Cryptocurrency Maker’s Warning About iMessage Bug Sounds Like a False Alarm

A crypto wallet maker claimed this week that hackers may be targeting people with an iMessage “zero-day” exploit, but all signs point to an exaggerated threat, if not an outright scam.

Trust Wallet’s official X (formerly Twitter) account wrote that “we have credible information about a high-risk zero-day exploit targeting iMessage on the Dark Web. This can infiltrate your iPhone without clicking any links. High value targets are likely to be obtained. Each use increases the risk of detection.”

The wallet maker recommended iPhone users turn off iMessage completely “until Apple patches this,” although there is no evidence to prove “this” exists at all.

The tweet went viral and had been viewed more than 3.6 million times as of publication. Because of the attention the post received, Trust Wallet wrote a follow-up post hours later. The wallet maker doubled down on its decision to go public, saying it “actively communicates any potential threats and risks to the community.”

Trust Wallet, which is owned by the Binance crypto exchange, did not respond to TechCrunch’s request for comment. Apple spokesman Scott Radcliffe declined to comment when contacted Tuesday.

As it turns out, according to Trust Wallet CEO Eowyn Chen, the “intelligence” is an advertisement on a dark web site called CodeBreach Lab, where someone is offering the alleged exploit for $2 million in bitcoin. The listing, titled “iMessage Exploit,” claims that the vulnerability is a remote code execution (or RCE) exploit that requires no interaction from the target (commonly known as a “zero-click” exploit) and works on the latest version of iOS. Such bugs are called zero-days because the vendor has had zero days to fix the vulnerability. In this case, there is no evidence of an exploit to begin with.

A screenshot of the dark web ad claiming to sell a supposed iMessage exploit. Image credits: TechCrunch

RCEs are among the most powerful exploits because they allow hackers to take remote control of a target device over the Internet. An RCE coupled with a zero-click capability is especially valuable because such attacks can be carried out invisibly, without the device owner knowing. In fact, one company that acquires and resells zero-days is currently offering between $3 million and $5 million for that kind of zero-click zero-day, which is also a sign of how difficult these exploits are to find and develop.

Contact Us

Do you have any information on actual zero-days? Or about spyware vendors? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You can also contact TechCrunch via SecureDrop.

Given the circumstances of how and where this zero-day is being sold, it is very likely that the whole thing is a scam, and that Trust Wallet fell for it, spreading what people in the cybersecurity industry would call FUD, or “fear, uncertainty and doubt.”

Zero-days exist and have been used by government hacking units for years. But in reality, you probably don’t need to disable iMessage unless you’re a high-risk user, such as a journalist or a dissident living under an oppressive government.

Better advice would be to suggest people turn on Lockdown Mode, a special mode that disables certain features and functionality on Apple devices with the goal of reducing the avenues that hackers can use to attack iPhones and Macs.

According to Apple, there is no evidence that anyone has successfully hacked an Apple device while it was in Lockdown Mode. Several cybersecurity experts, including Runa Sandvik and the researchers at Citizen Lab, who have investigated dozens of iPhone hacking cases, recommend using Lockdown Mode.

For its part, CodeBreach Lab appears to be a new website with no track record. When we checked, a Google search returned only seven results, one of which was a post on a well-known hacking forum asking whether anyone had heard of CodeBreach Lab before.

On its typo-ridden home page, CodeBreach Lab claims to offer several other types of exploits in addition to the iMessage one, but provides no proof for any of them.

The owners describe CodeBreach Lab as “the nexus of cyber disruption.” But it would probably be more appropriate to call it the nexus between bragging and naivety.

TechCrunch was unable to reach CodeBreach Lab for comment because there is no way to contact the alleged company. When we tried to purchase the alleged exploit (why not?), the website asked for the buyer’s name and email address and then instructed us to send $2 million worth of bitcoin to a specific wallet address on the public blockchain. When we checked, no one had yet done so.

In other words, anyone who wants this so-called zero-day has to send $2 million to a wallet whose owner, at this point, there is no way to identify and, again, no way to contact.

And there is a good chance that it will continue to be that way.