Labels

Sarai Hannah Ajai Formal Complaint and Technical Security Incident Report Regarding Suspected Unauthorized Access, Cellular Account Compromise Indicators, Apple iPhone 17 Security Concerns, and Verizon Orbic RC400L Rayhunter Monitoring Evidence

 Subject: Formal Complaint and Technical Security Incident Report Regarding Suspected Unauthorized Access, Cellular Account Compromise Indicators, Apple iPhone 17 Security Concerns, and Verizon Orbic RC400L Rayhunter Monitoring Evidence


Redacted

Reporting Party: Sarai Hannah Ajai
Location: *****, ***** *****
Wireless Carrier: Verizon Wireless
Verizon Account Number: [Insert Verizon Account Number]
MSISDN / Mobile Telephone Number: ***-***-****
Primary Device at Issue: Apple iPhone 17
Secondary Monitoring Device: Verizon Orbic RC400L Mobile Hotspot running EFForg/Rayhunter
Computer Used for Installation and Review: Apple Mac Mini M1
Security Software: EFForg/Rayhunter, version 0.10.2
Date of Rayhunter Installation and Initial Monitoring: May 6, 2026
Date of Continued Rayhunter Review: May 7-11, 2026
Prepared For: Personal records, Verizon fraud/security escalation, potential FCC and FTC complaints records, and lawful evidence preservation.

I. Incident Summary

I, Sarai Hannah Ajai, submit this incident report to formally document suspected unauthorized access indicators, abnormal cellular-service behavior, account-security concerns, and device-connection discrepancies involving my Apple iPhone 17, my Verizon wireless service, and my personal network-security environment.

Over a period of several months, I have observed repeated issues that I believe may be consistent with unauthorized access, account compromise, device mirroring, device cloning, cellular-session interference, SIM/eSIM-related misuse, or other forms of unauthorized computer and communications interference. These concerns include repeated network instability, unexplained signal drops, abnormal behavior affecting Apple location services, suspected unauthorized changes in device behavior, and concerns that my Apple iPhone 17 may have been mirrored, cloned, or otherwise accessed without my consent.

In response to these concerns, I purchased and configured a Verizon Orbic RC400L mobile hotspot with EFForg/Rayhunter, an open-source cellular-security monitoring tool developed to detect possible IMSI catchers, also known as cell-site simulators or stingray-type surveillance devices. The EFForg/Rayhunter project describes Rayhunter as a tool for detecting IMSI catchers and states that it was first designed to run on the Orbic RC400L mobile hotspot. (GitHub) The Rayhunter supported-device documentation further states that Rayhunter was built and tested primarily on the Orbic RC400L mobile hotspot. (efforg.github.io)

The Verizon Orbic RC400L Rayhunter device was used as a separate, self-owned monitoring device to create an independent technical record outside of my Apple iPhone 17 and Apple Mac Mini M1. The purpose of using the Orbic RC400L was to observe the Orbic hotspot’s cellular modem behavior, verify Rayhunter warning results, preserve screenshots and downloadable recordings, and reconcile connected-device counts when my Apple devices connected to the Orbic Wi-Fi network.

This report is intended to preserve the facts known at this time. It does not state as a final forensic conclusion that cloning, mirroring, interception, or unauthorized access has been proven. Rather, it documents reported indicators, observed technical behavior, Rayhunter dashboard results, device-count reconciliation, and the specific security review actions I am requesting from Verizon.

II. Relevant Federal Statutes and Regulatory Authorities

The following federal statutes and regulatory authorities may be relevant to the concerns documented in this report. These authorities are listed for issue identification and preservation purposes only. Their inclusion does not constitute a final legal conclusion that any person or entity violated the law.

1. Computer Fraud and Abuse Act — 18 U.S.C. § 1030

The Computer Fraud and Abuse Act addresses unauthorized access to protected computers and related computer-fraud activity. The statute includes provisions concerning access “without authorization” or exceeding authorized access in connection with protected computers. (Legal Information Institute)

For purposes of this incident report, this statute may be relevant if evidence later confirms unauthorized access to my Apple iPhone 17, Apple Mac Mini M1, online accounts, Verizon account controls, or connected systems.

