Never steal a hacker’s girlfriend’s phone: How an expert exposed a global network of thieves
Gangs that rob gadgets are looking for new ways to extract more value from them. An expert analyzed the work of one organization as it was dismantled by the police
Hacker Martín Vigo was with his partner at a concert in Barcelona when her cell phone disappeared. He immediately sent a text message with his number in case anyone had found it. But it had been stolen. Two days later, Vigo received a text message from “iCloud,” Apple’s cloud service: “Find my iPhone 13 mini. It has been connected to the internet and located today. Last location.” It included a link to a strange address: apple(.)device-maps.net. “The text message was awful: typos, a suspicious domain, and iCloud,” says Vigo.
But as a hacker, and with his partner without her cell phone, Vigo wasn’t going to let that message go unnoticed. His weeks-long investigation coincided with a massive two-year police operation, between 2022 and 2024, in six countries (Spain, Argentina, Colombia, Chile, Ecuador, and Peru), in which 17 people were arrested. The magnitude of the operation clarifies why, despite improvements in security, cell phone theft remains profitable.
“They had a system in place to steal cell phones, send them abroad, try to unlock them to steal as much money as possible, and if they couldn’t manage it, tweak them and resell them. They wanted to profit from everything,” explains Vigo, who has prepared a lengthy presentation of his case, which he shared at a couple of conferences before the summer.
Although a statistic repeated in the media says that some 250,000 cell phones are stolen in Spain each year, in reality, it’s half that number, according to data from the Ministry of the Interior: 120,510 in 2024. In 2019, the number was over 162,000, but the pandemic saw a significant drop. Although it hasn’t returned to pre-pandemic levels, cell phones remain a highly valued target. Headlines in the media constantly warn of thefts and operations that uncover fragments of global networks where stolen cell phones circulate: “International hub for reselling stolen cell phones collapses in Barcelona” or “Brazil suffers an epidemic of cell phone theft and cyber fraud.”
1. Theft
Vigo’s case is hardly unique. But his investigation sheds light on how criminals work. First, the theft. The ideal is to steal an unlocked phone. But it’s extremely difficult because it has to be stolen while the user is using it. Today’s cell phones provide access to credit cards, bank details, and tons of apps with our stored data.
In Vigo’s case, the phone was locked and the “Find my iPhone” feature was activated. Thanks to a system called Activation Lock, the thief needs the Apple username and password to access the phone. (Android has a similar feature called Factory Reset Protection.) “The ways of stealing have evolved,” says Vigo. “Now, with Activation Lock, you have to manage to unlock it.”
Here’s where the Vigo case takes a different turn. Once stolen, the phones are likely wrapped in aluminum foil to prevent the GPS from tracking their movements. “Then they go to a safe house where they are gathered together and shipped on pallets outside of Spain, to Morocco or China.”
This international step is vital to prevent the phone from being blocked if the thieves try to use it again. Carriers in several European countries share lists of the IMEIs (unique numbers for each device) of stolen devices so they can’t be used. But Morocco, for example, doesn’t share these lists. There, the phone can be reconnected.
2. Unlocking
The phone, in any case, is still locked. So how did the thieves intend to unlock a phone like the one belonging to Vigo’s partner? With hundreds or thousands of stored phones, another path begins: “They try to get the PIN,” says Vigo. Why the PIN? Because with the PIN, you can change the Apple password and access the device’s content.
The gang had created a system to send thousands of text messages like the one Vigo received. To know who to target with the bait message, the police say, “the organization performed social profiling of the victims, since, in many cases, in addition to the phone, they also had the victim’s personal belongings, such as their ID.” This is how they obtained the phone numbers to send the malicious SMS.
Each SMS contained a link with a unique identifier for each stolen phone. The day after the first message, Vigo received another: “Apple, we’ve detected problems locating your iPhone 13 mini. View current location without an internet connection.” Each victim received a unique link, and the server knew which victim clicked it. Upon clicking, the user would see a blank page, but the criminals would know who they were. With the first click, the attackers would redirect the user to a website they believed was credible, such as Apple’s real iCloud site.
“There you’ve already been trained to believe that if you receive a text message saying they’ve found your phone, everything is fine. But what you don’t know is that behind your back they’ve just set the perfect trap for you,” says Vigo. Why? Because the next day you receive another text message, and you click on it, more confidently. However, that link no longer redirects you to the real Apple website, but to a flawless copy created by the criminals: that’s where they ask for your PIN, and without thinking, full of hope, you enter it.
And the thieves, thanks to the identifier in the first link, already know who stole that phone and, therefore, which criminal they should have sent it to in order to access it. “The PIN is more powerful than your fingerprint or face. With it, you can delete the victim’s biometric information and add your own to access banking apps that are validated this way,” says Vigo. Apple Wallet asks you to re-authenticate, and then everything is accessible.
This PIN-stealing system, created in Latin America, was marketed as just another online service. If you had a few hundred stolen cell phones, you could try to access a handful to steal as much money as possible. Vigo tried to find out who was behind it, but he only got as far as a woman he believed to be Ukrainian, and he didn’t know if she was another victim or part of the gang.
In the press release on the case, the police explained that the gang allegedly used a total of 5,300 fake websites and illegally unlocked around 1.3 million high-end devices, about 30,000 of them in Spain.
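The lure domain quoted earlier, apple(.)device-maps.net, only looks like Apple's: the brand sits in a subdomain, while the registrable domain belongs to someone else. The following check is an added example, not code from Vigo or the police investigation; the allowlist, the brand-word list, and the sample link's trailing identifier are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains treated as genuinely Apple-operated for this check.
APPLE_DOMAINS = {"apple.com", "icloud.com"}
# Assumption: brand words a lure of this kind borrows (illustrative list).
BRAND_TOKENS = {"apple", "icloud", "iphone", "findmy"}
# Matches plain or defanged ("(.)", "[.]") host names with an optional path.
URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+(?:\(\.\)|\[\.\]|\.))+[a-z]{2,}(?:/\S*)?", re.I)

# Constructed sample: wording from the article, identifier is a placeholder.
SAMPLE_SMS = ("Find my iPhone 13 mini. It has been connected to the internet "
              "and located today. Last location: "
              "apple(.)device-maps.net/EXAMPLE-ID")

def refang(text):
    """Undo '(.)' and '[.]' defanging so the host can be parsed."""
    return text.replace("(.)", ".").replace("[.]", ".")

def registrable_domain(host):
    """Naive eTLD+1 (last two labels); production code needs the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def check_link(url):
    """Return (host, registrable domain, verdict) for one link."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    base = registrable_domain(host)
    if base in APPLE_DOMAINS:
        return host, base, "apple-owned"
    # A brand word in the host while the owning domain is someone else's.
    if set(re.split(r"[.-]", host)) & BRAND_TOKENS:
        return host, base, "brand-impersonation"
    return host, base, "unrelated"

def scan_sms(body):
    """Check every link found in an SMS body."""
    return [check_link(m.group(0)) for m in URL_RE.finditer(body)]

if __name__ == "__main__":
    for result in scan_sms(SAMPLE_SMS):
        print(result)
```
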
3. The modifications
But the life of a stolen cell phone does not end there. They may have a decreasing value due to the difficulty of stealing and using them, but criminal gangs still find ways to make a lot of money.
If they can’t unlock a device with the PIN, they send it to China to be “dismantled and then sent back to Europe for resale,” says Vigo. “The devices are increasingly valuable because they have more advanced chips, better cameras, and more expensive materials. But security measures are more robust. Before, if you stole a phone, you could factory reset it and have a new one. Now, with the activation lock and the original IMEI, in Europe it’s just a brick, only good for parts.”
But there are cities in China where that IMEI can be changed, says Vigo. “It’s the hardest part, when it arrives in China and they change certain components and the IMEI. It requires a certain level of sophistication: opening the phone, changing the chip... you have to know what you’re doing because Apple detects if there are non-original components.” The goal is to be able to resell the stolen phone with a different IMEI so that it can’t be traced.
In this entire process, were it not for one crucial detail, the victims would suffer only the theft of a cell phone. “The PIN is the most powerful thing, which is why it’s extremely important to safeguard it and never give it to anyone,” says Vigo. “Never, to anyone. Apple will never ask for it. What they’re asking for are your iCloud credentials.”