Two men from Maryland were found guilty this week of defrauding Apple out of over $3 million worth of iPhones through an elaborate scheme involving thousands of counterfeit devices. Haotian Sun, 33, of Baltimore and Pengfei Xue, 33, of Germantown were convicted on Tuesday of conspiracy to commit mail fraud and mail fraud by a federal jury in Washington D.C., according to an announcement from the U.S. Attorney’s Office.
The multi-year scheme involved Sun and Xue obtaining counterfeit iPhones from sources in Hong Kong beginning in 2017. They would then submit these devices, sometimes thousands at a time, to Apple and Apple authorized service providers while posing as legitimate customers seeking repair services. By spoofing serial numbers and using various aliases, they were able to trick Apple into believing the phones were real and qualified for replacement under warranty. In total, prosecutors say Sun and Xue submitted around 5,000 counterfeit phones and netted approximately $3 million worth of authentic replacement iPhones from Apple over a two year period.
Sun and Xue are Chinese nationals, though the extent of their ties to the U.S. is unclear. Their ability to exploit mail and delivery services was key to pulling off the deception, according to prosecutors. The men now face up to 20 years in prison on the conspiracy and mail fraud convictions when they are sentenced later this year.
The case highlights the vulnerabilities in Apple’s repair ecosystem to determined fraudsters. While Apple thoroughly vets repair claims, prisoners were still able to take advantage of cracks in the system to trick customer service agents and obtain valuable replacement devices. Spoofing serial numbers, a tactic used by Sun and Xue, can make it especially difficult for companies like Apple to detect patterns of abuse.
Prosecutors portrayed the scheme as highly sophisticated given the lengths the men went to conceal their identities and avoid detection. Over the two year timeframe, Sun and Xue repeatedly changed information and set up new accounts to receive the replacement phones. Apple’s policies generally make it easy for customers to get defective devices repaired or swapped out, a practice that may need more safeguards to prevent abuse.
Authorities were able to eventually unravel the deception and trace the flow of phones back to Sun and Xue. The lead prosecutor highlighted that the case demonstrated the government’s commitment to prosecuting complex cybercrimes. With consumers increasingly dependent on mailing items in for repair, companies must remain vigilant against fraud, which ultimately costs customers and shareholders.
While rare, there have been similar scams attempted against Apple and other tech companies in the past. Last year, two brothers in California were sentenced to prison for a comparable iPhone swap scheme. The new genuine devices obtained through their fraud were then exported and sold overseas. Prosecutors specifically cited the use of the mail system to carry out the Maryland scheme as a basis for the conspiracy and fraud charges.
In addition to potential prison time, Sun and Xue now face severe restrictions on their access to technology and the internet. The judge ordered strict prohibitions on their computer and phone usage as a condition of future supervised release. Companies like Apple continually have to adapt safeguards and detection systems to stay ahead of cunning attackers. While they succeeded for a time, Sun and Xue ultimately failed when Apple’s security teams were able to identify the anomalous patterns and assist law enforcement in tracing the fraudulent activity back to the source.
