, yes, that is exactly what I meant. Don't click on that whatsoever. The verbatim, the text is what it says. It would be, dear customer, your iPhone 12, 64GB blue was found. View the location at, and then there's a URL, and then, you know, it's signed by Find My iPhone.
Starting point is 00:11:21 And these texts just start coming one after another after another. And John could have ignored them. He could have said, it's kind of creepy that they've got our old phone and they're trying to trick us into giving them the iCloud login. But as long as you don't, as long as I don't, as long as no one gives those credentials, we're fine. I think I probably would have just called it a day there. But curiosity gets the best of him.
Starting point is 00:11:48 And he starts saying, I'm going to collect these messages. I'm going to start creating a little database and I'm going to start putting them in and keeping track of all these URLs, these phishing attempts, I'm going to try and just figure out what it is these people are doing. What we did was I just started collecting them. I started collating these bad links as a way just to say, okay, what are they doing? He starts building this database, trying to figure out how this thing works.
Starting point is 00:12:17 I think in one of our early episodes, we talked about the phishing classic of, like, you get an email from someone with an important file, but it's not actually their email. It's a version that's ever so slightly misspelled, right? That's the classic of this. The easiest deception. At first, I assumed it was going to be more complicated than that.
Starting point is 00:12:39 So I started researching what had happened to miss, like, where did we go after the misspelling? There were some really cool evolutions of that attack vector. One I thought was really cool was called a homograph technique. Have you heard of this? So it was in vogue for a couple years before browsers sort of nipped it in the bud. So, say for like example, Cyrillic characters. Cyrillic characters will have codes that you can use.
Starting point is 00:13:05 And if you were to type in one of these codes, copy it in probably. The software will automatically convert it to the Cyrillic character. If the domain you're trying to spoof has a character that has a Cyrillic equivalent, you can just make a domain with that long code in place of the letter. And the browser will automatically convert it to display as the Cyrillic character, which then shows it as a normal letter to the user. and it looks exactly the same. It looks exactly the same.
Starting point is 00:13:30 Eventually browsers figured this out and said stop auto displaying these character codes as the character itself because this is like, we're baking spoofing functionality into our browsers. We are facilitating this attack. The messages that John is getting are even simpler.
Starting point is 00:13:47 They're the classic one, the misspelling. She's getting these texts that say, you lost your iPhone, log in here to see where it is. And the link, instead of apple.com, it's actually how would you spoof apple.com APP-L-E dot com Oh, with a misspelling?
Starting point is 00:14:06 Yeah. That make the P's Q's maybe? That's pretty good. That's pretty good. Like one of them, it's like your brain will auto fill it in probably if like the second one. Yeah. But even that. P and Q is pretty good.
Starting point is 00:14:20 Yeah. They went with APP. And I think they had to tag something else on the end of it. Like a capital I. i.com exactly you type it in it looks pretty good um i think apple does own i'm actually going to check this they must yeah for protections sake do they own appy dot com yeah the apple dot com owns appi dot com so they had they'd strung something else in there in order to make it their own but generally speaking they were hiding behind appy dot appy dot com takes you to something that i don't even
Starting point is 00:14:56 and I probably shouldn't be here. Don't forget the E. I did. I went to A-P-P-P-I-E.com. Oh, God. And I got... Really? Yeah, yeah, yeah.
Starting point is 00:15:06 And it looked like something that... It looked like a website that you don't want to open on your computer. Weird. I'm getting to Apple.com. Oh, maybe your browser is smart enough that it's redirecting you. Oh, I'm in Safari.
Starting point is 00:15:19 Yeah, yeah, yeah. Maybe Apple has baked that functionality in. I was just using Microsoft Edge. that's fascinating yeah yeah yeah so maybe they they have a protection built into their stuff to stop people and that could actually honestly be because of this attack
Starting point is 00:15:34 huh because it's probably the same source code yeah yeah appi.com and my Safari browser takes me right to Apple too yeah on Microsoft Edge it definitely does not so huh real time discovery here
Starting point is 00:15:50 yeah real time Safari has anti-spoofing measures for Apple's own proprietary domains. Yeah, probably to stop links opened on their mobile devices, running Safari from opening and going to, you know, bad places. Whatever this spoofed domain is that they're using, if you go to it, it redirects to just Apple.com. So it looks like it's legitimate.