2. Wiretap Act / Electronic Communications Privacy Act — 18 U.S.C. § 2511

18 U.S.C. § 2511 concerns the interception, disclosure, and use of wire, oral, or electronic communications. The U.S. Department of Justice describes § 2511 as prohibiting unauthorized interception, disclosure, and use of wire, oral, or electronic communications, subject to statutory exceptions. (Department of Justice)

This authority may be relevant if later evidence confirms unlawful interception, monitoring, redirection, or use of communications associated with my wireless line, Apple iPhone 17, Verizon service, or related accounts.

3. Stored Communications Act — 18 U.S.C. § 2701

18 U.S.C. § 2701 addresses unlawful access to stored communications, including intentional unauthorized access to a facility through which an electronic communication service is provided, or intentionally exceeding authorized access, and thereby obtaining, altering, or preventing authorized access to communications in electronic storage. (Legal Information Institute)

This authority may be relevant if later evidence shows unauthorized access to stored messages, account records, email, cloud communications, Verizon account records, or other stored electronic communications.

4. Identity Theft and Authentication Misuse — 18 U.S.C. §§ 1028 and 1028A

Federal identity-theft provisions may be relevant if evidence later confirms unauthorized use of my personal identifying information, account credentials, SIM/eSIM credentials, authentication features, or identity-related information in connection with account takeover, unauthorized device provisioning, or fraudulent access.

5. Customer Proprietary Network Information — 47 U.S.C. § 222

47 U.S.C. § 222 requires telecommunications carriers to protect the confidentiality of proprietary information relating to customers, including customer proprietary network information. (Legal Information Institute) Customer proprietary network information includes information relating to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service made available to the carrier by virtue of the carrier-customer relationship. (Legal Information Institute)

This authority is relevant to my request that Verizon review, preserve, and disclose to me the account-security information, SIM/eSIM activity, authentication events, device identifiers, and access history associated with my wireless line.

6. FCC SIM Swap and Port-Out Fraud Protections

The Federal Communications Commission adopted rules intended to protect consumers from SIM-swap and port-out fraud. The FCC’s SIM-swap and port-out fraud materials state that wireless providers must notify customers regarding SIM change and port-out requests, offer account-lock options to block SIM changes and number ports, and maintain processes to report, investigate, remediate, and document fraud involving customer accounts. (Federal Register)

These FCC rules are relevant to my request that Verizon confirm whether any SIM change, eSIM transfer, port-out request, device authentication, failed authentication attempt, account-access event, or device-provisioning event occurred on my account without my knowledge or authorization.

III. Description of Reported Irregular Activities

Over the past several months, I have observed and documented behavior that I believe may be associated with unauthorized access, abnormal cellular-network behavior, or device compromise. The following issues are included for preservation and technical review:

A. Network Instability

I have experienced frequent and unexplained service disruptions, including signal drops and periods of instability in areas where I reasonably expected normal cellular coverage. These events have contributed to my concern that my cellular line or device session may be subject to abnormal network behavior, account-level interference, or SIM/eSIM-related problems.

B. Suspected Unauthorized Mirroring or Cloning

I have ongoing concerns that my Apple iPhone 17 may have been mirrored, cloned, or subjected to unauthorized access, allowing an unauthorized party to observe activity, interfere with settings, or manipulate device behavior. I am not stating that this has been conclusively proven by the Rayhunter dashboard alone. However, the recurring pattern of device behavior and account-security concerns has caused me to treat the issue as a potential compromise requiring formal carrier review.

C. Location Data and “Find My” Anomalies

I have observed inaccurate location behavior in Apple’s location-related services, including concerns that “Find My” or system-level location data may not consistently reflect expected device location information. This raises concern about possible location-service interference, account-session interference, device misidentification, or other device-management problems.

D. Unusual Device Behavior and Settings Concerns

I have observed behavior suggesting that settings, access controls, or device functions may not always be operating as expected. I did not authorize any third party to access, configure, control, mirror, clone, or administer my Apple iPhone 17, Verizon account, Apple account, Mac Mini M1, or related connected-device environment.

