A Cryptocurrency Wallet Company Claims Zero-Day iMessage Exploit Targeting iPhone Users, But Industry Experts Are Skeptical
A claim of “credible intel” about a high-risk zero-day exploit targeting iMessage, supposedly for sale on the dark web, has been making the rounds this week. The official Twitter account of Trust Wallet, a cryptocurrency wallet maker, warned that “High-value targets are likely” and that each use of the exploit raises its detection risk. The tweet read:
We have credible intel regarding a high-risk zero-day exploit targeting iMessage on the Dark Web. This can infiltrate your iPhone without clicking any link. High-value targets are likely. Each use raises detection risk.
Trust Wallet’s recommendation was for iPhone users to turn off iMessage entirely until Apple patches the alleged exploit. However, there is no evidence or confirmation from Apple or any other source that the exploit even exists.
The tweet went viral, garnering over 3.6 million views as of publication. Due to the attention received, Trust Wallet made a follow-up post hours later, standing by their decision to go public and stating that they “actively communicate any potential threats and risks to the community.”
When reached for comment, Trust Wallet did not respond to TechCrunch’s request. Meanwhile, Apple spokesperson Scott Radcliffe also declined to comment.
Trust Wallet’s CEO Eowyn Chen later cleared the air, stating that the “intel” was actually an advertisement on a dark web site called CodeBreach Lab. The alleged exploit is being offered for $2 million in Bitcoin. The advertisement for the “iMessage Exploit” claims it achieves remote code execution (RCE) with no interaction from the target, which would make it a “zero-click” exploit. There is, however, no evidence that the exploit is real.
Remote code execution is among the most potent exploit primitives, letting an attacker take control of a device over the internet. Combining it with zero-click delivery makes it especially valuable, because the compromise happens without any action by, or warning to, the device owner. Such capabilities are also fragile: each time a zero-day is used against a target, the chance grows that the exploit is captured and analyzed, which is why sellers and operators ration its use. A company that acquires and resells zero-day exploits has offered to pay between $3 million and $5 million for a zero-click exploit, which indicates how rare and difficult to develop they are.
Contact Us
Do you have any information about actual zero-days? Or about spyware providers? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You can also contact TechCrunch via SecureDrop.
Given where and how this supposed zero-day is being offered (an anonymous listing, an unverifiable seller, and payment demanded up front), it is highly likely that the whole thing is a scam. Trust Wallet most likely fell for it, spreading what the cybersecurity industry calls FUD, or “fear, uncertainty, and doubt.”
While it is true that iPhone zero-day exploits exist and have been used by government hacking units and the spyware vendors that supply them, the average iPhone user does not need to turn off iMessage as a precaution. A more useful suggestion would be to turn on Lockdown Mode, an optional iOS feature (under Settings, Privacy & Security) that shrinks the device’s attack surface by disabling or restricting certain functionality, including most message attachment types and link previews in Messages, the kinds of content that zero-click exploits have historically abused.
Apple says it is not aware of any successful attack against a device with Lockdown Mode turned on. Security experts such as Runa Sandvik and the researchers at Citizen Lab, who have investigated several cases of iPhone hacking, recommend enabling the feature for people who believe they may be targeted.
As for CodeBreach Lab, it appears to be a new website with no known history. A Google search returned only seven results, one of them a post on a well-known hacking forum asking whether anyone had heard of CodeBreach Lab before.
The CodeBreach Lab owners describe their website as “the nexus of cyber disruption.” However, it would be more accurate to call it the “nexus of braggadocio and naivety.”
TechCrunch attempted to reach CodeBreach Lab for comment but could not find any contact details or other way to reach the alleged company. When attempting to buy the alleged exploit, the website asked for the buyer’s name, email address, and $2 million worth of Bitcoin sent to a specific wallet address on the public blockchain. As of publication, no one had sent the requested amount.
In essence, whoever wants this so-called exploit must transfer $2 million to a wallet that is not linked to any known person or entity, with no way to verify that the exploit exists and no way to contact the seller. That is very likely how it will stay.