MacBook scams when buying a Mac: how to avoid getting ripped off
MacBook scams in the second-hand market all run on two server-side locks Apple will not remove for second-hand buyers. The architecture behind them, the recurring fraud patterns, the 15-minute pre-purchase protocol, and the remediation paths when something goes wrong.

MacBook scams when buying a Mac: how to avoid getting ripped off#
Two server-side locks dominate every MacBook scam pattern in the second-hand market, and Apple will not remove either one for a second-hand buyer without Apple-accepted proof of original purchase. A used Mac concentrates several thousand dollars of value into a recognizable brand with hardware-bound identifiers, and the locks that protect the original owner from theft also make a stolen or otherwise tainted unit nearly impossible to "fix" after the fact. This guide catalogs the fraud patterns that recur most often, the 15 to 20 minute pre-purchase protocol that catches almost all of them, and the remediation paths when something has gone wrong. For the activation-lock side specifically, see the dedicated walkthrough on the Activation Lock and Find My checks in detail, and the Activation Lock reference that explains why the binding is hardware-enforced covers why an SSD wipe and macOS reinstall do not clear it.
The architecture that drives the scams#
Three structural facts shape almost every used-Mac scam.
Activation Lock is enforced server-side. On any Apple Silicon Mac or T2-equipped Intel Mac, Activation Lock is enforced by Apple's servers against the device's hardware identifier. Once Find My Mac is enabled, the device's UUID and serial are registered on Apple's iCloud activation servers as locked to a specific Apple ID. Erasing the SSD, reinstalling macOS, or replacing internal components does not remove the lock. Apple's published policy is that it will not bypass Activation Lock for anyone other than the original purchaser without Apple-accepted proof of ownership (al-support.apple.com).
MDM enrollment is bound at Apple's servers, not on the disk. When an organization buys Macs through Apple Business Manager (ABM), Apple School Manager (ASM), or the older DEP (collectively now Automated Device Enrollment, ADE), the serial number is permanently registered to that organization on Apple's servers. On every fresh boot, every macOS reinstall, and every Erase All Content and Settings, the Mac contacts Apple's ADE servers and re-downloads the management profile. Wiping does nothing. The full mechanics, including why "Remote Management" on a Mac can't be removed from the user side, live in a separate post.
On Apple Silicon, the SSD is cryptographically paired with the SoC. The SSD modules are NAND-only; they pair with the SoC's built-in storage controller and the Secure Enclave. They cannot be silently swapped between machines without bricking. The logic-board-plus-SoC-plus-NAND unit can be swapped as a whole; the NAND alone cannot.
Hardware fraud: the Mac Studio case-swap problem#
The Mac Studio is uniquely vulnerable to case-swap and logic-board-transplant fraud. Outer chassis dimensions (7.7 x 7.7 x 3.7 inches) and housing are identical across all configurations in a generation; the price spread runs from $1,500 to $13,000+; and the case has its own laser-etched serial independent of the logic-board serial reported by macOS.
The two recurring patterns: a scammer transplants a lower-spec board into a high-spec shell so the case sticker reads "M1 Ultra, 128 GB, 4 TB" while About This Mac reports the board's true identity; or a scammer with an Activation-Locked board buys a damaged-case unit whose chassis serial is clean in Apple's systems, swaps the boards, and ships a unit that locks at first boot because Activation Lock follows the logic board. The chassis-weight diagnostic for Mac Studio Ultra vs Max is the single most reliable catch for this pattern.
Apple Authorized Service Providers normally re-flash the system serial onto a replacement logic board so the two match; independent shops typically do not. Cross-generation swaps fail (Secure Enclave and SSD-SoC binding), but intra-generation, intra-model swaps work fine. A Mac Studio M1 Max board runs in an M1 Ultra chassis and reports itself as a Max (Macworld's coverage of Luke Miani's logic board swap demonstrations). That intra-generation population is what scammers exploit.
The cooling-mass diagnostic#
The Mac Studio Ultra uses a heavier copper thermal module; the Max uses a lighter aluminum heatsink. Chassis weight differs by roughly two pounds between configurations in the same generation, and copper density is independent of any sticker or serial manipulation.
| Generation | Configuration | Cooling | Reference weight |
|---|---|---|---|
| M1 Mac Studio | M1 Max | Aluminum heatsink | 5.9 lb / 2.7 kg |
| M1 Mac Studio | M1 Ultra | Copper thermal module | 7.9 lb / 3.6 kg |
| M3 / M4 Mac Studio | M4 Max | Aluminum heatsink | 6.1 lb / 2.74 kg |
| M3 / M4 Mac Studio | M3 Ultra | Copper thermal module | 8.0 lb / 3.64 kg |
Sources: Apple's Mac Studio specs, 512 Pixels' weight comparison, Tom's Hardware on the M1 Ultra copper cooler. A digital postal scale settles it: an "Ultra" listing whose unit weighs near the Max reference almost certainly contains a transplanted Max logic board.