IV. Verizon Orbic RC400L Rayhunter Monitoring Device

In response to the above concerns, I purchased and configured a Verizon Orbic RC400L mobile hotspot and installed EFForg/Rayhunter on it. The purpose was to create a dedicated security-monitoring device separate from my Apple iPhone 17 and Mac Mini M1.

Rayhunter is designed to analyze cellular traffic and look for suspicious events, including possible downgrade behavior and suspicious IMSI-related requests. EFF explains that Rayhunter analyzes traffic in real time and looks for suspicious events, such as a base station trying to downgrade a connection to 2G or requesting IMSI information under suspicious circumstances. (Electronic Frontier Foundation)

I installed Rayhunter version 0.10.2 using my Apple Mac Mini M1 and the Rayhunter macOS ARM release package. After installation, the Orbic RC400L displayed the expected green status bar, and the Rayhunter dashboard became accessible through the Orbic Wi-Fi network at:

http://192.168.1.1:8080

The Rayhunter dashboard showed active recordings, recording history, available download buttons for pcap, qmdl, and zip files, system information, battery information, and analysis results showing 0 warnings for the reviewed recordings.

V. Device Photograph and Screenshot Evidence

The following device photograph and screenshot evidence should be preserved as part of this incident record.

Exhibit A — Verizon Orbic RC400L Rayhunter Device Photograph

Description: Photograph of the Verizon Orbic RC400L mobile hotspot used as the Rayhunter monitoring device.
Purpose: Shows the physical monitoring device used for the cellular-security review.
Recommended Label:
Exhibit A: Verizon Orbic RC400L Rayhunter Monitoring Device — Physical Device Photograph

Exhibit B — Rayhunter Green Bar / Device Status Photograph

Description: Photograph of the Orbic RC400L display showing the green Rayhunter status bar.
Purpose: Shows that Rayhunter was installed and running on the Orbic device.
Recommended Label:
Exhibit B: Rayhunter Green Status Bar on Verizon Orbic RC400L

Exhibit C — Rayhunter Dashboard Screenshot

Description: Screenshot of the Rayhunter dashboard showing version 0.10.2, current recording, recording history, battery information, storage information, and 0 warnings analysis status.
Purpose: Shows that the Rayhunter web interface was active, recording, and available through the Orbic network.
Recommended Label:
Exhibit C: Rayhunter Dashboard Showing Active Recording and 0 Warnings

Exhibit D — Expanded Rayhunter Analysis Dropdown

Description: Screenshot of the expanded Rayhunter analysis dropdown showing “No warnings to display!”, Rayhunter version 0.10.2, and Device system OS: Linux 3.18.48.
Purpose: Shows that Rayhunter analyzed a recording and did not flag warnings for that specific capture.
Recommended Label:
Exhibit D: Expanded Rayhunter Analysis Showing No Warnings for Reviewed Recording

Exhibit E — Orbic Connected-Device Count

Description: Screenshots of the Orbic connected-device count when no devices, one device, and two devices were connected.
Purpose: Supports the device-count reconciliation record.
Recommended Label:
Exhibit E: Verizon Orbic RC400L Connected-Device Count Reconciliation Screenshots

Exhibit F — Apple Device Wi-Fi Connection Evidence

Description: Screenshots from Apple iPhone 17 and Mac Mini M1 showing connection to the Verizon Orbic RC400L Wi-Fi network, with sensitive identifiers hidden where appropriate.
Purpose: Supports the controlled connection test showing which Apple devices were intentionally connected.
Recommended Label:
Exhibit F: Apple iPhone 17 and Apple Mac Mini M1 Orbic Wi-Fi Connection Evidence

VI. Investigation Through Secondary Monitoring Device

After installing Rayhunter, I connected my Apple devices to the Verizon Orbic RC400L Wi-Fi network to review the Rayhunter dashboard and compare connected-device counts. During initial testing, I observed a temporary device-count discrepancy. At one point, the Orbic appeared to report more connected devices than expected.