Starting point is 00:16:15 But these, you know, scammers actually were sending you a URL with a malicious, identifier there was a header in the in the email link so that my suspicion is they could identify what phone that credential belonged to right so they'd send you a a reference and there'd be a key field and that reference would say hey this is this is this blue iPhone that was stolen because if you actually fired up a browser and navigated to the link and clicked on the link that was sent in the message, it would bring you to a page that wanted you to log in and actually, you know, enter your credentials.
Starting point is 00:17:02 It takes you to a page where it says, hey, welcome to iCloud. Go ahead and log in here. Yeah, yeah. Why don't you put your security credentials into this box? We'll take those from you. Thank you very much. It sounds like you want to log into iCloud. Why don't you come to the right place?
Starting point is 00:17:23 We can help you. a very old school phishing scam aimed just at you trying to steal your cloud credentials so they can unlock your phone. And that's kind of when my, you know, my spidey sense started tingling. I'm like, okay, what's going on here? And I, you know, fired up a private browser and, you know, VPN client. I actually used a virtual machine to do this so that I wasn't downloading anything malicious on my, on my home computer and just started seeing what these domains actually were. And I just started compiling, okay, you know what, this domain redirects to this domain, and it's using this registrar,
Starting point is 00:18:02 and, you know, just compiling as much information as I could about it. I like that. I like that you made a sandbox just in case, just in case. 100%. A little hazmat suit for wandering into some, yeah. And he starts thinking about it. And the volume of phones stolen on just that day, all of which are getting these texts
Starting point is 00:18:25 implies that the people that are doing this have even more devices and are trying to run and manage a pretty high volume of these different phishing texts, trying to gather all the data mapped to specific phones. It's a lot of information flow to be managing. You would probably want to automate this in some way. You'd need some software to manage this operation
Starting point is 00:18:47 if you were to do it at any kind of scale. So John, hidden behind his VPN and in his virtual machine in his little sandbox hazmat suit, he makes his way to some iffy forums where he starts finding folks selling tools that do just this. What he starts to figure out are the tools being used by this hacker to deploy these phishing texts at scale. Interestingly enough, found out that started doing some digging into the dark web and found out that there's actually these malware toolkits or phishing toolkits built for this sort of thing. And they're all built around this HP exploit called Find My iPhone,
Starting point is 00:19:35 which leverages the Find My iPhone API to hammer it and try and release the activation lock. So I found this GitHub project that was a proof of concept somebody had done, clearly for, you know, quote unquote, not malicious purposes, wink, wink, nudge, nudge. And what it allowed the users of that, you know, particular tidbit of code to do would be to pass in the Apple ID and password that they were given. And then it would try and log in and it would, I think it would remove the activation lock if it was able to log in, but at the very least, it was validating those credentials were legit.
Starting point is 00:20:25 A fully automated process. You punch in the number of the stolen device, which even though the device is locked, you have because you have the device's SIM card. And it's off to the races. Deploying these phishing texts to try and get these all-important iCloud credentials, which if you were to fall for it and give them over, it would use to automatically log in, do a legitimate reset of the device, thus making it resellable without you having to touch anything. And if we think about the two security steps it takes to brick a stolen phone, the iCloud stuff is reversible if you have the iCloud credentials. It has to be, because what if you found the lost phone? You have to be able to get it running again. Your credentials are the last line of defense. If they get those, they're you as far as that
Starting point is 00:21:19 device is concerned. The other line of defense is getting the device IMEI blacklisted, but again, that's only North America wide, and they're in Southeast Asia. So if you could get the device running again with iCloud credentials, it would now be a phone again as long as you don't try and connect to a North American carrier. Through this process, the paperweight has been turned back into a phone.
Starting point is 00:24:06 So John starts paying closer attention to the domains that the hackers are using. I started collating as much detail as I could around the domains that were used for the phish, evidence of this,
Starting point is 00:24:52 figured out, they were actually all pointing to the same domain in the background that was hosted. It was protected by a Cloudflare proxy, so I couldn't really find anything about it. And even if he can't tell who controls the domains, he knows that this activity definitely qualifies as abuse under the terms of any registrar. Of course. And he's been assembling all of this evidence for his own purposes. And it takes all of it, all the screenshots, all the domains, all the stuff he's found. And he turns around and he goes to the registrar and says, I'm reporting some abuse.
