Apple’s Double Agent


For more than a year, an active member of a community that traded in illicitly obtained internal Apple documents and devices was also acting as an informant for the company. 

On Twitter and in Discord channels for the loosely defined Apple “internal” community that trades leaked information and stolen prototypes, he advertised leaked apps, manuals, and stolen devices for sale. But unbeknownst to other members in the community, he shared with Apple personal information of people who sold stolen iPhone prototypes from China, Apple employees who leaked information online, journalists who had relationships with leakers and sellers, and anything that he thought the company would find interesting and worth investigating.

​​Andrey Shumeyko, also known as YRH04E and JVHResearch online, decided to share his story because he felt that Apple took advantage of him and should have compensated him for providing the company this information. 

“Me coming forward is mostly me finally realizing that that relationship never took into consideration my side and me as a person,” ​​Shumeyko told Motherboard. Shumeyko shared several pieces of evidence to back up his claims, including texts and an email thread between him and an Apple email address for the company’s Global Security team. Motherboard checked that the emails are legitimate by analyzing their headers, which show Shumeyko received a reply from servers owned by Apple, according to online records.

​​Shumeyko said he established a relationship with Apple’s anti-leak team—officially called Global Security—after he alerted them of a potential phishing campaign against some Apple Store employees in 2017. Then, in mid-2020, he tried to help Apple investigate one of its worst leaks in recent memory, and became a “mole,” as he put it. 

Last year, months before the official release of Apple’s mobile operating system iOS 14, iPhone hackers got their hands on a leaked early version.

At the time, people in the iPhone hacking community told Motherboard that the leaked iOS build came from a stolen prototype of an iPhone 11 that was purchased from gray-market vendors in China. Sensitive Apple software and hardware occasionally leak out of China, and there is a thriving gray market of stolen iPhone prototypes that are marketed to security researchers and hackers interested in finding vulnerabilities and developing exploits for Apple’s devices.

Apple is obviously not happy about any of this. But over the years, apart from the time it famously went after a Gizmodo journalist who found a prototype of an iPhone 4 in a San Francisco bar, the company has largely kept its response to leaks under wraps. In mid-June, Apple lawyers in China sent letters to a Chinese citizen who advertised and sold stolen devices, demanding they stop their activities and reveal their sources inside the company, as Motherboard reported last month.


The secretive Global Security reportedly employs former U.S. intelligence and FBI agents and is tasked with cracking down on leaks and leakers, but very little is known about the way it operates. 

One of the ways the team tracks leaks and leakers is by cultivating relationships with people in the jailbreaking and internal community, such as ​​Shumeyko. It’s not the first time something like this has happened. As Motherboard reported in 2017, an Apple employee had infiltrated the early jailbreaking scene, acting as a double agent. 

​​Shumeyko has never worked for Apple, but he assumed a similar role last year when he decided to give Apple information about the iOS 14 leak. He had obtained a copy of the leaked iOS 14 build himself, and said he also learned how the leak went down and wanted to share the information with Apple.

On May 15 of last year, ​​Shumeyko reached out to Apple Global Security via email, according to an email chain he shared. He offered information about the person who allegedly purchased the iPhone 11 that contained the iOS 14 development build, the security researchers who got a leaked copy of the operating system, and a handful of people who apparently live in China and sell iPhone prototypes and other devices that appear to leak out of factories in Shenzhen. 

“I think I found the mole who helped him orchestrate the thing,” Shumeyko wrote to Apple, referring to the iOS 14 leak and the person who allegedly purchased the stolen prototype. “I’ve identified which one of the 3 Chinese hardware suppliers sent him the phone. I’ve received a package from that same guy in the past (still have the DHL tracking number), and I have his phone number. Would any of the above be of any aid?”

Do you work, or used to work for Apple? Do you research vulnerabilities on Apple’s devices? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com

At the end of the email chain, an Apple employee asked if Shumeyko was free for a chat.

“What’s the number you use for Signal/Telegram? We will assign a member of the team to reach out,” the employee wrote. 

Shumeyko said he was willing to help as a way to redeem himself for being part of that community, and to get some money out of it, according to him and his online chats with an Apple Global Security employee.

“People trust me, and find me pretty likable, and so I’m capable of using that to my advantage,” ​​Shumeyko told the Apple employee during their monthslong online chats. “I regret my involvement in all that stuff and I’ll do whatever you need me to redeem my past actions.” 

“I know I’ve been naughty, but my actions so far landed the right connections which I can use to help further the company. Getting into this whole thing was a mistake on my side,” ​​Shumeyko told the Apple Global Security employee. 

What he shared was interesting enough to prompt Apple employees to keep the communications channel with Shumeyko open for almost a year. 

Two people who are part of the Apple jailbreaking and internal community confirmed that Shumeyko was dabbling in it by advertising leaked data on Twitter.


“He’s tweeted a lot with internal materials from Apple,” one of the people in the Apple jailbreaking and internal community told Motherboard in an online chat. “I think he is widely trusted to be an original source of that information.”

Another person, who also asked to remain anonymous as he, too, is involved in the jailbreaking and internal communities and fears retaliation from Apple, told Motherboard that ​​Shumeyko “was most definitely involved in that community and he most definitely had some level of access to things he shouldn’t have.” 

According to the person involved in the jailbreaking community, “the ‘Apple Internal Community’ is just a bunch of kids on Twitter who find, buy, sell, and trade firmware or other such things without realizing the repercussions such things carry.” But other than kids, there are also serious sellers, mostly based in China, who sell prototype iPhones for thousands of dollars, as a Motherboard investigation showed in 2019.

