A crypto wallet maker claimed this week that hackers may be targeting people with a “zero-day” iMessage exploit — but all signs point to an exaggerated threat, if not an outright scam.
Trust Wallet’s official X (formerly Twitter) account wrote that “we have credible information about a high-risk zero-day exploit targeting iMessage on the Dark Web. This can infiltrate your iPhone without clicking any link. They are potential high-value targets. Each use increases the risk of detection.”
The wallet maker advised iPhone users to disable iMessage completely “until Apple fixes it,” even though there’s no evidence that “it” exists at all.
The post went viral and has been viewed more than 3.6 million times since it was published. Given the attention it drew, Trust Wallet published a follow-up post hours later, doubling down on its decision to go public and saying that it “actively communicates any potential threats and risks to the community.”
Trust Wallet, which is owned by crypto exchange Binance, did not respond to TechCrunch’s request for comment. Apple spokesman Scott Radcliffe declined to comment when reached Tuesday.
It seems that, according to Trust Wallet CEO Eowyn Chen, the “intel” is an ad on a dark web site called CodeBreach Lab, where someone is offering the alleged exploit for $2 million in bitcoin. The ad, titled “iMessage Exploit,” claims the vulnerability is a remote code execution (or RCE) exploit that requires no interaction from the target — commonly known as a “zero-click” exploit — and works on the latest version of iOS. Such bugs are called zero-days because the vendor has had zero days to fix the vulnerability: it is unknown to the vendor, or was only just disclosed, and no patch exists. In this case, however, there is no evidence that the vulnerability exists at all, let alone that it has been exploited.
RCEs are among the most powerful exploits because they let attackers remotely take control of a target device over the internet. An RCE that is also zero-click is especially valuable because the attack can be carried out invisibly, without the device owner doing anything or noticing anything. In fact, a company that buys and resells zero-days is currently offering $3 to $5 million for this type of zero-day zero-click exploit, which is also a sign of how difficult such exploits are to find and develop.
Contact us
Do you have information about actual zero-days, or about spyware providers? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, via Telegram, Keybase and Wire at @lorenzofb, or via email. You can also contact TechCrunch via SecureDrop.
Given the circumstances of how and where this zero-day is being sold, it is highly likely that the whole thing is a scam, and that Trust Wallet succeeded only in spreading what people in the cybersecurity industry call FUD: fear, uncertainty and doubt.
Zero-days do exist and have been used by government hacking units for years. But in reality you probably don’t need to disable iMessage unless you are a high-risk user, such as a journalist or a dissident living under an oppressive government.
A better recommendation is that users turn on Lockdown Mode, a special feature that disables certain features and functions of Apple devices in order to reduce the avenues hackers can use to attack iPhones and Macs.
According to Apple, there is no evidence that anyone has successfully hacked an Apple device while it was in Lockdown Mode. Several cybersecurity experts, such as Runa Sandvik and the researchers at Citizen Lab, who have investigated dozens of iPhone hacking cases, recommend using Lockdown Mode.
For its part, CodeBreach Lab appears to be a new site with no history. When we checked, a Google search returned only seven results, one of which is a post on a well-known hacking forum asking if anyone had heard of CodeBreach Lab before.
On its home page — complete with typos — CodeBreach Lab claims to offer several types of exploits in addition to iMessage, but provides no further details.
The owners describe CodeBreach Lab as “the nexus of cyber disruption.” But perhaps it would be more appropriate to call it the nexus of braggadocio and naivete.
TechCrunch was unable to reach CodeBreach Lab for comment because there is no way to contact the alleged company. When we tried to buy the alleged exploit (why not?), the site asked for the buyer’s name and email address, and then for $2 million in bitcoin to be sent to a specific wallet address on the public blockchain. When we checked, no one had sent anything.
In other words, anyone who wants the supposed zero-day has to send $2 million to a wallet whose owner there is, right now, no way of identifying and, again, no way of contacting.
And there’s a very good chance it will stay that way.