Underground Telegram Marketplace Exploits Stolen iPhones via Phishing and Unlocking Tools
Infoblox researchers uncovered a thriving Telegram-based black market specializing in tools and infrastructure to unlock and monetize stolen iPhones. The discovery began when a victim of phone theft received a smishing text linking to a fake Apple Find My page, designed to trick users into surrendering their passcode.
Despite Apple’s Activation Lock, which renders stolen iPhones unusable without the owner’s credentials, over 7.35 million iPhones are stolen annually in the U.S. alone. Thieves prioritize resale value over data extraction, turning to underground markets to bypass security measures. Researchers identified over 10,000 domains tied to phishing kits and unlocking tools, many mimicking Apple’s services with near-identical interfaces.
The marketplace offers Windows-based unlocking tools, FMI OFF (Find My iPhone Off) services, and iCloud Webkit phishing kits, which automate jailbreaking, extract device details (serial numbers, activation countries, Apple IDs), and generate convincing smishing messages. Some tools include AI voice calling software and prerecorded Apple support impersonations in multiple languages to enhance social engineering attacks.
Prices for unlocking services range from $5 to $50, with most tools operating on a pay-as-you-go model. While no known exploits exist for iOS versions above 17.0, some sellers falsely advertise "zero-day" vulnerabilities. Researchers noted a 350% increase in DNS telemetry linked to smishing domains in 2025, indicating a growing threat.
The ecosystem relies on stolen device data to craft targeted phishing campaigns, often using bots to cross-reference credentials and iCloud-linked devices. Despite claims of "forgotten passwords," the tools’ features, such as FMI OFF, suggest their primary use is illicit unlocking. Some operators even include mechanisms to evade DNS blocking and Google Safe Browsing restrictions.
Source: https://www.helpnetsecurity.com/2026/05/15/stolen-iphone-unlocking-tools-telegram-groups/
Apple cybersecurity rating report: https://www.rankiteo.com/company/apple
"id": "APP1778848319",
"linkid": "apple",
"type": "Cyber Attack",
"date": "1/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '7.35 million+ (annual estimate)',
'industry': 'Consumer Electronics, Telecommunications',
'location': 'United States',
'name': 'Apple iPhone users (primarily in the U.S.)',
'size': '7.35 million stolen iPhones annually (U.S. '
'alone)',
'type': 'Individual consumers'},
{'industry': 'Technology, Consumer Electronics',
'location': 'Global',
'name': 'Apple Inc.',
'size': 'Enterprise',
'type': 'Corporation'}],
'attack_vector': 'Smishing (SMS Phishing), Social Engineering, Fake Apple '
'*Find My* Pages, AI Voice Calling Software',
'customer_advisories': 'Apple users should be cautious of smishing texts and '
'fake *Find My* pages, enable two-factor '
'authentication, and avoid sharing passcodes.',
'data_breach': {'data_exfiltration': 'Yes (via phishing kits and unlocking '
'tools)',
'personally_identifiable_information': 'Apple IDs, passcodes, '
'device details',
'sensitivity_of_data': 'High (personally identifiable '
'information, device access '
'credentials)',
'type_of_data_compromised': 'Apple IDs, passcodes, device '
'serial numbers, activation '
'countries, iCloud-linked '
'devices'},
'date_detected': '2025',
'description': 'Infoblox researchers uncovered a thriving Telegram-based '
'black market specializing in tools and infrastructure to '
'unlock and monetize stolen iPhones. The discovery began when '
'a victim of phone theft received a smishing text linking to a '
'fake Apple *Find My* page, designed to trick users into '
'surrendering their passcode. Thieves use these tools to '
"bypass Apple's *Activation Lock*, enabling resale of stolen "
'devices.',
'impact': {'brand_reputation_impact': "Potential damage to Apple's reputation "
'due to bypassed security measures',
'data_compromised': 'Apple IDs, passcodes, device serial numbers, '
'activation countries, iCloud-linked devices',
'identity_theft_risk': 'High (exposure of Apple IDs and passcodes)',
'operational_impact': 'Increased risk of identity theft, '
'unauthorized device resale, phishing '
'campaigns targeting iPhone users',
'systems_affected': 'Stolen iPhones (primarily U.S.-based), '
'phishing domains, unlocking tools'},
'initial_access_broker': {'backdoors_established': 'Unlocking tools (e.g., '
'*FMI OFF*), phishing kits',
'entry_point': 'Smishing texts, fake Apple *Find '
'My* pages',
'high_value_targets': 'iPhone users with '
'*Activation Lock* enabled'},
'investigation_status': 'Ongoing (researchers identified over 10,000 domains '
'tied to phishing kits)',
'lessons_learned': 'Growing sophistication of underground markets in '
'bypassing device security, increased use of AI in social '
'engineering attacks, need for enhanced user awareness and '
'DNS-based threat detection.',
'motivation': 'Financial gain through resale of stolen iPhones, monetization '
'of unlocking tools',
'post_incident_analysis': {'corrective_actions': 'Enhanced DNS monitoring, '
'user education, '
'collaboration with law '
'enforcement',
'root_causes': 'Lack of user awareness, '
'availability of bypass tools, '
'underground market demand for '
'stolen iPhones'},
'recommendations': ['Improve user education on smishing and phishing risks',
'Enhance Apple *Activation Lock* security to prevent '
'bypass tools',
'Monitor and block phishing domains tied to unlocking '
'tools',
'Deploy AI-based detection for voice phishing attempts',
'Collaborate with law enforcement to dismantle '
'underground marketplaces'],
'references': [{'source': 'Infoblox Research'}],
'response': {'enhanced_monitoring': 'DNS telemetry tracking of smishing '
'domains (350% increase in 2025)',
'third_party_assistance': 'Infoblox researchers'},
'threat_actor': 'Underground Telegram marketplace operators, iPhone thieves, '
'phishing kit sellers',
'title': 'Underground Telegram Marketplace Exploits Stolen iPhones via '
'Phishing and Unlocking Tools',
'type': 'Phishing, Unauthorized Unlocking, Black Market Operations',
'vulnerability_exploited': 'Lack of user awareness, Apple *Activation Lock* '
'bypass tools (e.g., *FMI OFF*), iCloud Webkit '
'phishing kits'}