Exploit seller wants $2 million for a zero-day iMessage attack vector that probably doesn't exist

By Amber Neely

A $2 million iMessage exploit listed on the dark web probably doesn't do what the sellers say that it does, but it's still a reminder that iPhones aren't hack-proof.

iMessage on iPhone

According to a post on X made on April 15, Trust Wallet has found credible evidence related to a high-risk, zero-day exploit targeting iMessage users. Allegedly, the exploit can access an iPhone without requiring the user to click any links.

As a precaution, Trust Wallet suggests that iPhone users -- especially high value individuals -- turn off iMessage until Apple patches the problem.

It's important to note, as Tech Crunch highlights, that there is currently no definitive proof of the exploit's existence. The "proof" is derived from a dark web advertisement for something called "iMessage Exploit."

The advertisement says that the product is an RCE -- a remote code execution -- that requires no interaction from the target. It allegedly works on the latest version of iOS.

CodeBreach Lab, the seller of the supposed exploit, is asking for $2 million in Bitcoin. As of right now, no one has purchased the exploit.

While this threat is likely exaggerated, if not an outright scam, it is still important to understand why these exploits are worth taking seriously.

It is a commonly held belief that iPhones cannot get infected with malware, but this is not entirely true. While it is rare for iPhones to be infected with malware, attackers can still take advantage of zero-day vulnerabilities and zero-click exploits to infect a user's device. However, these types of attacks are typically expensive and difficult to execute due to the high level of sophistication required.