And Apple has been trying to crack down on them recently by sending them legal letters, which revealed that the company knows their names and home addresses, despite the fact that they only use nicknames online. 

Last year, ​​Shumeyko sent Apple investigators a PDF titled “The List,” essentially a dossier where he shared personal details such as phone numbers, WeChat IDs, and alleged locations of three people who advertised and sold devices on Twitter, as well as a U.S. citizen who collects iPhone prototypes. One of the people listed in the PDF is the one who received the legal letter from Apple, Motherboard has learned.  

Apple declined to comment for this article. 

None of the people Shumeyko mentioned to Apple, and whom Motherboard spoke to, had any idea that Shumeyko had become a mole for the company.

When he was acting as a mole, ​​Shumeyko wanted to keep his relationship with Apple a secret, “fearing I might damage that fragile thing we had going on,” he said, referring to the company. But at this point, now that he’s coming out, ​​Shumeyko doesn’t care what anyone will think of him.

“Them knowing what I am doesn’t really change my life for better or worse. And, well, I just wanted to be heard for once, and the story I tell to be truthful,” ​​Shumeyko said.  

Months after he first reached out, Shumeyko explained more about why he wanted to help Apple.

“I was inspired by the rumor that the raid on the journalist’s house during the iPhone 4 Gizmodo incident was conducted by Apple’s own ‘police’ team,” ​​Shumeyko told a Global Security employee. “So I assumed prosecuting [an iPhone prototype collector who also traded leaked information and hardware] and the Chinese would be easy then, and that I’ll get to walk away with a reward generous enough to jumpstart my life entirely.”

Shumeyko said he expected Apple to “do something” with the information he provided, but it’s unclear what the company achieved with ​​Shumeyko’s information. Despite asking many times for details about how the company was acting on his information, the Apple employee he was corresponding with never gave him any answers. ​​Shumeyko also repeatedly asked if it would be possible for him to be paid for his information, citing financial problems he needed to take care of. In this case, too, the Apple employee was noncommittal, according to the conversation’s transcript. 

“I know I’m very much a part of the problem that I’m trying to report, and I really hate to be the Karen of this story, but still, I’m determined to fully follow through with this and I’m sorry for being a huge inconvenience,” ​​Shumeyko told the Apple Global Security employee, according to the chats viewed by Motherboard. “I know you probably can’t answer all of my previous questions, so could you kindly get someone who can talk to me over email or this app? Again: 1) How helpful were the materials provided? 2) Should I try to obtain more information? 3) Do I get any protection at all as a whistleblower?” 

Still, his constant flow of tips on people in the jailbreaking and internals community, as well as tips on Apple employees who were active online and were leaking information, was well received by the Apple Global Security employee.

“We appreciate the information you provide. Please feel encouraged to keep sharing what you have,” the nameless Apple Global Security employee said. The chats between ​​Shumeyko and the employee spanned almost a year, and the Apple employee consistently thanked ​​Shumeyko for the information and asked for more information about specific materials and people. 

In the summer of 2020, ​​Shumeyko told his Apple Global Security contact that he’d been in touch with an Apple employee in Germany who worked on Apple Maps. ​​Shumeyko alleged that the employee was offering to sell access to an internal Apple account used by employees to log in to their corporate emails and intranet. ​​Shumeyko said he always kept contact with the employee, who eventually told him that he’d gotten fired. 


​​Shumeyko said he was hoping that by helping Apple, the company would help him in return. But that, he said, never happened. And he’s now questioning whether he should have helped in the first place.

“Now it feels like I ruined someone for no good reason, really,” Shumeyko told me, referring to the Apple employee in Germany.

Weeks later, out of frustration, Shumeyko said he leaked the information he gathered from the employee to the Apple-focused blog 9to5Mac, which wrote an article based on the leaked data. Shumeyko almost immediately regretted it, telling his Apple contact, “I know that looks bad. And I apologize for that.”

“Going forward if you plan to publish anything, please consult us (if you want to do the right things for yourself),” Apple Global Security’s employee told ​​Shumeyko. 

“Please understand that our goal is to protect Apple. All our actions are guided by the premise of what is best for the company, our employees, and our customers (of which you are one). Therefore your help—and insights—in understanding possible threats to us are very important,” the Apple employee continued. “My personal advice is that you continue to do the right things so that you can build a positive image for yourself. Do the right things to protect Apple. Keep it that way, you will be proud of yourself, so will we.”

During his conversations with the Apple Global Security employee, Shumeyko shared the contact information and social media profiles of three alleged sellers of stolen devices in China, a person who collects these types of devices and who was allegedly involved in the iOS 14 leak, and the personal details and names of connections of someone who allegedly used to be an Apple intern and then became part of the jailbreaking community.

A year after Shumeyko started talking to Global Security, his relationship with Apple is basically nonexistent. Shumeyko said he last heard from Global Security on July 15.

​​Shumeyko told Motherboard that he is still struggling financially. He is also still on Twitter trying to sell Apple data in an attempt to finally cash out on years of being involved in Apple leaks.  

“Don’t really enjoy doing this,” ​​Shumeyko said in a recent chat. “But I also do need the extra money. Unfortunately, I have more pressing issues to be worried about other than Apple.” 

Meanwhile, one of the people who knew of Shumeyko and is part of the jailbreaking and internal community said Shumeyko’s story as an informant will make people suspicious and less open to talk about leaks.

“I think it goes to show that you can’t openly and safely experiment with leaked Apple internal materials,” he said. “These sort of events sort of enhance the hostile vibe sometimes felt in the community.” 