MacBook component harvesting#
MacBook Pro and Air models are less vulnerable to whole-board chassis swaps because firmware-level pairings to the keyboard controller, trackpad, battery, and Touch ID sensor prevent cross-generation transplants from booting (per iFixit and AppleInsider teardowns). But same-generation component harvesting on MacBooks is widespread. Dishonest repair shops extract original boards, batteries, and SSD modules and replace them with degraded, counterfeit, or lower-spec parts. Because SSD NAND is cryptographically paired with the Secure Enclave, a failed logic board renders user data essentially unrecoverable, creating a thriving black market for functional original boards. One documented case: an iMac owner discovered after a third-party repair that the machine had only two USB-C ports instead of four; the shop had installed a logic board from a lower-spec configuration.
Activation Lock scam variants#
Activation Lock triggers automatically when Find My Mac is on (the default on every Apple-ID-bound Apple Silicon or T2 Mac). Setup Assistant halts on the Activation Lock screen showing an obfuscated Apple-ID hint (e.g., j••••@gmail.com). There is no removal path without the original Apple ID password or Apple-accepted proof of original purchase.
The recurring variants: the seller advertises "iCloud unlocked" and ships a still-locked Mac; the seller signs into a throwaway Apple ID, completes Setup Assistant on camera, ships, then signs the same Apple ID back into iCloud and re-locks once payment clears (or once eBay's 30-day window expires); the seller has already completed Setup Assistant with their Apple ID and ships a Mac that will lock the moment the buyer runs Erase All Content and Settings or installs a macOS update; the listing claims "for parts" and ships an actually-functional but Activation-Locked Mac; and third-party sites sell "iCloud bypass" services for $100 to $300 that are essentially always fraudulent on Mac. Some of those services additionally harvest the Mac's serial and feed it back into the resale-fraud ecosystem.
How stolen Macs become "unlocked" Macs#
Activation Lock is robust enough that organized theft rings cannot break it cryptographically. They exploit the victim instead. When a victim activates Lost Mode in Find My, the locked screen displays the owner's contact phone number. Theft rings harvest that contact information and, weeks or months later, send spoofed iMessage / SMS phishing messages styled as official Find My notifications. The link leads to a credential-harvesting fake iCloud page. If the victim enters their credentials, the criminals remove the stolen Mac from Find My and clear server-side Activation Lock, restoring the device to a clean, sellable state. The Find My phishing pipeline that laundered stolen Macs travel through has been reported by Cybernews and other cybersecurity outlets. A buyer who acquires a "clean" Mac from a stranger on a marketplace may be unknowingly fencing a unit that traveled this path.
MDM / corporate-lock scams#
When an organization registers a Mac in ABM or ASM and assigns it to an MDM (Jamf, Kandji, Mosyle, Intune, Addigy), the serial is permanently bound to that tenant. Because ADE devices are supervised by default, the management profile cannot be removed from the user side.
The recurring patterns: a company auction or liquidator sells Macs as "factory reset, ready for new owner" without releasing them in ABM (a widely circulated example involves an Equinox Holdings MacBook used for five years before Erase All Content and Settings surfaced the lock); sellers buy pallets of ex-lease Macs from secondary-market liquidators and list them as "good condition, password reset done" (a "DO NOT ERASE" text after the sale is a common red flag); a scammer truthfully claims "no Activation Lock" while concealing that the Mac is MDM-locked; and the "wait 30 days and erase" claim conflates manual Apple Configurator side-loaded enrollment with ABM/ASM, which has no opt-out window.
Documented client-side bypass workarounds (booting into Recovery, disabling SIP, deleting active enrollment profiles, redirecting iprofiles.apple.com to 0.0.0.0 in /etc/hosts, unloading enrollment-check daemons) hide the Remote Management prompt at the UI level. The device remains registered in ABM, and the bypass disappears the moment macOS is reinstalled cleanly, NVRAM is reset, a system update overwrites /etc/hosts and re-enables SIP, or any process re-queries Apple's enrollment servers. Commercial "iCloud unlock" and "MDM bypass" services for Macs are always scams for exactly this reason. Using bypass tools on a device that is not legally yours may also constitute computer-fraud or unauthorized-access violations.
