Your iPhone is Stolen: The Hacking Nightmare Unfolds

Each year, countless smartphones fall victim to theft. Among them, a significant number are iPhones that are illegally shipped to various regions, particularly China, where they are dismantled for parts. However, there exists a lucrative market in which these stolen devices can be unlocked and reset, offering criminals a chance to maximize their earnings. Recent research has revealed extensive connections within the underground ecosystem that facilitates access to stolen iPhones.

Across social media platforms and encrypted messaging services, a vibrant market thrives, staffed by software vendors who cater to the demand for unlocking services used in the theft of smartphones. Researchers from Infoblox, a cybersecurity firm, have identified numerous groups engaged in selling such tools, specializing primarily in iPhones. Their findings indicate that over 10,000 phishing websites linked to these activities have been established, with a staggering 350 percent increase in traffic to these domains last year.

According to Maël Le Touz, a senior threat researcher at Infoblox, the primary motive of these thieves is profit through resale. The average cost of accessing the necessary unlocking software remains remarkably low—typically under $10—making it accessible to a broad range of criminals. “Most individuals pursuing unlocking capabilities do not possess large quantities of stolen devices,” Le Touz stated, underscoring the opportunistic nature of these thefts.

Alarmingly, the number of stolen digital devices is on the rise, with recent statistics indicating that approximately 80,000 phones were reported stolen in London alone during a single year. Although tech giants like Apple and Google have bolstered protective measures for their devices, thieves of varying technical skill continue to exploit vulnerabilities for financial gain. An unlocked phone, or one whose passcode is known, can serve as a gateway to stealing funds from bank accounts or cryptocurrency wallets. Thieves who snatch phones can also profit from the hardware itself, selling these devices for hundreds of dollars.

Will Lyne, head of economic and cybercrime at London’s Metropolitan Police, emphasized that the motivations of phone thieves extend beyond simple acquisition; they are often seeking access to sensitive information such as banking credentials and personal data. He cited a case involving four suspects who were apprehended while handling over 5,000 stolen phones, many of which were linked to financial fraud.

According to Dan Guido, CEO of security firm Trail of Bits, a locked phone could fetch between $50 and $200, but unlocking it can elevate its value to $500 or more. This discrepancy incentivizes criminal actors to devise methods for gaining access to locked devices. Guido noted, “This situation creates an entire ecosystem where different actors collaborate at various levels to unlock phones effectively.”

The investigation into this underground activity began earlier this year when a law enforcement official in Asia reported that their stolen iPhone was targeted by phishing schemes shortly after the theft. A common tactic involves phishing pages that mimic legitimate sites, for example a fake Apple Find My page that solicits PIN codes under the guise of retrieving the phone’s location.

Reports have emerged from various sources, including individuals and national cybersecurity agencies, indicating that victims of iPhone theft often receive fraudulent messages attempting to gain access to their iCloud accounts. These phishing attempts employ detailed information about the stolen device, effectively tricking owners into providing sensitive data. As noted by cybersecurity experts, social engineering remains the most viable approach for criminals, particularly in instances where device locks can’t be bypassed.

In terms of attack frameworks, the operational methods used in these cybercrimes correspond to tactics such as initial access (where an attacker gains entry to a system), persistence, and credential harvesting from users. Understanding these tactics in the context of the MITRE ATT&CK framework is crucial as stakeholders work to fortify defenses against the growing threat landscape presented by smartphone thefts and associated cyber fraud.