Starting point is 00:25:32 So I just compiled all that information and then en masse fired a bunch of emails off to the abuse, you know, abuse accounts at all the different, the registrars and hosting providers. At the end of the day, I didn't really care so much about the stolen phone. It was that, holy crap, what are these guys doing? It was more than just a single phone. Like there's, you know, they've got some mechanism to do this. Well, you're probably also just like looking for a little bit of, I don't know, value out of all the time invested in kind of tracking it down so that makes sense to go after them. I kind of assume those abuse at emails are just like voids that you throw things into. But I'm intrigued to hear if that's the truth.
Starting point is 00:26:18 It works. Oh. Really? Probably in the next day or two, they were just taken offline. I didn't even get a response back from the registrars or anything. Just gone, gone. I fired up my virtual machine one night just to log in and see, hey, are they still doing this? And they're gone. And then the phishing message, the phishing message just stopped. Within a day or two. Within a day or two. That's shocking.
Starting point is 00:26:47 They're gone. He's taken the sites down. And the question that you naturally then ask is like, hey, URLs are really, really cheap. And John knows he probably didn't destroy this operation, but he certainly slowed it down. And I don't know if it was how they, maybe they just stopped phishing me. I don't know, but they, they stopped phishing us, that's for sure. So John had reverse engineered the architecture of this hack, right? He'd used that to at least create a little bit of a speed bump for this thing,
Starting point is 00:27:27 a little bit of friction for these folks. He'd gotten sites pulled, and hopefully those registrars might learn to recognize this in some way. At least make it harder for people to do this same thing again. But if you're following the story kind of closely,
Starting point is 00:27:42 there's still the IRL physical part of this that hasn't totally been worked out. What is the connection between these pickpockets in eastern Canada and phone hackers in Vietnam. Where do those phones go? How does a pickpocket get a phone to a hacker a world away? That's the only part of this where there isn't really a digital trail of breadcrumbs
Starting point is 00:28:10 for someone like John to follow. Yeah. And then a thought popped into my head as we were discussing this, this moment earlier in the story that we lack a little bit of clarity on. After the phone is stolen, but before it shows up in Vietnam. About 10 o'clock, I got a ping on my cell phone that said, oh, iPhone's been located. And it had shown up online, three hours away at a strip mall in Toronto. I thought, okay, that's really weird.
Starting point is 00:28:46 The strip mall. Which was its last stop in North America before it shipped off to Vietnam. And so I asked John, like, what business in particular in this strip mall did it show up at? It was a Vietnamese restaurant in Toronto. And so I asked John, did you ever go to the restaurant? No, no, no. The thought crossed my mind, but no, I did not. You kind of assume that maybe they went for dinner after a busy day of
Starting point is 00:29:27 stealing phones and maybe they have connections in Vietnam. Maybe they're Vietnamese themselves and maybe they like Vietnamese food you know. Interesting. Maybe it's completely unrelated. Maybe it's a total coincidence that they went for a bowl of pho after a day of stealing phones and
Starting point is 00:29:43 those phones wherever they took them just happened to end up in Vietnam. Right? Or or there is an international hacking ring being run out of a Vietnamese restaurant in Ontario?
Starting point is 00:29:59 In a strip mall in Ontario. Or that? Could be. We'll never know. We'll never know. I mean, I thought, initially I thought this was going to be, hey, you know, phone got stolen. It's been wiped. And somebody's going to sell it on, you know, Facebook or Kijiji or Craigslist or something.
Starting point is 00:30:19 And then make a quick buck disappear. And the person that buys it is left holding the... a phone that can't be activated because of the activation lock. Okay, big deal, you know, and when I talk to my friend who's the police officer, they said the same thing. Like, okay, well, you know, whoever buys it's going to be upset because they can't activate it. And big deal. But no, in this case, it was so much bigger than that.
Starting point is 00:30:44 It did not stop there. The, yeah, like, the economics of it just, this is the weirdest thing where it's like, you've got to assume that they're quantity over quality here, right? Like you're buying bricked phones by the hundreds, hoping to unbrick a few of them.
Starting point is 00:31:10 Like, I can't imagine the churn rate is high. Like, I imagine that you send out a bunch of phishing scams and maybe you get 10%. So if you buy 10 bricked phones, maybe you get one out of it. But I guess
Starting point is 00:31:26 if you're paying 50 bucks, a phone for 10, that's 500 and you can resell that phone for like 800, you know, that's still a pretty good profit margin, but it's just sad. I wish the world could take and dedicate all this like lost utility to good things.
