Lookalike Domains Expose the iPhone Theft Economy

This report exposes an active underground marketplace—organized primarily on Telegram—that sells iPhone “unlocking” tools, smishing/phishing kits, and social engineering services to monetize stolen phones; researchers identified over 10,000 associated domains, observed growing DNS traffic to those domains, documented detection-avoidance workflows, and provided sample indicators and operational details showing how these tools enable widescale phone theft and resale.