From Brick to Cash Cow: Why Thieves Want Your Unlocked iPhone
Over the past few years, there’s been a dramatic increase in iPhone snatching as the preferred theft method for crooks. While part of that is arguably a matter of convenience — it’s easier to get an iPhone out of someone’s hand than their pocket or purse — it turns out there’s a far more subtle and insidious reason: an unlocked iPhone is far more valuable.
That’s because Apple has done an excellent job of making stolen iPhones nearly useless to thieves. In 2013, Apple added Activation Lock in iOS 7, effectively turning stolen iPhones into bricks unless a thief could provide the credentials of the original owner. Initially, this led to a dramatic reduction in iPhone thefts as thieves decided Apple devices simply weren’t worth the trouble.
Of course, while some criminals are idiots, many of the bad actors of the world are smarter than the average bear. It didn’t take long for professional thieves to come up with all sorts of clever tricks that turned iPhones back into desirable targets. Granted, there’s still no way to bypass the Activation Lock, but that doesn’t stop crooks from using phishing and other social engineering tactics to attempt to con the original owner into supplying their password or even removing the Activation Lock.
Incidents of theft also gradually rose again as iPhone repairs got more expensive. A stolen device might not be usable on its own, but it could be mined for parts such as displays, cameras, and batteries, which could then be sold on the black market, ultimately finding their way to less ethical discount repair shops. Apple soon countered this by adding Activation Lock for iPhone parts, ensuring a display or other key part placed in a different iPhone would refuse to function without the original owner’s Apple Account and password.
Sadly, these restrictions haven’t entirely dried up the market for stolen iPhones. While many crime rings end up with bricks, they presumably manage to trick enough of their victims into unknowingly removing the Activation Lock to make it worthwhile. However, it turns out that these are still traded at a significant discount compared to an iPhone that’s already unlocked.
The Lucrative Unlocked iPhone Market
According to a recent report by Wired’s Matt Burgess (Apple News+), an unlocked iPhone can be worth four to ten times more on the black market compared to a locked one. In raw dollars, that’s up to $800 more.
Dan Guido, the CEO and cofounder of security firm Trail of Bits and a strategic adviser to mobile security firm iVerify, says a stolen phone may only be worth $50 to $200 when it is locked. “But if you unlock it, it’s worth $500, or it’s worth $1,000.” That difference can encourage people to develop ways to try and get into devices. “This whole thing is an ecosystem, and there’s multiple people at different levels of the supply chain that all work together in order to unlock phones,” he says.
Matt Burgess, Wired
Although Apple’s new Stolen Device Protection feature should dissuade thieves nearly as effectively as Activation Lock, since it enforces biometric authentication for any significant security changes, it wasn’t enabled by default until recently (in iOS 26.4), which means a lot of folks don’t use it.
However, it’s also no longer just about the phone. Years ago, the hardware was the target of most iPhone thefts. Crooks could be nosy opportunists, but generally as long as you had a secure password they were much more likely to just wipe the iPhone and sell it off to the highest bidder.
Today, the information we store on our iPhones is far more valuable than the hardware itself, particularly since most thefts are now part of organized crime rings. The crook who steals your iPhone may not be part of one, but it’s almost guaranteed that the people they’re selling it to are — and they’re far more interested in finding ways to separate you from your money.
“Phone thieves don’t just want the handset—they want access to bank accounts and personal information,” says Will Lyne, the head of economic and cybercrime at London’s Metropolitan Police. Lyne highlights one case of four men who had been caught handling more than 5,000 stolen phones and spending money from financial accounts on the devices.
Matt Burgess, Wired
Burgess’ report delves into the reality of an entire “stolen-phone unlocking economy” made up of dozens of groups that sell unlocking tools and services “mostly with a focus on iPhones.” Researchers at cybersecurity firm Infoblox have linked more than 10,000 phishing websites to these activities, with traffic to them having nearly quadrupled in the past year.
An unlocked iPhone may be the golden goose for these criminals, but those are still much harder to acquire. So, tools that can turn a $50 brick into an $800 cash cow are in high demand.
The Passport of a Stolen iPhone: From Toronto to Vietnam
While Burgess provides several examples, I can cite one from my own experience that illustrates how many levels an iPhone theft operates at.
