
Stolen iPhones Fueling Cybercrime Ecosystem, Researchers Find

A cybersecurity firm has uncovered a thriving underground market offering tools and services to unlock stolen iPhones, turning devices into a gateway for financial theft and identity compromise.

Joshua Ramos
Joshua Ramos covers cybersecurity for Techawave.

An intricate network of cybercriminal services is exploiting stolen iPhones, transforming the once-private devices into lucrative tools for financial fraud and identity theft. Researchers at cybersecurity firm Infoblox have identified a burgeoning ecosystem on the web and messaging platforms like Telegram that provides the necessary software to bypass device security and facilitate phishing attacks, according to their latest findings. This underground economy, largely focused on iPhones, involves dozens of groups selling specialized "unlocking" tools and sophisticated phishing kits.

The scale of this illicit activity is substantial, with Infoblox tracking over 10,000 phishing websites linked to this market. Traffic to these malicious domains surged by an alarming 350 percent in the past year alone. "Reselling is a hundred percent what they’re going for," stated Maël Le Touz, a staff threat researcher at Infoblox. He noted that buyers, often operating at a smaller scale than large criminal syndicates, acquire pay-per-use software for as little as $10, indicating broad accessibility to these harmful tools.

The Growing Market for Stolen Handsets

The number of stolen phones has been on a steady rise in recent years. In London, for instance, approximately 80,000 devices are reported stolen annually. While tech giants like Apple and Google have bolstered their device protections, sophisticated and less-advanced criminals alike continue to profit from stolen handsets. If a thief gains access to an unlocked phone or knows its passcode, they can potentially access online banking accounts or cryptocurrency wallets. Street-level thieves can still fetch hundreds of dollars per device on the black market.

"Phone thieves don’t just want the handset—they want access to bank accounts and personal information," warned Will Lyne, head of economic and cybercrime at London’s Metropolitan Police. He cited a case where four individuals were apprehended with over 5,000 stolen phones and were actively exploiting financial accounts on the devices. Dan Guido, CEO of security firm Trail of Bits, emphasized the financial incentive, explaining that a locked stolen phone might fetch $50 to $200, but an unlocked one could be worth $500 to $1,000. This significant profit margin fuels innovation in methods to breach device security.

The Infoblox researchers began investigating this underground economy after a contact in law enforcement in Asia reported their iPhone stolen, followed by a phishing attempt using alternative contact details. The phishing link mimicked an Apple "Find My" page, displaying a fake location and prompting the user for their device's PIN code. Similar reports have surfaced from individuals worldwide, including warnings from the Swiss National Cybersecurity Center, detailing phishing messages received after losing iPhones. Attackers aim to gain control of Apple iCloud accounts, effectively removing the device from the owner's legitimate management.

"To make the messages look convincing, they include accurate details of the missing device—such as its model, colour, and storage capacity—which the scammers can read directly from the phone itself," the Swiss body noted in November. "As there is no known way to bypass this lock, tricking the owner through social engineering is the only realistic option for criminals."

By creating DNS fingerprints for the phishing domains, Infoblox researchers identified numerous related websites masquerading as Apple services. Some of these sites exposed their administrative login pages and openly advertised tools for unlocking phones. Ultimately, the investigation pinpointed multiple groups on Telegram actively promoting these "unlocking" services. Common offerings across these groups include tools that claim to jailbreak older iPhones or Android devices to extract owner information, phishing kits marketed as "Find My iPhone Off" tools for account access, and scripts coupled with AI voice-calling software to automate phishing operations.

"What you need, first of all, is physical access to the phone," Le Touz explained. Even if jailbreaks fail, the available systems can still be leveraged for phishing attacks to gather necessary information. "All the tools we analyzed wipe the device by default as soon as access is attained," the researchers reported. Evidence, including a video obtained by researchers showing software called iRealm generating fake Apple service pages, highlights the sophistication of these tools. Posts associated with iRealm mention features like "Find My iPhone nullified" and advertise scripts for Apple Pay integration, promising a "seamless experience" for accessing and unlocking Apple devices.

Discussions within these Telegram groups reveal users inquiring about bypassing device locks, such as one post asking about turning off "Find My" on blocked iPhones. While the services do not explicitly advertise for use with stolen devices, the integration of phishing tools strongly suggests illicit intent. "There’s plenty of means to unlock your own phone through legitimate use of your Apple ID," noted Dan Guido of Trail of Bits. "Apple’s provided the right pathway for people that legitimately can't get into their own devices, but these things serve no purpose for someone who's legitimately trying to do that." After being contacted by WIRED, Telegram reportedly removed several groups associated with these unlocking services, though a spokesperson stated the platform maintains "industry-leading moderation" against cybercrime.

Apple has made significant strides in enhancing device security in recent years, rendering many older jailbreaks obsolete and fortifying newer iPhones against exploits. The company has also introduced Stolen Device Protection, which adds layers of security against unauthorized changes—though users must enable this feature. Law enforcement officials advise users to activate built-in anti-theft features, keep software updated, use strong passwords, and remain vigilant in public to mitigate risks should their iPhone be stolen.

Source: WIRED