The Underground Market That Unlocks Stolen iPhones


Lookalike Domains Expose the iPhone Theft Economy

Authors: Maël Le Touz, Elena Puga

Executive Summary

Modern smartphones are extremely secure and can be remotely locked and turned into a worthless brick if they are stolen. iPhones in particular can be remotely secured using a feature called Activation Lock, preventing all future use in case the device is stolen. Even individual components can be locked by the owner.

And yet, iPhones are stolen … a lot. Figures indicate over 7.35 million are stolen in the United States yearly. So, how do the thieves monetize them?

After a friend reached out for help, we discovered a thriving underground marketplace, organized on Telegram, focused on one thing: unlocking high-end phones—mostly iPhones. By combining technical tooling and social engineering, thieves now have a way to unlock devices at scale and make phone theft profitable.

These so-called "unlocking tools" create a market for stolen phones by allowing anyone with a pulse to try to turn a bricked "lost or stolen" device into easy money.

Although there are no publicly disclosed vulnerabilities that bypass Activation Lock on late-model iPhones, threat actors use clever techniques to convince the owner to enter their passcode. SMS phishing (smishing) is one of them, and our DNS telemetry shows steadily growing and persistent activity.

We initially assumed thieves would be interested in the phone’s data. Those devices, after all, hold potentially priceless personal and corporate information. Interestingly, we discovered the opposite: thieves are after a quick buck, and the value of the data is secondary to the value of the hardware. Their phishing domains appear to be detected often, and some of the tools sold in these forums contain mechanisms to detect DNS blocks and automatically request delisting from Google Safe Browsing.

This paper will detail how, by analyzing DNS clusters, we were able to pivot from an initial text to reveal a thriving marketplace enabling and ultimately driving phone theft. We will then explain how this underground economy functions and how smishing is only one tool in the toolbox they use to gain access to stolen phones.

From Smishing to Panels

When somebody loses access to their iPhone, they can set a message on the locked screen, directing the finder to contact a specific phone number to return the device. See Figure 1. Users will usually choose their spouse’s or parent’s phone number. It’s this helpful feature that offers the scammers a way to reach out to the phone’s owner and manipulate them into unlocking it.

Figure 1. Lost iPhone displaying a contact number

This is how one of our friends was contacted when their iPhone was stolen in Asia. Shortly afterwards, they received a text with a link to a URL hosted on applemaps-support[.]live.

Lookalike domains targeting Apple are nothing new: we detect over 800,000 a year. But the timing of the text was suspicious, and whoever sent the message clearly had the device in their possession.

At first glance, the page on applemaps-support[.]live closely resembles the real Apple Find My page, but it is of course a decoy: the website is not operated by Apple. The phone appeared to be moving on the spoofed map (see Figure 2), but before we could do anything else, a pop-up appeared asking for the passcode to unlock the phone. Had our friend entered their passcode, the thief would have immediately gained full control of the device.

Figure 2. iPhone phishing page shows stolen phone moving

Pivoting on DNS characteristics of the domain, we quickly identified a cluster of related phishing pages, all using Apple lookalike domains.
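The features that tie such a cluster together (an Apple brand token, a "lost phone" lure word, a hyphenated label, a cheap TLD) can be turned into a simple triage score. The script below is an added example, not Infoblox tooling or the authors' pipeline; the token lists, the weights, the flag threshold and the naive two-label apex function are illustrative assumptions, and the sample domain list is constructed (only applemaps-support[.]live comes from this article). It also catches typo-squats such as "appie" via fuzzy matching, which the text does not discuss.

```python
"""Heuristic triage of Apple lookalike domains.

Added example: scores a domain on the features a smishing cluster tends to
share. Token lists, weights and the threshold are illustrative assumptions.
"""
from difflib import SequenceMatcher

BRAND_TOKENS = {"apple", "icloud", "findmy", "applemaps", "appleid", "itunes"}
LURE_TOKENS = {"support", "find", "locate", "lost", "locked", "unlock",
               "verify", "security", "map", "maps", "device", "recovery"}
CHEAP_TLDS = {"live", "top", "xyz", "icu", "club", "online", "site", "shop"}
LEGIT_APEX = {"apple.com", "icloud.com"}          # allow-list of real apexes
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})
FLAG_THRESHOLD = 4                                # assumption: 4+ is a lookalike


def registrable(domain: str) -> str:
    """Naive apex: the last two labels. Real code should use the Public Suffix List."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def tokens(domain: str) -> list[str]:
    """All labels below the TLD, de-leeted and split on hyphens."""
    labels = domain.lower().strip(".").split(".")[:-1]
    out = []
    for label in labels:
        out.extend(tok for tok in label.translate(LEET).split("-") if tok)
    return out


def near_brand(tok: str) -> bool:
    """Fuzzy match for typo-squats like 'appie'; short tokens are skipped."""
    if len(tok) < 4:
        return False
    return any(SequenceMatcher(None, tok, b).ratio() >= 0.8 for b in BRAND_TOKENS)


def score_domain(domain: str) -> tuple[int, list[str]]:
    """Return (score, reasons). An exact brand token beats a fuzzy one; lures cap at 2."""
    if registrable(domain) in LEGIT_APEX:
        return 0, ["legitimate apex"]
    toks = tokens(domain)
    tld = domain.lower().strip(".").rsplit(".", 1)[-1]
    score, reasons = 0, []
    if any(t in BRAND_TOKENS for t in toks):
        score += 3
        reasons.append("brand token")
    elif any(near_brand(t) for t in toks):
        score += 2
        reasons.append("near-brand token")
    lures = sum(1 for t in toks if t in LURE_TOKENS)
    if lures:
        score += min(lures, 2)
        reasons.append(f"{lures} lure token(s)")
    if "-" in domain:
        score += 1
        reasons.append("hyphenated label")
    if tld in CHEAP_TLDS:
        score += 1
        reasons.append(f"cheap TLD .{tld}")
    return score, reasons


def find_lookalikes(domains):
    """(domain, score, reasons) for every domain at or above the threshold, highest first."""
    scored = [(d, *score_domain(d)) for d in domains]
    flagged = [s for s in scored if s[1] >= FLAG_THRESHOLD]
    return sorted(flagged, key=lambda s: -s[1])


# Constructed sample: the article's domain plus invented neighbours and benign names.
SAMPLE = [
    "applemaps-support.live", "icloud-findmy-locate.top", "apple-id-verify.xyz",
    "appie-support.live", "app1e-id.xyz", "support.apple.com", "icloud.com",
    "pineapple-recipes.com", "example.org",
]

if __name__ == "__main__":
    for domain, score, reasons in find_lookalikes(SAMPLE):
        print(f"{score:2d}  {domain:28s} {', '.join(reasons)}")
```

Two design points matter in practice: brand matching is done on whole tokens rather than substrings, so "pineapple-recipes.com" is not flagged, and real apexes are allow-listed before any scoring so that "support.apple.com" never scores. A score like this is a triage filter for pivoting, not a verdict; the confirmed cluster still comes from registration and DNS characteristics.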

Discovery of an iPhone Unlocking Marketplace

Not all the domains in the cluster hosted phishing content. On several of them, the threat actors had inadvertently exposed their own admin login page at the site root. Other pages on the same domains advertised “phone unlocking tools.” This made us curious: could these unlocking services be connected to smishing attacks targeting iPhone owners who had lost their devices?

Indeed, we soon identified dozens of Telegram groups functioning as a large underground marketplace focused on unlocking phones. Different sellers offer their services to end users looking to unlock phones. The products are sold under different names, but always offer the same features:

An unlocking tool: a Windows binary able to automatically "jailbreak" old phones. The same tool also offers a way to extract identifying information from a plugged-in device,

An ‘FMI OFF’ (Find My iPhone Off) or ‘iCloud Webkit:’ a phishing and smishing kit designed to convince legitimate owners to forfeit their...
