Unlocking the Underground: The Cybercrime Ecosystem Fueling Stolen iPhone Resales
A thriving underground ecosystem of software and services is powering the market for stolen iPhones, enabling criminals to unlock devices and access sensitive data. **Infoblox** researchers have uncovered a network of tools, phishing kits, and AI-powered scams facilitating this illicit trade, highlighting the financial incentives driving phone theft.
Every year, millions of phones are stolen, and a significant portion of these are **iPhones**. While some are dismantled for parts, a more lucrative option for criminals is to unlock and wipe the devices for resale. Researchers have now shed light on the cybercrime services that enable this process.
Across the web, particularly on **Telegram**, a "thriving" ecosystem exists where software sellers provide "unlocking" tools and phishing technology to compromise stolen **iPhones**, according to **Infoblox**. Their research indicates that dozens of groups are selling these tools, focusing primarily on **iPhones**, and have linked over 10,000 phishing websites to this activity. Traffic to these domains surged by 350 percent last year, highlighting the growing scale of this illicit market.
### The Economics of Unlocking
**Maël Le Touz**, a staff threat researcher at **Infoblox**, notes that the primary goal is reselling unlocked phones. With average unlocking costs below $10, it's accessible to individuals who aren't necessarily dealing with large volumes of stolen devices. The increasing number of phone thefts globally, such as the estimated 80,000 devices stolen in London in a single year, fuels this market. While **Apple** and **Google** have enhanced security measures, thieves continue to profit by unlocking devices to access bank accounts, crypto wallets, and personal information.
**Will Lyne**, head of economic and cybercrime at London's Metropolitan Police, emphasizes that thieves are after more than just the handset; they seek access to financial accounts and personal data. **Dan Guido**, CEO of **Trail of Bits** and advisor to **iVerify**, points out the significant value difference between a locked ($50-$200) and unlocked ($500-$1000) phone, which incentivizes the development of unlocking methods. "This whole thing is an ecosystem, and there's multiple people at different levels of the supply chain that all work together in order to unlock phones," he says.
### Phishing and Social Engineering
**Infoblox's** investigation began when a law enforcement contact in Asia reported receiving a phishing message after their **iPhone** was stolen. The phishing page mimicked **Apple's Find My** service, displaying a fake map and prompting for the phone's PIN code.
Reports online and from the Swiss National Cybersecurity Center detail similar phishing attempts targeting **Apple iCloud** accounts after **iPhones** are lost or stolen. These messages often include accurate device details, such as model, color, and storage capacity, likely extracted directly from the phone. The Swiss body noted, "As there is no known way to bypass this lock, tricking the owner through social engineering is the only realistic option for criminals."
**Le Touz** explained that **Infoblox** researchers created DNS fingerprints of the phishing domains and tracked related **Apple** look-alike websites, some of which exposed administration login pages and advertised phone unlocking tools. This led to the identification of multiple groups on **Telegram** offering these services.
### The Unlocking Toolkit
According to **Infoblox**, these groups commonly offer three key features: unlocking tools claiming to jailbreak older **iPhones** or **Android** devices and extract owner information; phishing kits disguised as "Find My iPhone Off" to access accounts; and scripts and AI voice calling software to automate phishing campaigns.
"What you need, first of all, is physical access to the phone," **Le Touz** says. If jailbreaks fail, phishing attacks are launched to gather unlocking information. The researchers noted that "All the tools we analyzed wipe the device by default as soon as access is attained."
A video obtained by the researchers showcases software called iRealm generating phishing links and pages that mimic **Apple** services. Other posts related to iRealm advertise features such as "Find My iPhone nullified" and "scripts" that mention **Apple Pay**, promising a "seamless experience" for "accessing and unlocking **Apple** devices."
In various **Telegram** groups, individuals discuss their experiences with unlocking tools, highlighting the collaborative and evolving nature of this underground economy. Some seek assistance in bypassing **Apple's Find My** feature, while others share their success or failure rates with different unlocking methods. Screenshots of phishing text messages, designed to appear as legitimate **Apple** notifications, are also commonly shared within these groups.