It could be God sometimes or it could be the power.

I'm here because I got too carried away.

And sometimes when you do that, you end up places like this.

Aaron Johnson is due to spend the next several years at this high-security prison because he stole hundreds of iPhones and from them hundreds of thousands of dollars.

He exploited a vulnerability in Apple's software.

The same vulnerability I've been investigating for the last year.

He grabbed the phone and then disappeared.

Along with others, Johnson seen here in red would target people in and around bars in Minneapolis to get their phones and their passcodes.

I just watch them put it in.

How many numbers?

Six. Rarely I get four digits.

In cities across the country, these are using the iPhone passcode to get into stolen phones and loot their victims' bank accounts and money apps and lock them out of their Apple accounts. Sometimes for good.

Following our investigation into these widespread crimes, Apple created new security software,

but you'll have to turn on the stolen device protection setting and even then some loopholes remain the biggest loophole you.

That's why I sat down with Johnson to learn how he tricked victims and turned Apple's security vulnerability into a lucrative business.

How did you get involved with stealing phones?

So, at first I just started pickpocket the phones.

I didn't get the passcode or nothing. I just got the phone.

I was homeless.

I didn't have nothing.

Started having kids and needed money.

So I couldn't really find a job.

Let's say it's Friday night, we meet at a bar.

I have an iPhone 15 Pro Max. What happens?

I say I have the drugs.

They say they want the drugs and I tell them to take my information down. The whole time, I don't have any drugs.

So as soon as the phone's in my hand, I just ask them, what's the code or I watch them put it in before they give it to me.

And then I kind of just talk about other things.

Is there an age of person you're looking for when you're out?

College.

Because they're more partying and they are already drunk and don't know what's going on for real.

I interviewed a number of Johnson's victims.

All men under 30.

I was approached by two men who seemed very ecstatic.

Some told me Johnson approached them, offering drugs,

Definitely had cocaine.

They were like, "Do you want to buy some?"

And I was like, "No."

Others told me Johnson would say he was a rapper and wanted to add them on Snapchat.

Just a Snapchat.

Like that's just, that just seems normal. When I open up the phone and I hand it to him to...

I lock the phone and then I tell him that it's locked or something's wrong with your phone, it locked on me.

And then that's when they, "Ok. No problem. 2664 something, something."

Or they just do it for me.

You ever videotape them?

Yeah.

Videotaped a lot of numbers.

Never did this and people say, "Hey, you took my phone."

Yeah, but by that time it's already, I don't have it no more.

So.. - Who has it?

Whoever I passed it to.

This wasn't a one man job, a police investigation alleged that Johnson worked with others.

According to his arrest warrant, he used trickery and violence to get the phones.

Johnson who's now 26, pled guilty to racketeering and was sentenced to 94 months in prison.

You've got the phone, you've got the passcode, what do you do next?

It's kind of like a, like a bank robbery.

You gotta be quick, you gotta go to the settings and go to iCloud, click reset password and put the six-digit code in and make my own password.

And then I turn on Find My iPhone and then that completely locks them off the phone.

This was the bit that was so crazy to me when I first started reporting on this crime.

With just the passcode to an iPhone, a thief can change someone's Apple ID password and do a host of other things to your account and phone.

How fast were you changing Apple ID passwords?

Faster than you could say supercalifragilisticexpialidocious.

I got to that fast where I can do it just right there.

So why are you doing this so fast?

So that I can take control and they don't have access to it anymore.

And you got to beat the mice to the cheeses.

With the passcode Johnson removed the owner's face from face ID and enrolled his own, making it easier to gain access to saved passwords to bank apps.

This is my phone, right?

You've got into my settings. Where are you going from here?

So then I go add my face on there on the face ID verification.

Now when you got your face on there, you got the key to everything. Things that people thought were safe.

Like? - Savings, checkings, cryptocurrency apps.

Venmo. - Venmo. Paypal.

Yeah, you don't need face for none of that.

That's kind of little money.

I'm trying to take as much as I can.

If Johnson couldn't unlock the apps with his face, he'd look elsewhere on the phone.

I go through their notes and the password to everything is in there.

Social security number, everything.

While victims were sleeping, Johnson would be draining money from their bank accounts.

Before 5 am, I would have everything transferred out of the bank.

But then if some people have, like, credit line or something, that's when I would go shopping with it, go get, you know, nice stuff.

Yeah, just by beeping my face on, that's all I got to do is put my face on it and beep and I can swipe for thousands of dollars, clothes, shoes, you know, all type of stuff, kids stuff.

There was one more trick to this scheme. Ater stealing the money, Johnson would erase the iPhone.

Yes. Using the passcode and password and sell it.

Was there an average selling price of an iphone that you would sell?

If it's a iPhone 14 Pro Max with one terabyte, I probably get like $900.

Johnson said he'd typically look for those iphone Pros with their telltale three cameras.

For a 128 gigabyte or 256 gigabyte iPhone Pro or Pro Max, he'd get about $650.

For a regular non Pro iPhone, he'd get $300 to $400.

Probably get like 5 to 10 phones a night.

So 10, 20, 30. 30 phones from Friday to Sunday.

He said he could make up to $20,000 a weekend just from selling the phones.

And while he did steal some Android phones,

There's more value to the iPhone.

But here's the kicker. Johnson was using stolen Apple products and their Apple pay function to buy more Apple products.

It was an extensive scheme of profiting off of Apple's vulnerabilities and products.

I go to Target, probably get like 3, 4 iPad Pros.

Yeah, brand new in the pack, like $1200, $1300.

Then I'll sell it with the iPhones.

You were using the Apple products to get cash.

Yeah, exactly what I was doing.

Do you think Apple should be doing more?

Yes. I think Apple should do more to protect people.

But first they got to hire me.

I'm just playing.

Well, Apple has done more but now you need to do more too.

A week after I visited Johnson, Apple answered our months of reporting on these crimes with the stolen device protection setting.

When it's available in IOS 17.3, it will be off by default.

If you don't turn it on, all of Johnson's tricks will still work.

If you do turn it onl, it adds a line of defense to your phone when you're away from home or work.

A thief would need your face or fingerprint scan to change an Apple ID password.

Then they'd need to wait an hour and then again, they would need your biometrics.

Same goes for adding a new face ID and disabling Find My iPhone; to access save passwords, a thief would need your biometrics.

Still, some apps like Venmo are vulnerable and using Apple Pay to buy things would still work.

Also, don't store your passwords in the notes app.

Everything that you can ever imagine is in the notes or within the photos.

Plus, you should just create a stronger passcode one that uses letters and numbers.

And of course, don't get your passcode out.

I mean, watch your surroundings, stay on top of it. That's all.

According to the warrant, Johnson's group was thought to have stolen $300,000.

Johnson says that the grand total was probably somewhere between $1 millon and $2 million.

Do you ever wish you didn't know this trick?

I mean, I wish I would have not being so greedy and just got what I got and changed my life.

I truly, I'm sorry for all the people that I stole from, probably ruin your life.

But I just felt like my life was ruined and I had nowhere else to go.

When you get out, you gonna forget about this trick?

There's gonna be new tricks out, but I don't want no parts of it.

I'm just gonna be do better for myself, my life, for my kids.