VYPR
Research · Published May 15, 2026 · Updated May 17, 2026 · 1 source

Underground Telegram Marketplaces Fueling Stolen iPhone Unlocking Operations

A thriving underground marketplace on Telegram is providing thieves with sophisticated phishing tools and services to bypass Apple’s Activation Lock, turning stolen iPhones into profitable resale commodities.

Researchers at Infoblox have uncovered a sophisticated underground ecosystem on Telegram dedicated to monetizing stolen iPhones by bypassing Apple’s Activation Lock. While Activation Lock is designed to render stolen devices worthless by preventing unauthorized resale, this illicit marketplace provides thieves with the tools and infrastructure necessary to unlock these devices, significantly increasing their black-market value (Help Net Security).

The operation functions as a digital supply chain, moving from the initial theft to the final unlocking of the hardware. Contrary to expectations that thieves might prioritize sensitive personal or corporate data, researchers found that the primary objective is the rapid resale of the physical device. By unlocking high-end models, thieves can transform a "worthless" locked phone into a commodity worth hundreds of dollars (Help Net Security).

The technical mechanism relies heavily on smishing (SMS-based phishing) and social engineering. Thieves use specialized Windows-based tools to jailbreak older iPhones and extract critical device information, such as serial numbers, original activation countries, and associated Apple account details. This data is then used to craft highly convincing, personalized phishing messages that impersonate Apple’s "Find My" service. These messages direct victims to spoofed websites that mimic legitimate Apple portals, tricking owners into surrendering their passcodes or Apple account credentials (Help Net Security).

The infrastructure supporting these attacks is vast. Infoblox reports detecting over 800,000 Apple-lookalike domains annually, with researchers identifying more than 10,000 domains specifically linked to these unlocking services. Beyond simple phishing pages, the Telegram groups offer a suite of advanced tools, including AI-powered voice calling software and prerecorded audio files that impersonate Apple support staff in multiple languages. Additionally, threat actors utilize paid bots that can cross-reference stolen credential databases to locate devices linked to specific iCloud accounts (Help Net Security).

These services are marketed under various names, such as "FMI OFF" (Find My iPhone Off) and "iCloud Webkit," and include customizable phishing templates for Apple, Samsung, and Xiaomi devices. These templates allow attackers to dynamically insert victim-specific details, such as names and spoofed map locations, to enhance the credibility of their social engineering efforts. Access to these automated tools and bot services typically requires payment in advance, fueling a profitable business model for the developers (Help Net Security).

This thriving marketplace highlights a persistent challenge in mobile security, where the physical theft of hardware is increasingly coupled with advanced digital exploitation techniques. With an estimated 7.35 million iPhones stolen annually in the United States, the scale of this threat remains significant. As attackers continue to refine their social engineering tactics and expand their phishing infrastructure, the reliance on user vigilance to identify sophisticated, personalized phishing attempts becomes a critical, albeit difficult, line of defense (Help Net Security).

Synthesized by Vypr AI