The only legitimate release paths: the organization's ABM/ASM admin clicks Release Device at business.apple.com (irreversible); the MDM admin issues a remove-management command while the device is online; or the original purchaser provides receipts to Apple Business Support. A second-hand individual buyer has effectively no path unless they can reach a cooperative person at the original organization.
State spoofing and forged evidence#
Doctored "Find My is off" screenshots edit the toggle position. Apple's Check Coverage does not natively display an Activation Lock line for Macs, so any "Activation Lock: Off" badge on a Mac Check Coverage screenshot is fabricated by definition; the reference for every field the Coverage Check response page returns details what Apple actually shows. Video-call deception toggles Find My off on camera and re-enables it before shipping. Apple Configurator does not display Activation Lock as a status field. DFU restore reinstalls firmware but does not remove Activation Lock. Only state observed by the buyer on the buyer's hardware, after the buyer takes possession, is reliable. The full forgery catalog and what passes for legitimate proof covers each pattern in detail.
Marketplace-specific patterns#
eBay. Avoid classified-ad listings entirely. They carry no Money Back Guarantee, push contact off-platform, and hijacked accounts routinely list Mac Studios at attractive prices and push to Zelle or wire. Other patterns: empty-box / weight-filler shipments, return switcheroos (buyer swaps in a lower-spec board and returns claiming "not as described"), cloned listings, AppleCare misrepresentation. eBay Authenticity Guarantee does not cover Macs. eBay Money Back Guarantee covers SNAD within 30 days of delivery, and Activation Lock / MDM / serial-mismatch claims are generally winnable. The largest documented Mac-related fraud case is a DOJ prosecution of a $16.2M Chinese counterfeit Apple device return fraud ring that imported counterfeit Macs with cloned serials and exchanged them at Apple Stores for authentic replacements.
Craigslist. Cash-meetup robbery, faked Zelle / Venmo "pending" screenshots, faked storefronts using stolen Apple branding. Meet only at well-lit, surveilled public locations. Many U.S. police departments designate their lobbies as "Internet Exchange Zones." Cash only, counted in front of the seller, with a second person.
Facebook Marketplace. Shipping-label scams (prepaid label routed elsewhere), fake payment confirmations (Zelle / Venmo / Cash App have no genuine pending state for completed P2P transfers between consumer accounts), cloned listings, OTP phishing, off-platform pressure. Marketplace Purchase Protection only applies to on-platform shipping-checkout orders; local-pickup has essentially no protection.
Reddit swap subs. Aged-account cultivation, confirmed-trade collusion between accomplice accounts, "you send first" pressure, PayPal Friends and Family demands, spoofed PayPal email confirmations. Always require PayPal Goods and Services, signature confirmation, and a live video call.
Freight-forwarding fraud. Scammers purchase high-value Macs with stolen credit cards and ship to a domestic forwarding warehouse (concentrations sit in tax-free zip codes like The Dalles, Oregon), then dispute claiming non-receipt. PayPal Seller Protection requires shipment only to the address on the Transaction Details page; refuse any "ship to my forwarder" request.
The 15 to 20 minute pre-purchase protocol#
Triple-match serial verification. Three serial sources must be identical: the laser-etched serial on the case bottom; the serial in Apple menu > About This Mac; and the serial from ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformSerialNumber/ {print $4}'. Verify on checkcoverage.apple.com and decode on everymac.com. The resolved model identifier and configuration must match the listing.
Mac Studio mass audit. Weigh the chassis on a digital postal scale. An advertised Ultra near Max reference weight indicates a board swap. Inspect screws, structural boundaries, and the rubber base for adhesive residue or misaligned seams.
Activation Lock state. System Information > Hardware Overview must show Activation Lock Status: Disabled. The seller's name must not appear at the top of System Settings > Apple ID. Find My Mac in iCloud settings must be off. Watch the seller perform Erase All Content and Settings on video and reach Setup Assistant. The full pre-purchase Activation Lock check, step by step covers the video script that holds up in a dispute.