Starting point is 00:31:42 For sure. An iPhone 12 for context, an unlocked iPhone used, an unlocked used iPhone 12 retails on eBay for in and around in the 5 to 600 range Canadian.
Starting point is 00:31:56 Right. So if we assume this really this whole thing just turns on what is your success rate with the phishing scam? Because that's the number you're dividing this out by. If it's half of them and you buy these phones for 50 bucks and you can sell essentially, you're selling one for 500, but only half of them are working. So you're making like 250 on average per stolen phone. Pretty good rate of return. Is it every other phone works?
Starting point is 00:32:24 Is it one in 10? Is it one in 20? Economics of this depend entirely on how effective your phishing attack is. But not even that. Like how effective your pickpocketing is. Imagine if you need two people. Like, what's your hourly pay? Jordan and Scott go to the mall and steal phones for a day.
Starting point is 00:32:44 Say we get 20 phones. Yeah. Like we have a wildly successful day. I feel like if you can steal 20 phones in a day. Each of those phones sells for 20 bucks. It's $400. You know, to say that that was a full, eight-hour work day, you know, that's $25 an hour each.
Starting point is 00:33:01 Like, that's not crazy money. Like, I feel like there's better, legal, more productive, you know, contributing to society in a positive way, ways to $25 an hour. Maybe that's some entitlement that I have, but it just feels like. It might also be that, and again, just speculating wildly, it could also be that this is sort of like a, there's stages to it, right? It's like the best thing we can do is try and truly unlock this phone because now it is become worth about $600 Canadian.
Starting point is 00:33:35 Sick. That's our best case scenario. If we can't do that for parts alone, because every store that, you know, replaces screens has to get them from somewhere. Every store that replaces batteries, all of that stuff. The camera module, yeah, it reduces the value of the device when it's not a single working unit. But say for parts, it goes from 600.
Starting point is 00:33:55 even if it on parts alone is worth half, that phone is still worth $300,000, roughly speaking. So it's not all or nothing. It's just this last ditch attempt at extracting the most value out of this phone as humanly possible. The other thing, too, would be, when you're sitting in that Vietnamese restaurant,
Starting point is 00:34:13 power cycling these phones, what's the percentage of phones that aren't bricked? That haven't been lost. And like, this is going to sound bad, but I know people that still don't have pass codes on their phone. Sure. And it's like if there's not a passcode on your phone, you can pretty much reset it pretty simply.
Starting point is 00:34:32 Like I think you still need to log in the iCloud, if I'm not mistaken, assuming it's connected to iCloud. So, yeah, I wonder what their hit rate of like just free winners are, you know? They don't really like to do much. Yeah, right. The second you take it out of the pocket, it's worth the full retail value. Yeah, yeah, or whatever it's selling for, you used. And then you go down to stage two for the ones that are locked down,
Starting point is 00:34:54 and they get run through this phishing scam, and then it trickles down to selling it off for parts. Yeah, literally tearing it apart and selling the batteries and screens. Exactly. When you've got digital criminals, they're orchestrated, like essentially organized crime, but they're going after massive things
Starting point is 00:35:12 and hacking and stealing or ransomware where you're, you know, one good strike and you're making, you know, millions of dollars versus, like, steal phones. I'm not stealing phones to get access to someone's Bitcoin wallet and steal their Bitcoin or get their like, you know, get past their two-factor authentication. It's like, no, I'm stealing phones because phones are worth money. I always thought like you, right?
Starting point is 00:35:40 Oh, the phones have activation lock on them and they're pretty much useless if they're stolen. But clearly they're not. Thanks for listening, everybody. Thank you in particular to John for sharing. his story with us for reaching out, for being very generous with his time. I hope the plumbing debacle is going well. If you happen to have solved an interesting cybercrime hacking type story and you want to get in touch, if you have a story you think we should know about, especially if it's something you experienced or have some connection to you, feel free to get in touch. You can find our contact
Starting point is 00:36:19 information at patreon.com slash hacked podcast. Single best way to support the show. Speaking up, My main man, Eric Bacon, thank you for being a Patreon supporter. Stuart Bowles, your support means a lot, drum roll, holy hell. Thank you so much to Elisa Gonzalez-Smith.
Starting point is 00:36:39 Hacked Patreon, patron of the month. Thank you so much. That's this one. That's this episode, another one in the can. Thanks for listening. We'll catch you in the next one.
