Authors: Maël Le Touz, Elena Puga
Executive Summary
Modern smartphones are extremely secure and can be remotely locked and turned into a worthless brick if they are stolen. iPhones in particular can be remotely secured using a feature called Activation Lock, preventing all future use in case the device is stolen. Even individual components can be locked by the owner.
And yet, iPhones are stolen … a lot. Figures indicate over 7.35 million are stolen in the United States yearly. So, how do the thieves monetize them?
After a friend reached out for help, we discovered a thriving underground marketplace, organized on Telegram, focused on one thing: unlocking high-end phones—mostly iPhones. By combining technical tooling and social engineering, thieves now have a way to unlock devices at scale and make phone theft profitable.
These so-called “unlocking tools” create a market for stolen phones by allowing anyone with a pulse to try to turn a bricked “lost or stolen” device into easy money.
Despite the fact that there are no publicly disclosed vulnerabilities for late-model iPhones, threat actors use clever techniques to convince the owner to enter their passcode. SMS phishing (smishing) is one of them, and our DNS telemetry shows steadily growing and persistent activity.
We initially assumed thieves would be interested in the phone’s data. Those devices, after all, hold potentially priceless personal and corporate information. Interestingly, we discovered the opposite. Thieves are after a quick buck, and the value of the data is secondary to the value of the hardware. It seems like their phishing domains are often detected, and some of the tools sold in these forums contain mechanisms to detect DNS blocks and automatically request delisting from Google Safe Browsing.
This paper will detail how, by analyzing DNS clusters, we were able to pivot from an initial text to reveal a thriving marketplace enabling and ultimately driving phone theft. We will then explain how this underground economy functions and how smishing is only one tool in the toolbox they use to gain access to stolen phones.
From Smishing to Panels
When somebody loses access to their iPhone, they can set a message on the locked screen, directing the finder to contact a specific phone number to return the device. See Figure 1. Users will usually choose their spouse’s or parent’s phone number. It’s this helpful feature that offers the scammers a way to reach out to the phone’s owner and manipulate them into unlocking it.

Figure 1. Lost iPhone displaying a contact number
This is how one of our friends was contacted when their iPhone was stolen in Asia. Shortly afterwards, they received a text with a link to a URL hosted on applemaps-support[.]live.
Lookalike domains targeting Apple are nothing new: we detect over 800,000 a year. But the timing of the text was suspicious, and whoever sent the message clearly had the device in their possession.
At first glance, the page on applemaps-support[.]live closely resembles the real Apple Find My page, but this is of course a decoy—the website is not operated by Apple. The phone appeared to be moving on the spoofed map (see Figure 2), but before we could do anything else, a pop-up appeared asking for the PIN code to unlock the phone. Had our friend given their passcode, the thief would have immediately gained full control of the device.
Figure 2. iPhone phishing page shows stolen phone moving
Pivoting on DNS characteristics of the domain, we quickly identified a cluster of related phishing pages, all using Apple lookalike domains.
Discovery of an iPhone Unlocking Marketplace
Not all the domains in the cluster hosted phishing content. In several cases, threat actors had inadvertently exposed their own admin login page at the root of several websites. Other pages on the same domains advertised “phone unlocking tools.” This made us curious: Could these unlocking services be connected to smishing attacks targeting iPhone owners who had lost their devices?
Indeed, we soon identified dozens of Telegram groups functioning as a large underground marketplace focused on unlocking phones. Different sellers offer their services to end users looking to unlock phones. The products are sold under different names, but always offer the same features:
- An unlocking tool: a Windows binary able to automatically “jailbreak” old phones. The same tool also offers a way to extract identifying information from a plugged-in device.
- An “FMI OFF” (Find My iPhone Off) or “iCloud Webkit”: a phishing and smishing kit designed to convince legitimate owners to forfeit their iCloud/Apple Account and screen lock passcode.
- Social engineering tools: scripts, AI voice calling software and pre-recorded sound files in different languages impersonating Apple and asking for the passcode.
The tools are typically offered on a pay-as-you-go basis, where customers pay a small fee per unlock attempt or smishing link sent. End users routinely ask for technical help and share videos of successful attacks (as in Figure 3).

Figure 3. Buyer asking for help on how to unlock a likely stolen iPhone XR. An unlocking tool can be seen in the background.
Figure 4 shows the relationship between vendors and patrons.

Figure 4. Diagram showing the organization of the ‘FMI OFF’ kit trade
The sale of unlocking services is key. Those tools are often branded to a particular Telegram group. With such software, criminals can automatically unlock older phone models but also extract identifying information that will then be used to craft smishing attacks targeting the device’s owner.
Of course, nobody in those Telegram groups discloses how they obtained the device(s) they are seeking to unlock. Some pretend they’ve simply forgotten the password to an old device, but that does not explain the need for the “FMI OFF,” or the social engineering features included in the tools.
Technical Capabilities of Unlocking Tools
The unlocking tools available offer varying levels of sophistication. The more complex ones connect to a license server (presumably to prevent unauthorized reselling) under a pay-as-you-go model: unlocking a recent iPhone can cost anywhere from $5 to $50 depending on the seller. The average price is below $10.
Under the hood, the tools are just crude graphical user interfaces (GUIs) running different command-line tools (Figure 5) based on open-source utilities designed to jailbreak iPhones and extract information.

Figure 5. Unlocking app offering a very simple GUI
While there are only a handful of functionally distinct “unlocking tools,” they are distributed and resold under different names by individuals located all over the world, making it seem like there is a plethora of options. We found sellers in Bangladesh, India, Pakistan, Venezuela, Mexico, Brazil, and other countries, as shown in Figure 6 below.

Figure 6. Local resellers of unlocking software
At the time of writing, the latest phone models and iOS versions above 17.0 are not affected by any publicly disclosed vulnerabilities enabling unauthorized access. Some entrepreneurial individuals try to exploit this gap in the iPhone unlocking market by advertising trojanized versions of tools or demanding exorbitant fees for an elusive “zero day exploit” that doesn’t really exist. If it did, such an exploit would be worth seven figures or more rather than a few hundred dollars.
Unlocking the latest phones requires a different approach: smishing! In this case, the proffered unlocking tools can extract information including device serial number, original activation country, and linked Apple Account. This data will then be used to craft a credible smishing message and landing page. This information gathering can also be done using specific Telegram bots, conveniently operated by the same groups, as shown in Figure 7.


Figure 7. Threat actor using a Telegram bot to find owner information about a given iPhone. The bot is able to check a stolen credentials database and identify linked devices on iCloud. Access to the bot requires payment in advance.
How Smishing Fits into the Supply Chain
Besides unlocking tools, developers have also created dozens of different smishing templates, as shown below in Figure 8, covering Apple but also other major brands like Xiaomi and Samsung. All are offered in a variety of languages.

Figure 8. Image generated by a reseller showing the templates they offer
End users—those looking to unlock phones—will craft the attack by personalizing their chosen template based on information harvested from the unlocking tools such as the victim’s name, email, and whether the passcode has four or six digits. Users can also insert a specific location on the “lost iPhone map” and select the language. All of this is an effort to make the attack appear more credible.
They will then prepare the smishing text, including the link to the now-personalized phishing page. Figure 9 shows examples.


Figure 9. Examples of smishing texts
The text is sent to the contact number displayed on the locked phone’s screen. The malicious link can be sent over WhatsApp, text or email, directly from the smishing template pages as in Figure 10.

Figure 10. WhatsApp smishing message received by a victim; it’s carefully crafted to look like it was sent from an official Apple account
Once the victim enters their credentials, the information is sent back to the attacker via Telegram. The login details are then immediately used to remove all linked devices from the given Apple Account, as shown in the video (Figure 11) below. Figure 12 displays both the smishing configuration panel and how the smishing page would render when browsed.
Figure 11. A short video by a threat actor demonstrating the customization of a phishing page.
Figure 12. Threat actor generating a link to a malicious landing page (left) and showing what the target page looks like (right)
Scale of Operations Observed via DNS
After expanding our initial cluster from applemaps-support[.]live and pivoting on DNS fingerprints, we identified over 10,000 domains associated with these tools. Interestingly, the domains were registered at different times and used very different hosting infrastructure. This corroborates our assessment that multiple groups are involved, based on our observations of the marketplaces.
One thing these domains all had in common was that they were all either lookalikes of the Apple brand or had generic customer-support-themed domain names such as viewlocation[.]app or find-your-phone[.]help. The word map below in Figure 13 illustrates the relative frequency of the most common keywords.

Figure 13. Most frequent words observed in domain names associated with these campaigns
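As an added illustration of the naming pattern just described (example code, not the authors’ tooling or data), the following Python scores the registrable domains seen in a constructed DNS query log against a keyword lexicon and tallies keyword frequency, the same kind of word map shown in Figure 13. The lexicon, the allowlist and the log lines are assumptions made for this example.

```python
import re
from collections import Counter
# Keyword lexicon modelled on the naming pattern described above (assumption:
# tune to local telemetry). A brand word alone flags; theme words need two hits.
BRAND_WORDS = ("apple", "icloud", "findmy", "samsung", "smartthings")
THEME_WORDS = ("find", "locat", "map", "support", "phone", "view", "navigate", "lost", "help")
# Registrable domains that legitimately carry these words (assumption).
ALLOWLIST = {"apple.com", "icloud.com", "samsung.com"}
# Constructed sample log, one query per line: "<time> <client> <qtype> <qname>".
SAMPLE_LOG = """\
2025-03-04T10:11:12Z 10.0.0.5 A applemaps-support.live
2025-03-04T10:11:13Z 10.0.0.5 A gateway.icloud.com
2025-03-04T10:12:40Z 10.0.0.9 A findyourphone.help
2025-03-04T10:13:02Z 10.0.0.9 A viewlocation.app
2025-03-04T10:14:55Z 10.0.0.7 A news.example.org
2025-03-04T10:15:10Z 10.0.0.7 A support.apple.com
"""

def registrable_domain(qname: str) -> str:
    """Crude eTLD+1 (last two labels); use a public-suffix list in production."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def keyword_hits(domain: str) -> tuple[list[str], list[str]]:
    """Return (brand words, theme words) found in the domain's letters only."""
    letters = re.sub(r"[^a-z]", "", domain.lower())
    return ([w for w in BRAND_WORDS if w in letters],
            [w for w in THEME_WORDS if w in letters])

def is_suspicious(domain: str) -> bool:
    """Flag brand lookalikes and support-themed names outside the allowlist."""
    if domain in ALLOWLIST:
        return False
    brand, theme = keyword_hits(domain)
    return bool(brand) or len(theme) >= 2

def triage(log_text: str) -> tuple[list[str], Counter]:
    """Parse query lines, flag registrable domains, count keywords (the 'word map')."""
    flagged, words = [], Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        domain = registrable_domain(fields[3])
        if domain not in flagged and is_suspicious(domain):
            flagged.append(domain)
            brand, theme = keyword_hits(domain)
            words.update(brand + theme)
    return flagged, words

FLAGGED, WORD_MAP = triage(SAMPLE_LOG)  # results for the constructed sample
```

Substring matching is deliberately loose for triage (a word like “pineapple” would hit “apple”), so flagged domains are candidates for analyst review or sinkholing, not an automatic block list.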
By stepping back in time in our data, we can observe a small, but growing amount of traffic from our resolvers to verified smishing domains. The query count is comparatively low, but this is expected considering the targeted nature of the attack, along with the pay-as-you-go model used by the tool developers. However, 2025 saw traffic to these domains increase by 350% compared to the previous year, as shown in Figure 14.

Figure 14. Yearly traffic volume observed for campaign-related domains
Detection Avoidance
One interesting quirk we found in some of these tools is the ability to automatically contest detection by security products.
By querying a specific attacker-controlled endpoint hosting the list of smishing domains, and using a headless Chrome browser to attempt connection, the tools can automatically check if any domains have been blocked. If connection to a domain fails, they assume it has been blocked by Google Safe Browsing. The tools will then randomly select an excuse from a list of semi-plausible reasons (“we are a charity for homeless pets,” “my daughter’s dance studio website was flagged,” “the dog ate my homework,” etc.) and submit it to Google to try to have the block removed. It’s difficult to assess how effective this method really is, but at the time of writing most of the smishing domains were not being blocked by Google Safe Browsing.
Figure 15 shows the script code and list of justifications, and Figure 16 shows the output.

Figure 15. List of supporting reasons the threat actor’s script will choose from to contest a block on a domain

Figure 16. Threat actor running the script and its output
What We Learned
What we initially assumed was simple smishing revealed an ecosystem perfectly designed to solve a single problem: turning stolen iPhones into valuable, sellable goods.
Today, a locked device is almost worthless on the black market, while an unlocked, high-end model is easy to resell and can fetch hundreds of dollars. With this in mind, an underground marketplace has emerged which covers the entire digital supply chain from cracking to smishing. As is now commonly the case, the tools are designed to be simple and intuitive enough to offer a very low barrier to entry. This maximizes the potential user base and amplifies their reach.
Interestingly, and somewhat counter-intuitively, our findings show that the data stored on the device is considered to have little value. All the tools we analyzed wipe the device by default as soon as access is attained. Just reselling the device offers the most favorable trade-off between risk and profit.
Acquiring a phone could be free (depending on how you do it). Unlocking it using one of these underground tools could cost less than a hundred U.S. dollars. Even older iPhone models can still be sold for hundreds of dollars.
As for the tool developers, their pricing model is based on individual unlock attempts, making volume a critical driver of revenue. The low barrier to entry, affiliate resellers and Telegram channels filled with success stories are, of course, intentional.
The growth of this ecosystem can be easily observed in DNS, reflected in the sharp increase in traffic to associated domains we have seen over the past year. As the ecosystem grows, risk increases accordingly—not only in the digital realm, but in the physical world as well. Unlocking capabilities directly translate into real-world theft, turning abstract online activity into tangible personal danger. With a phone in nearly every pocket, there’s no shortage of potential victims.
Sample List of Indicators
The full list of indicators is available on our open GitHub repository.