Tools once reserved for government hacking of Apple iPhones are showing up in the hands of cybercriminals, according to security researchers who track illicit markets. The warning points to a growing trade in “second hand” exploits that may shift the balance of mobile security. Researchers say techniques first used in state operations are now being repurposed for theft, extortion, and spyware.
From State Operations to Street-Level Crime
Security researchers reported that methods originally designed to break into iPhones are turning up in criminal campaigns. These techniques can grant silent access to messages, photos, and calls. Many are based on so-called zero-day or recently patched vulnerabilities, which give attackers a temporary edge.
“Exploits used by governments to hack into Apple iPhones have been found used by cybercriminals,” researchers said, warning of an emerging market for “second hand” exploits.
For years, government agencies have sourced exploit chains through private brokers and in-house teams. Apple has repeatedly shipped emergency updates to close these holes. But once a technique leaks, is resold, or is partially reverse-engineered from a patch, criminals can copy it. That handoff may take weeks or months, but the damage can be swift.
How Exploits Spread After Disclosure
When Apple fixes a critical bug, attackers study the patch to learn what changed. If the original method becomes known, it can be rebuilt with small tweaks. Private sellers also move code through closed forums, making resale harder to trace. In some cases, a technique first seen in a targeted operation later appears in broad phishing runs.
Researchers describe a chain that starts with a high-end buyer, such as a government unit, and ends with criminal crews. That chain is fueled by high prices for working iPhone exploit chains and by the demand for stealth access to locked-down devices.
Why iPhone Attacks Are So Valuable
iPhones hold sensitive personal and corporate data. The platform’s strong security and rapid updates make stable exploits rare. That rarity drives up prices and fuels a gray market. Criminals seek these tools for fraud, account takeovers, and spyware that can run with little user interaction.
Well-known cases, like Pegasus spyware in past reporting, showed how zero-click attacks can compromise devices without taps. While those tools targeted specific users, a wider criminal turn can bring scaled attacks against businesses and high-net-worth individuals.
Industry Response and Ongoing Risks
Apple runs a bug bounty program, ships frequent security updates, and deploys features such as Lockdown Mode for high-risk users. Mobile carriers and researchers share indicators to spot active exploits. Still, short windows exist between discovery, patching, and user updates. Those windows are now being monetized in repeat sales.
Law enforcement officials argue that targeted access can help stop serious crime. Security experts counter that any exploit stockpile risks leakage and resale. Once a method escapes a closed environment, it can spread fast and linger in modified form even after patches land.
What Users and Companies Can Do Now
Experts recommend basic steps that reduce exposure during the period when resale-driven attacks are most active.
- Update iOS and apps as soon as patches are available.
- Enable automatic updates and consider Lockdown Mode for at-risk users.
- Disable iMessage and FaceTime for sensitive travel if threat level is high.
- Use Mobile Device Management to enforce rapid patching across fleets.
- Limit side channels: avoid untrusted charging stations and unknown configuration profiles.
What to Watch Next
Researchers will track whether exploit resale shortens the time between state use and criminal adoption. Shorter cycles would increase costs for companies and individuals, as attackers move faster than patch deployment. Greater transparency by brokers and stronger norms on vulnerability handling could help, but enforcement is difficult across borders.
The spread of “second hand” iPhone exploits marks a new phase in mobile threats. The market forces behind resale are strong, and defensive speed is the main counter. The next test will come with the discovery of the next critical bug and how quickly it moves from elite operations into common crime.
Senior Software Engineer with a passion for building practical, user-centric applications. He specializes in full-stack development with a strong focus on crafting elegant, performant interfaces and scalable backend solutions. With experience leading teams and delivering robust, end-to-end products, he thrives on solving complex problems through clean and efficient code.
