The article describes a Telegram-based underground marketplace that sells iPhone unlocking tools, smishing kits, and social-engineering services to help thieves turn stolen devices into resaleable goods. It also shows how threat actors use Apple lookalike domains, Telegram bots, and detection-evasion tricks to scale smishing campaigns and monetize stolen iPhones. #Apple #Telegram #iCloud #ActivationLock
Key points
- Stolen iPhones are being monetized through an underground ecosystem focused on unlocking devices rather than stealing data.
- Threat actors use smishing and fake Apple Find My-style pages to trick owners into entering passcodes and Apple Account credentials.
- Dozens of Telegram groups and resellers offer unlocking tools, phishing kits, and social-engineering services on a pay-as-you-go basis.
- The tools can extract device details such as serial number, original activation country, and linked Apple Account to personalize attacks.
- Researchers identified more than 10,000 related domains, with traffic to campaign infrastructure increasing sharply in 2025.
- Some tools include detection-evasion features that check for blocking and submit delisting requests to Google Safe Browsing.
- The ecosystem appears optimized for hardware resale, with stolen phones often wiped after access is gained and sold for profit.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Link – Used to send victims a malicious URL via text, WhatsApp, or email to a fake Apple page (‘The malicious link can be sent over WhatsApp, text or email’).
- [T1056] Input Capture – Used to steal the screen lock passcode and Apple Account credentials when victims entered them on the phishing page (‘asking for the PIN code to unlock the phone’; ‘Once the victim enters their credentials’).
- [T1204.001] User Execution: Malicious Link – Relied on the target clicking the link in the message to reach the spoofed landing page (‘The text was sent to the contact number displayed on the locked phone’s screen’).
- [T1589.001] Gather Victim Identity Information – Collected victim name, email, passcode length, language, and location to make phishing more believable (‘victim’s name, email, and whether the passcode has four or six digits’).
- [T1598.001] Phishing for Information: Spearphishing Service – Used smishing templates and impersonation of Apple support to elicit sensitive information (‘pre-recorded sound files… impersonating Apple and asking for the passcode’).
- [T1036] Masquerading – Disguised phishing sites and messages as legitimate Apple services (‘closely resembles the real Apple Findmy page’; ‘crafted to look like it was sent from an official Apple account’).
- [T1110] Brute Force – The tools automated repeated unlock attempts through a pay-as-you-go model (‘pay a small fee per unlock attempt’).
- [T1211] Exploitation for Defense Evasion – The tools attempted to contest security blocks and request delisting from Google Safe Browsing (‘automatically request delisting from Google Safe Browsing’).
- [T1210] Exploitation of Remote Services – Used Telegram bots and panels to remotely query owner data and manage attacks (‘identify linked devices on iCloud’).
Indicators of Compromise
- [Domains] Phishing and smishing infrastructure – applemaps-support[.]live, findyourphone[.]help, applemap[.]us, and 15 more domains
- [Telegram groups/bots] Underground marketplace and owner-data lookup – dozens of Telegram groups, specific Telegram bots
- [File types / tooling] Unlocking and phishing tools – Windows binary unlocking tool, GUIs built on command-line utilities, smishing template kits
- [URL paths / web themes] Fake Apple support and Find My lookalikes – viewlocation[.]app, find-your-phone[.]help, support-lcloud[.]xyz
- [Service references] Detection-evasion and reputation systems – Google Safe Browsing, attacker-controlled endpoint hosting smishing-domain lists
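As an added defensive example (not code from the Infoblox article or its authors), the Python below scores domains from a smishing feed for Apple/Find My lookalike features, including the `lcloud` for `icloud` substitution seen above; the brand tokens, theme words and confusable-character pairs are assumptions of this example, and the sample domains are the defanged indicators quoted on this page.

```python
# Added example: flag Apple / Find My lookalike domains in a smishing indicator feed.
# Token lists and confusable pairs below are this example's assumptions, not the article's.
BRAND_TOKENS = ("apple", "icloud", "findmy")                               # strong signal
THEME_TOKENS = ("find", "phone", "location", "support", "map", "unlock")   # weak on its own
CONFUSABLE = {frozenset(p) for p in ("il", "i1", "l1", "o0", "e3")}       # lcloud -> icloud
APPLE_OWNED = ("apple.com", "icloud.com")


def refang(indicator: str) -> str:
    """'applemaps-support[.]live' -> 'applemaps-support.live' (lower-cased)."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")


def brand_match(text: str, token: str, max_subs: int = 1):
    """Slide token over text: 'exact' on a plain hit, 'homoglyph' if the window differs
    only by up to max_subs confusable characters, None otherwise."""
    hit = None
    for i in range(len(text) - len(token) + 1):
        pairs = list(zip(text[i:i + len(token)], token))
        diffs = [(a, b) for a, b in pairs if a != b]
        if not diffs:
            return "exact"
        if len(diffs) <= max_subs and all(frozenset(d) in CONFUSABLE for d in diffs):
            hit = "homoglyph"
    return hit


def classify(indicator: str):
    """Return (level, reasons); level is allow / high / medium / low / none."""
    host = refang(indicator)
    if host in APPLE_OWNED or host.endswith(tuple("." + d for d in APPLE_OWNED)):
        return "allow", ["apple-owned"]
    # Drop the TLD and join the remaining labels so 'icloud.com.evil.xyz' still scores.
    compact = host.rsplit(".", 1)[0].replace("-", "").replace(".", "")
    reasons = []
    for tok in BRAND_TOKENS:
        kind = brand_match(compact, tok)
        if kind:
            reasons.append(("brand:" if kind == "exact" else "homoglyph:") + tok)
    themes = ["theme:" + t for t in THEME_TOKENS if t in compact]
    if reasons:
        return "high", reasons + themes
    if len(themes) >= 2:
        return "medium", themes
    return ("low", themes) if themes else ("none", [])


if __name__ == "__main__":
    # Constructed input: the defanged indicators quoted on this page plus one Apple-owned host.
    for d in ("applemaps-support[.]live", "support-lcloud[.]xyz", "findyourphone[.]help",
              "viewlocation[.]app", "support.apple.com"):
        print(d, *classify(d))
```

The TLD split is deliberately naive (no public-suffix list, so it runs offline); swap in a suffix-list parser before using this on a production feed.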
Read more: https://www.infoblox.com/blog/threat-intelligence/lookalike-domains-expose-the-iphone-theft-economy/