Thieves unlock stolen iPhones using cheap tools sold on Telegram

Helping a friend recover a stolen phone, Infoblox researchers uncovered a thriving Telegram-based underground marketplace selling unlocking tools and phishing infrastructure used to monetize stolen iPhones.

Activation Lock can remotely disable a stolen iPhone and prevent normal resale, with owners also able to lock individual components. Even with those protections, more than 7.35 million iPhones are reportedly stolen each year in the United States alone.

“A locked device is almost worthless on the black market, while an unlocked, high-end model is easy to resell and can fetch hundreds of dollars. With this in mind, an underground marketplace has emerged which covers the entire digital supply chain from cracking to smishing,” the researchers wrote.

“We initially assumed thieves would be interested in the phone’s data. Those devices, after all, hold potentially priceless personal and corporate information. Interestingly, we discovered the opposite. Thieves are after a quick buck, and the value of the data is secondary to the value of the hardware,” they added.

A black market built around locked iPhones

The researchers began tracking the activity after the owner of a stolen iPhone received a text message linking to a fake Apple Find My page. The page displayed the supposedly moving device on a spoofed map and then requested the phone’s passcode.

The phishing site closely resembled Apple’s legitimate Find My service and used contact information displayed through the iPhone’s lost-device recovery feature. Entering the passcode would have given the thieves complete control of the device.

Infoblox said it detects more than 800,000 Apple lookalike domains each year. By analyzing DNS characteristics tied to the phishing domain, the researchers identified a cluster of related phishing pages using Apple lookalike domains and later uncovered more than 10,000 domains associated with the tools and phishing infrastructure.

The analysis eventually led them to Telegram groups selling services designed to unlock stolen high-end phones, especially iPhones, through phishing campaigns and social engineering. The products are sold under different names, though they generally offer the same capabilities.

Stolen device information powers smishing campaigns

The offerings include a Windows-based unlocking tool capable of automatically jailbreaking older iPhones and extracting identifying information from connected devices. Researchers also identified “FMI OFF” (Find My iPhone Off) and “iCloud Webkit” services marketed as phishing and smishing kits designed to convince legitimate owners to surrender their Apple account credentials and screen lock passcodes.

Buyer asking for help on how to unlock a likely stolen iPhone XR. An unlocking tool can be seen in the background. (Source: Infoblox)

Unlocking recent iPhone models relies on smishing campaigns. The unlocking tools can extract information including device serial numbers, original activation country, and linked Apple account details that are then used to create convincing phishing messages and fake Apple login pages designed to trick owners into entering their passcodes.

Social engineering tools include scripts, AI voice calling software, and prerecorded audio impersonating Apple support in multiple languages.

Threat actors also use bots capable of finding owner information, checking stolen credential databases, and locating devices linked to iCloud accounts. Access to the bots requires payment in advance.

Tool developers created smishing templates impersonating Apple, Xiaomi, Samsung, and other brands. The templates can be customized using victim names, email addresses, passcode length, spoofed iPhone map locations, and preferred languages to make phishing messages appear more credible.

“Of course, nobody in those Telegram groups discloses how they obtained the device(s) they are seeking to unlock. Some pretend they’ve simply forgotten the password to an old device, but that does not explain the need for the ‘FMI OFF,’ or the social engineering features included in the tools,” the researchers noted.

A low-cost market for iPhone unlocking

The unlocking tools vary in sophistication, with more advanced versions connecting to license servers under a pay-as-you-go model. Unlocking a recent iPhone can cost between $5 and $50 depending on the seller, with the average price below $10.

No publicly disclosed vulnerabilities currently allow unauthorized access to recent iPhone models or iOS versions above 17.0. Some operators attempt to exploit demand by selling trojanized versions of unlocking tools or advertising supposed “zero day” exploits that do not exist.

“If such an exploit existed, its price would likely reach seven figures rather than a few hundred dollars,” the researchers stated.

Some tools contain mechanisms designed to detect DNS blocking and automatically request removal from Google Safe Browsing blocklists. Researchers said DNS telemetry linked to verified smishing domains increased by 350% during 2025 compared with the previous year.