In January 2025, my daughter’s iPhone 15 Pro was stolen from her pocket at a Value Village in downtown Toronto. She didn’t notice it was gone until it was far too late; she initially called me on her friend’s phone thinking she’d just misplaced it and hoping that I could use Find My to help her locate it by playing a sound. However, when I opened Find My, her iPhone was already half a dozen miles away. That was the point at which we knew it had been stolen.
The thief had been clever enough to turn the iPhone off, as it didn’t respond to a remote wipe request or show any other signs of being on. It remained trackable thanks to Apple’s AirTag-style tracking features; it was able to report its location over Bluetooth to other nearby Apple devices. This wasn’t enough to provide live, real-time tracking, but it reported its location enough to follow its general journey. At one point it ironically stopped at a strip mall a few blocks away from our house; I went there on a lark, but I didn’t hold out much hope of actually finding it, since it’s not like the thief was about to admit they were carrying a stolen iPhone — and again, the fact that it was powered off prevented me from sounding any alerts on it.
To make a long story short, my daughter’s iPhone ended up in a rather sketchy neighborhood of Toronto where several large apartment buildings are located, eliminating any possibility of getting it back. It went off the grid for a while after that, and we’d pretty much given up on it. Then the social engineering began.
It actually started in March, with my daughter receiving an email from Apple indicating that someone was trying to bypass the Activation Lock. This wasn’t a security alert so much as a support email designed to provide a user with help in the event that they’re doing it wrong. A few minutes later, she received a text message saying her iPhone had been found “near Toronto,” with a link that undoubtedly would have led to a page asking for her password.
Leaving aside the fact that this was an obvious phishing attempt, the fact that the iPhone was now reporting its location 8,600 miles away in Vietnam would have also been a pretty good clue. We both ignored these messages, and they surprisingly went away after two or three sporadic attempts.
We thought that was the end of it until August, when a new series of phishing attempts came in. However, these ones were a bit more alarming, as they not only included her full name, but were also sent to her mother and me (still using her name).
At first, I was puzzled as to how the crooks had obtained this information, thinking that there must have been some connection through leaked data on the dark web. However, after researching it a bit further, the most obvious answer was the iPhone’s Medical ID feature, where my daughter had her own name listed, along with both her parents as emergency contacts — but only as “Mom” and “Dad” without our names.
However, what’s notable about this is how oddly this information seemingly flowed. The March phishing message contained no names or other personal information, and the attempts to bypass the Activation Lock meant the stolen iPhone had been forcibly wiped — along with the Medical ID.
This made it rather curious that the crooks would attempt to use that information in August, months after it should have disappeared, despite not using it in March. However, after a bit more digging it’s actually a function of how these crime rings work — and precisely what Burgess explains in his Wired report.
While I’ll probably never know for certain, the most likely scenario is that my daughter’s iPhone changed hands several times, from the original pickpocket who stole it from her (who likely got less than $100 for it, according to law enforcement officials I spoke with) to the sketchy neighborhood fence and then through several more folks after it landed in Vietnam. Somewhere along the way — likely before it even left Toronto — one of the links in the chain extracted the Medical ID and other information such as the IMEI and uploaded it to a dark web marketplace where a phishing subcontractor can later buy it as a package alongside an assortment of locked iPhones.
Once they’ve accumulated enough iPhones and their associated data to make it worth their while, they feed it into one of the custom software packages that Burgess describes, which automatically generates phishing links and pages that resemble legitimate Apple services, like the Find My portal, and blasts out SMS messages to the phone numbers of the stolen iPhones — on the assumption that most folks will activate the same number on a new phone.
Amusingly, these scripts aren’t without their flaws. After receiving the last batch of phishing attempts last August, I decided to open one of the links — in a secure sandbox, of course — just to see what it looked like. While it was obviously trying to duplicate an Apple website, it was also broken, providing nowhere that I could have entered any personal information even if I had been foolish enough to want to.
That part really highlights the massive factory-style automation behind these theft rings. Nobody is sitting at a computer designing websites and punching out phishing messages. However, there’s surprisingly little persistence behind them either. Two or three messages showed up over the course of two days, and that was it. Presumably the crooks who design these systems know they’re wasting their time if folks haven’t bitten on the first couple of tries.




