SouthernWorldwide.com – Thieves have discovered a new, unsettling method to exploit stolen iPhones, turning a device’s security features against its owner through a sophisticated passcode scam.
Traditionally, marking an iPhone as lost through Apple’s Activation Lock rendered it nearly useless to a thief, effectively turning it into a “locked brick.” This feature was designed to deter phone theft by significantly reducing resale value. However, cybercriminals have devised a cunning workaround to bypass these protections.
Recent research from Infoblox Threat Intel, a cybersecurity research team, has revealed that criminals are employing a multi-pronged approach. They are utilizing fake Apple web pages, deceptive text messages (smishing), and tools found on Telegram to trick individuals whose iPhones have been stolen into voluntarily surrendering their passcodes.
Infoblox Threat Intel monitors criminal online activities by analyzing DNS, the system that directs devices to websites. This analysis allows researchers to identify patterns in suspicious website names and network traffic, thereby spotting fake domains, phishing sites, and larger scam operations.
What makes this scam particularly alarming is its personal nature. The victim may have just had their phone stolen, and the fraudulent message could arrive immediately afterward. The fake webpages might even display a map showing the supposed real-time location of the stolen iPhone.
The researchers found that many thieves are less interested in the personal data stored on the phone and more focused on converting the device into cash through resale. By obtaining the victim’s passcode, they can remove security measures, wipe the device clean, and then sell it as an unlocked unit.
Adding to the cruelty of the scheme, a feature intended for legitimate recovery can be weaponized. When an iPhone is lost, users often leave a message on the lock screen with a contact number, hoping a good Samaritan will return it. Scammers can exploit this same contact number to reach out to the victim.
In one documented case, a victim whose iPhone was stolen received a text message shortly after the incident. This message contained a link to a fake website designed to mimic Apple’s official style. The fake page presented a map that appeared to show the phone’s location in motion, and then prompted the user to enter their device’s PIN code.
Had the victim entered their passcode, the thief would have gained complete control over the device. The effectiveness of this scam lies in its believability. The thief may indeed possess the stolen phone, and the message can be timed perfectly to coincide with the victim’s distress. The fake pages are often so convincing, closely resembling Apple’s legitimate “Find My” interface, that a stressed individual trying to recover an expensive device can easily fall prey.
A locked iPhone holds minimal resale value. Conversely, an unlocked iPhone can be erased, detached from its owner’s Apple account, and sold for significantly more. The Infoblox research uncovered Telegram groups offering phone unlocking services. Some of these tools are tailored for older phone models, while others gather intelligence on newer devices to craft more convincing phishing attacks.
These illicit services can include sophisticated tools such as “Find My iPhone Off” kits, counterfeit Apple login pages, AI-powered voice call simulators, and pre-recorded messages that impersonate Apple support personnel.
The low cost associated with these unlocking services makes this underground market highly accessible. Some attempts to unlock a phone can cost as little as a few dollars. The research indicates that unlocking a recent iPhone can range from $5 to $50, with the average price often falling below $10.
This affordability is a key factor in the widespread proliferation of this scam. Thieves no longer require advanced technical expertise. They can simply purchase an unlocking kit, follow the provided instructions, and deploy a professionally crafted scam message.
The scam extends beyond generic messages. Criminals can personalize phishing pages by extracting details from the stolen phone or associated linked accounts. This information can include the victim’s name, email address, device specifics, and even the length of their passcode (four or six digits). The fake page might also display a chosen location on a simulated “lost iPhone” map. The scammer then distributes this link via text, WhatsApp, or email.
Upon entering credentials or a passcode on the fake page, the information is transmitted directly to the attacker, often through Telegram. From there, criminals can remove linked devices from the victim’s Apple account and prepare the phone for resale. This level of personalization explains why the scam messages can feel eerily specific and urgent, making the alert seem official and helpful.
Researchers identified over 10,000 domains linked to these phone unlocking tools and smishing campaigns. Many of these domains mimicked Apple’s branding or used generic customer-support language, often incorporating themes related to location tracking and phone finding.
Furthermore, the research revealed a staggering 350% increase in traffic to verified smishing domains in 2025 compared to the previous year. This indicates a significant surge in this type of malicious activity.
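The naming patterns described above (Apple branding combined with location-tracking or support themes) can be screened for in DNS query logs. The sketch below is an added example, not Infoblox's method or code; the allowlist, keyword lists, scoring weights, log format and all sample hostnames are assumptions constructed for illustration.

```python
LEGIT = ("apple.com", "icloud.com")    # assumed allowlist of genuine Apple zones
BRAND = ("apple", "icloud", "iphone")  # assumed brand keywords
THEME = ("find", "locat", "lost", "track", "support", "map")  # assumed themes

# Constructed log lines: "<timestamp> <client> <qname> <qtype>"
SAMPLE_LOG = """\
2025-01-01T10:00:01Z 10.0.0.5 www.icloud.com. A
2025-01-01T10:00:02Z 10.0.0.5 apple.com.findmy-locate.example. A
2025-01-01T10:00:03Z 10.0.0.7 icloud-lost-device-map.example. A
2025-01-01T10:00:04Z 10.0.0.7 pineapple-recipes.example. A
2025-01-01T10:00:05Z 10.0.0.9 support.apple.com.verify.example. AAAA
"""

def is_legit(host):
    """True only for an allowlisted zone or a real subdomain of one."""
    return any(host == z or host.endswith("." + z) for z in LEGIT)

def score(host):
    """Return (points, reasons) for one hostname; allowlisted hosts score 0."""
    host = host.lower().rstrip(".")
    if is_legit(host):
        return 0, []
    flat = host.replace("-", "").replace(".", "")  # "find-my" and "findmy" match alike
    reasons = []
    if any(b in flat for b in BRAND):
        reasons.append("brand keyword")
    if any(t in flat for t in THEME):
        reasons.append("tracking/support theme")
    points = len(reasons)
    # A genuine Apple zone used as leading labels of another domain is a strong signal.
    if any("." + z + "." in "." + host for z in LEGIT):
        reasons.append("embeds allowlisted zone")
        points += 2
    return points, reasons

def triage(log_text, threshold=2):
    """Return {hostname: points} for queried names at or above the threshold."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        host = fields[2].lower().rstrip(".")
        points, _ = score(host)
        if points >= threshold:
            hits[host] = points
    return hits
```

Requiring a brand keyword and a theme keyword together keeps a name like the constructed `pineapple-recipes.example` below the threshold, while a hostname that merely starts with `apple.com.` is never treated as Apple's.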
Some tools are designed to circumvent security measures. The research documented scripts that automatically check if smishing domains are flagged or blocked. These scripts then submit fabricated justifications to request their removal from security warnings, such as those from Google Safe Browsing. This demonstrates that criminals are not only creating fake pages but are also actively working to keep them operational long enough to deceive victims.
Following a phone theft, the most perilous communication is often the message received afterward. Victims are typically anxious, frustrated, and desperate to locate their device, which is precisely the emotional state scammers aim to exploit. A message purporting to be from Apple, Find My, or customer support can appear highly reassuring.
However, Apple will never request that you enter your iPhone passcode through an unsolicited link sent via text or WhatsApp. The passcode itself is the ultimate prize. By divulging it, you inadvertently assist the thief in transforming your locked phone into a marketable asset.
If your iPhone goes missing, adopting a few calm, measured steps can help you avoid handing over the one piece of information thieves desperately need: your passcode.
Your iPhone passcode should always remain on your iPhone. Never enter it into a website accessed via text, email, or WhatsApp, regardless of how official the page may appear.
If your iPhone is lost, utilize the Find My app on another Apple device or navigate directly to iCloud through your web browser. Do not rely on links provided within messages.
Scammers thrive on creating a sense of urgency. A message might claim your phone has been located, moved, or is scheduled for account deactivation. Take a moment to pause and think before clicking. Instead, access Apple’s official tools independently.
Avoid using simple codes such as birthdays, repeating numbers, or easily discernible patterns for your passcode. A longer, alphanumeric passcode presents a significantly more challenging obstacle for potential thieves.
Ensure that the “Find My” feature is enabled on your iPhone before any incident occurs. On an iPhone, navigate to Settings > your name > Find My > Find My iPhone and confirm that Find My iPhone is turned on.
If your iPhone is stolen, keep it listed within Find My and your Apple Account. Removing it prematurely can disable Activation Lock, a crucial feature that prevents others from erasing, activating, and reselling your device. When using Find My, select the stolen iPhone and choose either Mark As Lost or Erase This Device if necessary. Refrain from selecting Remove This Device unless explicitly instructed by Apple Support, your carrier, or law enforcement.
Robust antivirus software can be instrumental in blocking malicious links, phishing pages, and scam websites before they can cause harm. It can also alert you to potentially unsafe sites. For recommendations on the best antivirus protection for your Windows, Mac, Android, and iOS devices, visit CyberGuy.com.
Report the stolen phone to your local police department and your wireless carrier. Your carrier may be able to suspend service or block the device from accessing the network.
Yes. While Android phones possess their own anti-theft protections, thieves may attempt similar tactics. Instead of targeting an iPhone passcode, a scammer might send a fraudulent message impersonating Google, Find My Device, Find Hub, Samsung Find, or a carrier after an Android phone is stolen.
The message could falsely claim the phone has been found, moved, or is ready for retrieval. It may then direct you to a fake webpage requesting your Google account password, Samsung account password, or your screen lock PIN, password, or pattern.
This information can enable a thief to circumvent protections that make stolen Android phones more difficult to reset and resell. Google’s Factory Reset Protection, for instance, requires the previous Google account or screen lock credentials after an unauthorized reset. Samsung states that Google Device Protection functions on Galaxy phones when a Google account and lock screen are established.
The advice remains consistent: do not click on links provided in text messages, emails, or WhatsApp messages to recover a stolen Android phone. Instead, navigate directly to Google’s Find Hub, Samsung Find, or your carrier’s official website. Never enter your phone’s screen lock or account password into a recovery page that was accessed via a message.
In the past, a stolen iPhone was primarily a nuisance for thieves due to Activation Lock hindering resale. Now, criminals are actively involving victims in the unlocking process. They achieve this through deceptive Apple pages, precisely timed text messages, and convincing map displays designed to exploit panic. The most secure course of action is to exercise caution and slow down.
If your phone disappears, utilize Apple’s official Find My tools and disregard any message that solicits your passcode. That specific code could be the sole barrier between a useless device and a profitable sale for a thief.
Should device manufacturers and wireless carriers take greater measures to prevent the resale of stolen phones, or does the primary responsibility lie with users to secure their devices? Share your thoughts by contacting us at CyberGuy.com.