Initially, when I believed only my Apple iPhone 17 was authorized for connection, the Orbic device-count behavior appeared inconsistent. Because I have ongoing concerns regarding possible unauthorized mirroring, cloning, or account compromise, I treated that observation as a potential compromise indicator requiring further testing.

However, I later performed a controlled reconnection process. After confirming the distinction between the Orbic admin password and the Orbic Wi-Fi password, reconnecting the Apple iPhone 17, and reconnecting the Apple Mac Mini M1, the connected-device count began matching the expected number of known devices.

The controlled baseline later showed:

  • No Apple devices connected: 0 devices shown.
  • Apple iPhone 17 only connected: 1 device shown.
  • Apple iPhone 17 and Apple Mac Mini M1 connected: 2 devices shown.

Accordingly, the earlier discrepancy is preserved as a reported device-count anomaly, but the later controlled testing reduced the immediate concern that an unknown device remained actively connected to the Orbic Wi-Fi network during the corrected baseline test.

VII. Device-Count Reconciliation Table

Step

Test Action

Known Devices Intentionally Connected

Expected Device Count

Actual Orbic Device Count

Interpretation

1

Initial connection review after Rayhunter installation

Apple Mac Mini M1 and Apple iPhone 17

2

3 initially observed

Temporary discrepancy observed; further review required.

2

Apple Mac Mini M1 disconnected from Orbic Wi-Fi

Apple iPhone 17 only

1

2 initially observed

Initial iPhone-related discrepancy remained during early testing.

3

Apple iPhone 17 disconnected from Orbic Wi-Fi

None

0

0

No device remained actively connected after both known devices were disconnected.

4

Apple iPhone 17 reconnected during early test

Apple iPhone 17 only

1

2 initially observed

Discrepancy appeared to repeat during early testing.

5

Apple iPhone 17 reconnected after confirming correct Wi-Fi password

Apple iPhone 17 only

1

1

Corrected controlled test matched expected count.

6

Apple iPhone 17 and Apple Mac Mini M1 connected after password/network verification

Apple iPhone 17; Apple Mac Mini M1

2

2

Corrected controlled test matched expected count.

7

Both Apple devices disconnected

None

0

0

Normal baseline confirmed.

VIII. Rayhunter Dashboard Findings

The Rayhunter dashboard showed the following:

Field

Observed Result

Rayhunter Version

0.10.2

Device System OS

Linux 3.18.48

Dashboard URL

http://192.168.1.1:8080

Current Recording

Active recording shown

History

Multiple recordings listed

Analysis

0 warnings on reviewed recordings

Expanded Analysis

“No warnings to display!”

Available Downloads

pcap, qmdl, zip

System Information

Storage, memory, and battery visible

The reviewed Rayhunter recording did not produce warnings. The expanded dropdown analysis showed that Rayhunter applied analyzers but displayed “No warnings to display!” for the selected recording.

This finding is significant because it shows that the Rayhunter device was installed, functioning, recording, and applying its cellular-security analysis. However, a 0 warnings result should not be overstated. It means Rayhunter did not flag suspicious cellular behavior in that specific Orbic recording. It does not conclusively determine whether my Apple iPhone 17, Verizon account, Apple account, or any other system has or has not been compromised.

IX. Technical Interpretation

At this stage, this incident should be described as a reported cellular-account and device-security concern involving suspected unauthorized access indicators, device-function anomalies, and initial connected-device count discrepancies, followed by a later controlled test that showed expected device counts.

The presently known facts support the following careful interpretation:

  1. Rayhunter was successfully installed on a Verizon Orbic RC400L.
  2. The Rayhunter dashboard was accessible through the Orbic Wi-Fi network.
  3. The dashboard showed active recordings and 0 warnings for reviewed captures.
  4. Initial Orbic connected-device counts appeared inconsistent with the number of devices I believed were connected.
  5. Later controlled testing showed normal expected counts:
    • iPhone only = 1 device,
    • iPhone plus Mac Mini = 2 devices,
    • both disconnected = 0 devices.
  6. The corrected test does not independently confirm an unknown active Wi-Fi client.
  7. The initial discrepancy remains preserved as part of the technical record.
  8. The broader concern regarding Apple iPhone 17 compromise and Verizon account security remains unresolved and requires carrier-side review.