MDM state on a real network. After the Wi-Fi step in Setup Assistant, the Mac must reach Migration Assistant rather than a Remote Management screen naming an organization. Use a cellular hotspot rather than the seller's Wi-Fi so that local DNS redirection cannot suppress the enrollment query. In Terminal on a booted system: sudo profiles show -type enrollment should return Client is not DEP enabled; cat /etc/hosts should not contain Apple enrollment domains; csrutil status should report SIP enabled.
Documentation in writing. Ask the seller in writing: "Is this Mac currently or previously enrolled in Apple Business Manager, Apple School Manager, DEP, or any MDM?" A "no" in writing is admissible later. Request the original receipt from Apple or an Apple Authorized Reseller plus a live dated video covering the boot, About This Mac, the case-bottom serial, the erase, and Setup Assistant through Wi-Fi.
Payment and shipping. Pay only via eBay checkout, PayPal Goods and Services, Facebook Marketplace checkout, or credit card. Never use PayPal Friends and Family, Zelle, Venmo, Cash App, Apple Cash, or wire transfer with an unfamiliar counterparty. Ship with signature confirmation, full insurance for declared value, and tracking from a tier-1 carrier.
On-receipt protocol. Record an unbroken unboxing video before opening the package. Photograph the case serial against the shipping label and box. Power on and confirm Setup Assistant proceeds without Activation Lock or Remote Management screens. Re-run the triple-match. If anything is wrong, open a marketplace dispute within the platform's window before attempting any repair or modification.
Remediation when something has already gone wrong#
Identify the lock first. "This Mac is linked to an Apple ID. Enter the Apple ID and password..." is Activation Lock. Note the obfuscated email hint; if it matches the seller's, that is hard evidence. "[Organization] will automatically configure your Mac" is MDM/ADE. A local-account login with the previous owner's name means the seller never erased.
File a marketplace or payment dispute promptly within its window. eBay Money Back Guarantee: 30 days from delivery, open from Purchases > Return this item. PayPal Goods and Services SNAD: 180 days from payment, buyer typically pays return shipping. Facebook Marketplace Purchase Protection: checkout-shipped orders only, short window. Credit card chargeback: 60 to 120 days typical. Zelle / Venmo / Cash App / PayPal F&F / Apple Cash / wire: no recourse.
Archive the listing URL at archive.today or web.archive.org before the seller deletes it. File a police report if the device is plausibly stolen; some marketplaces require one before acting on clearly criminal cases.
Submit Apple's Activation Lock Support Request at al-support.apple.com with the original Apple Store or Apple Authorized Reseller receipt showing your name and the serial. Apple does not accept eBay, PayPal, or Facebook receipts, private bills of sale, box photos, or Check Coverage screenshots. Without original-owner cooperation, this is a long shot for second-hand buyers, but it is free.
For MDM-locked devices, identify the supervising organization shown on the Remote Management screen and contact their IT department. If the Mac was legally sold during a corporate refresh and the team simply failed to release it, an administrator can log into business.apple.com > Devices > Release Device. If the organization refuses, the Mac is most likely stolen.
If the Mac cannot be unlocked, Apple Recycling accepts iCloud-locked and MDM-locked Macs for free at any Apple Store. Selling "for parts" is acceptable only with explicit disclosure ("Activation Lock active / Apple ID linked, for parts only, will not function as a computer"); failing to disclose passes the scam to the next buyer and is itself fraud. Do not buy or sell "iCloud unlock" or "MDM bypass" services; they do not produce persistent results on current Apple Silicon.
What this means for the reader#
Apple will not help a second-hand buyer remove Activation Lock or MDM/ADE locks without Apple-accepted proof of original purchase, and second-hand buyers do not have it. Marketplace protections are the actual safety net, and they vary dramatically: eBay Money Back Guarantee and PayPal Goods and Services have teeth; Facebook Marketplace local pickup, Zelle, Venmo, Cash App, and PayPal Friends and Family give essentially no recourse. Documentation is everything; the party who logs less loses.
The used-Mac market is functional, and most transactions complete cleanly. The recurring failure mode is skipping verification because the counterparty seems trustworthy. The 15 to 20 minute protocol above is tedious but small relative to the price of a maxed Mac Studio or MacBook Pro, and it is the single most reliable predictor of whether the trade ends well. The signed diagnostic Macfax exports for a listing compresses part of it into a single chassis-vs-board serial cross-match against Apple's records, designed to flag the swaps and the locks before money moves; the protocol above is what catches everything else.
Buying a Mac? Every listing on the Macfax shelf carries a record: the exact configuration, an honest asking price, and a report you can check.