Sarai Hannah Ajai | Formal Complaint & Forensic Summary — Verizon & Apple Ecosystem Account Takeover

Prepared by: Sarai Hannah Ajai

Date: October 07, 2025

Parties Notified: Verizon Security & Fraud Response; Federal Trade Commission (Consumer Sentinel); Apple Inc. (Security), and local law enforcement.

Executive Summary

Between May 1, 2025 and September 30, 2025, I experienced persistent account‑takeover behavior spanning my Verizon account (lines including ***‑***‑6195 and ***‑***‑9965) and Apple ecosystem devices (iPhone 11, Apple Watch Series 7, Mac mini M1). I was forced to reset passwords, PINS, passcodes, voicemail codes, Wi‑Fi keys, and router credentials repeatedly — in some cases multiple times per day. My log workbook (attached) contains timestamped entries for each reset/change I performed. The counts below reflect discrete entries recorded month‑by‑month in that workbook.

Quantitative Summary (from attached logs)

Month Logged Credential Changes (Entries)

May 2025 24

June 2025 30

July 2025 39

August 2025 30

September 2025 23

Note: An “entry” corresponds to a recorded credential change or reset event (e.g., password, PIN, device passcode, voicemail code, Wi‑Fi key, or router credential). Because several categories are tracked in parallel on the log sheets, and some days required multiple resets, totals of 146 logged credential changes occurred from May 2025 to September 2025 that reflects the intensity of activity per month rather than unique device counts.

Key Incidents Already Reported

• July 4, 2025 (~10:30 AM): During an iPhone 11 reboot, a voicemail from an unfamiliar 615 area code was left and then visibly deleted from the device screen without my interaction. This strongly suggests remote, unauthorized control consistent with device mirroring or a carrier/backend session controlling my voicemail state.

• June 27, 2025 (~8:30 AM): Neighbor (Unit 206, identified as *a*er) stated in a hallway blind spot: “You are sharing your Apple iPhone 11 and Apple’s ecosystem with me.” Days earlier, an unidentified male with a heavy foreign accent outside my bedroom window made a similar statement. I have never granted any consent to share or mirror my devices.

• September 21, 2025: Line ***‑***‑6195 abruptly lost service. Verizon’s IVR (when called from ***‑***‑9965) stated the number no longer existed with Verizon. Service returned later without my action. This pattern is consistent with an unauthorized SIM‑swap or transient port‑out/port‑in attempt enabling interception of calls/texts/OTPs.

Network & Device Topology (for context)

• Home Internet: Midcontinent Communications (Midco). Modem: Netgear Nighthawk CM1200 (wall codex). Router: ASUS AX1800 Dual Band RT‑AX1800S (Wi‑Fi 6). The Mac mini M1 is connected via Ethernet to the ASUS router; the router uplinks to the CM1200. iPhone 11 and Apple Watch 7 connect via Wi‑Fi/cellular.

Forensic Indicators Observed

• High‑frequency credential resets (daily/multiple‑times‑per‑day) with continued compromise suggests adversary persistence (e.g., cloned eSIM, IMEI/IMSI abuse, carrier‑side session hijack, or iCloud session tokens on a mirrored device).

• Real‑time voicemail deletion during reboot is indicative of backend control paths (carrier voicemail platform, conditional call forwarding, or authenticated visual‑voicemail API/session under attacker control).

• Tenants are in the common area hallway admissions and repeated targeting localized around the residence indicate potential proximity‑based exploitation (e.g., rogue AP, Wi‑Fi association capture, LAN‑side persistence on router, or Bluetooth pairing abuse).

• The September 21 transient loss of carrier‑of‑record for ***‑***‑6195 is a canonical precursor to OTP interception via SIM‑swap/port‑out fraud.

Requested Actions & Preservation

1) Verizon: Enable Number Lock/Do‑Not‑Port on all lines; require Port‑Out PIN; enforce in‑store, government‑ID verification for any SIM/eSIM or account changes; assign a fraud case and POC. Provide written confirmation of any 9/21/2025 changes, exact UTC/CT timestamps, NPAC references, receiving‑carrier data, IPs, store/rep IDs, and the authorization factor used (PIN/OTP/in‑store).

2) Apple: Invalidate all active device and iCloud session tokens; force re‑enrollment of trusted devices; provide sign‑in and device‑association logs for May–September 2025 with IPs/UA/ASN; investigate potential device mirroring or shared device IDs.

3) Midco / Network Equipment: Preserve DHCP, CMTS, and modem logs; rotate router admin credentials; audit for rogue profiles (WPS, Guest SSIDs, MAC filters), UPnP pinholes, WAN admin exposure, and unexpected DNS settings.

4) Law Enforcement/FTC: Record in Consumer Sentinel; correlate reports with any local complaints regarding SIM‑swap/port‑out activity; preserve CCTV where available for June 27, July 4–5, and September 21 windows.

Methodology — How Counts Were Derived

I compiled a month‑by‑month workbook logging each credential update I made across Verizon, Apple ID/iCloud, iPhone 11, Watch Series 7, Mac mini M1, voicemail, and Wi‑Fi/router. For this report, I computed the number of timestamped entries per month from May through September 2025. These entries corroborate the sustained frequency of resets required to temporarily regain control. Raw sheets are attached to this letter and should be treated as contemporaneous logs.