Possible explanations for the initial device-count discrepancy include, but are not limited to:

  • Apple private Wi-Fi address behavior,
  • stale DHCP lease or temporary client entry,
  • device-name mismatch,
  • incorrect password/network state during initial connection attempts,
  • Apple ecosystem Wi-Fi credential behavior,
  • router or hotspot client-list refresh delay,
  • or unauthorized access requiring further carrier and forensic review.

X. Formal Complaint to Verizon

To Whom It May Concern:

I am submitting this formal complaint and security incident report regarding my Verizon wireless account, my Apple iPhone 17, and my Verizon Orbic RC400L Rayhunter monitoring device. I am requesting that Verizon treat this matter as a high-priority account-security and fraud-review concern.

I have experienced persistent security concerns and abnormal device/network behavior affecting my Verizon wireless service and Apple iPhone 17. These concerns include network instability, unexplained signal loss, suspected device mirroring or cloning, inaccurate location behavior, and unauthorized-access indicators affecting my device environment.

In response, I purchased and configured a Verizon Orbic RC400L mobile hotspot running EFForg/Rayhunter to create a separate technical monitoring record. Rayhunter was successfully installed and activated. The dashboard showed active recordings and reviewed captures with 0 warnings. I also reviewed connected-device counts on the Orbic network. During initial testing, I observed a device-count discrepancy; later controlled testing showed expected results after confirming the correct Wi-Fi password and reconnecting known devices.

I am not asking Verizon to accept the Rayhunter dashboard as conclusive proof of account compromise. I am asking Verizon to treat the incident record, device behavior, and my account-security concerns as sufficient basis for a detailed fraud, SIM/eSIM, device-authentication, and network-provisioning review.

XI. Requested Verizon Actions

I request that Verizon provide the following account-security review and written response:

1. Technical Account Audit

Please review all device identifiers, IMEI/IMEI2 records, SIM/eSIM records, ICCID records, MAC-related service records where available, and authenticated device sessions associated with my Verizon account and MSISDN ***-***-**** for at least the prior 60 to 90 days, or longer if Verizon’s records permit.

2. SIM/eSIM and Port-Out Review

Please confirm whether any of the following occurred:

  • SIM change,
  • eSIM transfer,
  • eSIM download,
  • eSIM reactivation,
  • port-out request,
  • number transfer attempt,
  • failed port-out attempt,
  • unauthorized device provisioning,
  • unauthorized device authentication,
  • account lock change,
  • fraud lock change,
  • account PIN change,
  • or profile reprovisioning event.

3. Network Re-Provisioning

Please perform or advise whether Verizon can perform a full security-oriented reprovisioning of my wireless line to address potential unauthorized sessions, stale provisioning states, abnormal routing, or SIM/eSIM configuration concerns.

4. Account Security Lockdown

Please confirm whether the following protections are active or available:

  • Number lock / port freeze,
  • SIM transfer lock,
  • account takeover protection,
  • high-security authentication flag,
  • in-store-only account changes,
  • account PIN reset,
  • device upgrade/change restrictions,
  • and written notification before SIM/eSIM or port-out actions.

5. Authentication and Access Review

Please review Verizon account-login history, failed login attempts, support contacts, in-store account access, customer-care access events, and any employee-assisted changes to my account.

6. Fraud and Cybersecurity Escalation

Please escalate this matter to Verizon’s fraud and cybersecurity departments for review of possible account compromise, SIM/eSIM misuse, device cloning indicators, unauthorized account access, and unauthorized service-control activity.

7. Written Findings

Please provide a written response identifying:

  • what Verizon reviewed,
  • whether unauthorized account activity was found,
  • whether any SIM/eSIM or port-out activity occurred,
  • whether any unknown device identifiers accessed or were associated with my line,
  • whether any remediation steps were completed,
  • and what additional steps Verizon recommends to secure my account and line.

