A crypto wallet maker's warning about an iMessage bug sounds like a false alarm
A crypto wallet maker claimed this week that hackers may be targeting people with an iMessage “zero-day” exploit — but all signs point to an exaggerated threat, if not a downright scam.
Trust Wallet’s official X (previously Twitter) account wrote that “we have credible intel regarding a high-risk zero-day exploit targeting iMessage on the Dark Web. This can infiltrate your iPhone without clicking any link. High-value targets are likely. Each use raises detection risk.”
The wallet maker recommended iPhone users to turn off iMessage completely “until Apple patches this,” even though no evidence shows that “this” exists at all.
The tweet went viral, and has been viewed over 3.6 million times as of our publication. Because of the attention the post received, Trust Wallet hours later wrote a follow-up post. The wallet maker doubled down on its decision to go public, saying that it “actively communicates any potential threats and risks to the community.”
Trust Wallet, which is owned by crypto exchange Binance, did not respond to TechCrunch’s request for comment. Apple spokesperson Scott Radcliffe declined to comment when reached Tuesday.
As it turns out, according to Trust Wallet’s CEO Eowyn Chen, the “intel” is an advertisement on a dark web site called CodeBreach Lab, where someone is offering said alleged exploit for $2 million in bitcoin cryptocurrency. The advert titled “iMessage Exploit” claims the vulnerability is a remote code execution (or RCE) exploit that requires no interaction from the target — commonly known as “zero-click” exploit — and works on the latest version of iOS. Some bugs are called zero-days because the vendor has no time, or zero days, to fix the vulnerability. In this case, there is no evidence of an exploit to begin with.
A screenshot of the dark web ad claiming to sell an alleged iMessage exploit.
RCEs are some of the most powerful exploits because they allow hackers to remotely take control of their target devices over the internet. An exploit like an RCE coupled with a zero-click capability is incredibly valuable because those attacks can be conducted invisibly without the device owner knowing. In fact, a company that acquires and resells zero-days is currently offering between $3 to $5 million for that kind of zero-click zero-day, which is also a sign of how hard it is to find and develop these types of exploits.