XII. Relationship to Federal Communications and Consumer Protection Concerns

Because this complaint concerns potential unauthorized access to a wireless account, possible SIM/eSIM misuse, suspected interception indicators, and customer proprietary network information, I request that Verizon review this complaint in light of its obligations to protect customer account information and customer proprietary network information.

Under 47 U.S.C. § 222, telecommunications carriers have a duty to protect customer proprietary information. (Legal Information Institute) FCC SIM-swap and port-out fraud rules further require wireless providers to adopt protections related to customer authentication, customer notice, account-lock options, fraud reporting, fraud investigation, remediation, and documentation involving customer accounts. (Federal Register)

If Verizon is unable to resolve or explain the account-security concerns, I may preserve this report for escalation to the Federal Communications Commission, appropriate consumer-protection agencies, and law enforcement.

XIII. Evidentiary Significance

The evidence documented in this report is significant because it relates to:

  • my Verizon wireless account,
  • my mobile telephone number,
  • my Apple iPhone 17,
  • potential SIM/eSIM security,
  • potential unauthorized account access,
  • cellular-network integrity concerns,
  • device-count reconciliation,
  • Rayhunter cellular-security monitoring,
  • and preservation of technical records for possible future escalation.

The Rayhunter dashboard evidence is significant because it shows that a separate monitoring device was installed and functioning. The Orbic connected-device screenshots are significant because they document the process used to compare expected connected devices against actual connected-device counts. The corrected baseline is also significant because it prevents overstatement of the earlier discrepancy and shows that later controlled testing produced expected results.

XIV. Preservation Statement

I am preserving this incident report, Rayhunter screenshots, Orbic connected-device screenshots, Verizon account notes, Apple device connection notes, and any available Rayhunter recording files for personal records and possible escalation.

I will preserve, where available:

  1. Photographs of the Verizon Orbic RC400L device.
  2. Photographs showing the Rayhunter green status bar.
  3. Screenshots of the Rayhunter dashboard.
  4. Screenshots of expanded Rayhunter analysis results.
  5. Screenshots of Orbic connected-device lists.
  6. Notes showing the date and time of each device-count test.
  7. Any downloaded Rayhunter ZIP, PCAP, or QMDL files.
  8. Verizon account-security notes.
  9. Apple iPhone 17 Wi-Fi connection screenshots.
  10. Apple Mac Mini M1 Wi-Fi connection screenshots.
  11. Any future Verizon written response.

This report is prepared as a contemporaneous personal record and as a formal complaint record for Verizon, FCC and FTC reviews. The report is intended to preserve the factual sequence, technical observations, and requested carrier-side audit actions.

XV. Report-Ready Summary Paragraph

On or about May 6, 2026, I installed and activated EFForg/Rayhunter version 0.10.2 on a Verizon Orbic RC400L mobile hotspot for personal cybersecurity monitoring and evidence-preservation purposes. Rayhunter was selected because it is an open-source cellular-security tool designed to detect IMSI catchers and was first designed for the Orbic RC400L mobile hotspot. After installation, the Orbic displayed the Rayhunter green status bar, and the Rayhunter dashboard became accessible through the Orbic Wi-Fi network at http://192.168.1.1:8080. The dashboard showed active recordings, recording history, system information, and reviewed captures with 0 warnings. During early connected-device testing, I observed a temporary device-count discrepancy, but later controlled reconnection testing showed expected counts: iPhone only equaled one connected device, iPhone plus Mac Mini equaled two connected devices, and both disconnected equaled zero devices. I am preserving the earlier discrepancy as part of the technical record while noting that the corrected baseline did not independently confirm an unknown active Wi-Fi client. Because I continue to experience broader device-security and Verizon account-security concerns, I request that Verizon perform a formal fraud, SIM/eSIM, device-authentication, provisioning, and account-access audit and provide written findings.

Respectfully submitted,
Sarai Hannah Ajai

Date: May 11, 2026













Labels:
Location: North Dakota, USA

Comments

Post a Comment