Find My phishing investigation (2026) · Part 1 of 2 · IoC annex →
A scene that plays out across the Middle East
In a metro carriage in Tehran, in a Cairo café, on a Dubai marina walkway, on a Riyadh ride-share — someone reaches for their phone and finds the pocket empty. Three minutes later, sometimes faster, a text arrives in the local language: "Dear Mahsa, your iPhone 14 Pro has been located. View location: https://apple.login-track.live/0OX/". By the time the panic subsides the link has already done its job. The owner has typed an Apple ID and a 2FA code into a page that looks identical to iCloud.com but isn't, and a stranger somewhere else in the region is signing into the real Find My to remove the device from the account.
The pattern is the same in every Middle Eastern city where iPhones get stolen. The lure template, the timing, the kit family, the cash-out path — all shared across many parallel operators. This report documents one of them. The specific crew whose machine got infected by its own infostealer ran 748 smishing waves against 564 iPhones, and 98.1% of the recovered victim phone numbers carry the Iranian country code +98 — but the kit they bought, the SMS aggregators they abused, and the unlock storefronts they cashed out through are all multi-tenant and used by separate operators targeting Egypt, Iraq, the Gulf, the Levant, and beyond. This is one node in a regional ecosystem, not the whole map.
We know what we know about this specific crew because the person running it caught his own malware.
TL;DR
This investigation maps a single node inside an active, multi-year Find My / iCloud phishing ecosystem that targets iPhone-theft victims across the Middle East — Iran, Iraq, Egypt, the Gulf, the Levant, and beyond — built to defeat Activation Lock not by breaking Apple's security in software, but by convincing owners to hand over their Apple ID credentials at the moment of maximum panic.
The specific node we documented surfaced because of a single OPSEC failure: the operator's own Windows machine was infected by infostealer malware ("Luffich Cloud"), and the resulting browser dump — distributed through Telegram channels @Luffich_CloudROBOT and @expertsa11m — preserved the crew's admin panels, SMS gateways, registrar accounts, and a saved "add target" queue documenting 564 stolen iPhone IMEIs and 748 victim phone numbers. 98.1% of those phone numbers carry the Iranian country code +98 — but that is the recovered queue of one operator, not a regional census. The kit they used, the SMS aggregators they abused, and the resale pipeline they fed are all multi-tenant and used by separate operators with different victim distributions.
Static analysis of that corpus, breach-intelligence cross-referencing through early 2026, and passive DNS sweeps in May 2026 tie a fragmented set of personas and infrastructure to a small crew operating from Kabul Province, Afghanistan, running a vertically integrated pipeline from personalised smishing to GSM-unlock resale. The phishing kit is not custom malware — it is PhantomUltimate, a commercial iCloud-phishing kit marketed publicly since at least October 2017, including installation tutorials on YouTube, with documented customer clusters in at least seven other countries.
Key findings:
- Host telemetry: Windows 10, machine DESKTOP-L9Q135V, UTC+04:30 timezone, Persian (Iran) keyboard layout, autofill pointing to Kabul / Paghman, Afghanistan with postal code 1002
- 243 operator-attributed phishing domains (221 from the 2022 stealer capture + 22 added via 2025–2026 breach-intel on the same email cluster)
- 69 saved credentials on commercial and grey-market SMS / A2P platforms, with spoofed sender IDs including Apple, iCloud, FindMy, and FMI
- Six authoritative nameservers (iserverdns.info, iserverdns.us, ispvds.com) reused across the portfolio — the single highest-leverage pivot for proactive brand monitoring
- 589 per-victim smishing short URLs on hosts like apple[.]login-track[.]live (72 URLs generated), confirming operational use — not just domain warehousing
- 108 free-text operator notes naming feeder handles (mestreee, basir, sangaen, …) and Iranian victims, consistent with a cross-border theft → phishing → resale supply chain
- Continued activity through December 2025 and January 2026, proving the operation did not end when the 2022 log was captured
- 20 domains still resolving in passive DNS on 6–7 May 2026, including 10 behind Cloudflare
- Forensic tooling on the operator's PC — including Elcomsoft Phone Breaker (a $999+ commercial iCloud forensics product) — suggesting possible iCloud backup extraction, not only handset flipping
Aggregate victim identifiers and full credential material were reported to Apple Brand Protection in early May 2026 under restricted handling before this public summary was prepared. No victim IMEIs, phone numbers, or usable passwords appear below.
Publication note: aggregate statistics only; allow 7–14 days after platform reporting before citing victim-scale numbers in public channels (per source handling rules).
What we are not saying
Before going further: this report is built from fragments — reused emails, admin-panel fingerprints, timezone and keyboard signals, nameserver habits, and one OPSEC failure that handed us an attribution-grade view. To avoid amplifying the wrong things:
- We are not naming legal individuals. The handles below are operational identifiers from admin logins, not legal-name attribution.
- We are not claiming this is one person. Whether Wahab, Mike Johan, Lehi Sulaimani, and the secondary aliases belong to one operator or a small crew sharing one PC cannot be resolved from this evidence alone.
- We are not attributing PhantomUltimate's other customers in India, Nepal, Bangladesh, Pakistan, Vietnam, Indonesia, or Kenya to this crew. Kit fingerprint matches require additional clustering before attribution.
- We are not publishing victim IMEIs, victim phone numbers, named victims from operator notes, usable credentials, or full operator mailboxes. Those stay in the Apple submission and law-enforcement package.
- The Telegram channels @Luffich_CloudROBOT and @expertsa11m are log marketplaces, not the phishing crew. The same channels distributed unrelated logs from victims with no connection to phishing infrastructure.
The supply chain at a glance
The operation is best understood not as a single phishing campaign but as a three-tier criminal supply chain crossing the Iran/Afghanistan border. The diagram below collapses that into one frame.
When the hunter got hunted
The investigation begins with an ironic twist. The actor under analysis is the victim of an infostealer — their own browser was compromised — but is simultaneously the operator of large-scale phishing infrastructure. That dual role is why the log is attribution-grade: it contains not victim credentials alone, but the operator's saved logins to their own phishing-kit admin panels, hosting control panels, SMS dashboards, and domain registrars.
The corpus comprises nine files and roughly 14,927 lines, all carrying a header referencing @Luffich_CloudROBOT. The logs were brokered through Telegram (@expertsa11m, @Luffich_CloudROBOT) as part of an infostealer-cloud-as-a-service offering. These channels are log marketplaces, not the operators — we verified that by checking other dumps the same channels distributed, which trace to unrelated victims with no phishing infrastructure of their own.
The most significant files break down as follows:
| Artifact | What it contained |
|---|---|
| Credential export (~5,088 lines) | 848 saved records across 681 hosts — registrars, SMS APIs, hosting panels, unlock shops |
| Autofill "add target" export (~3,887 lines) | The operator's victim queue: IMEI, model, color, phone numbers, short URLs, notes |
| Identity autofill (~1,532 lines) | Registrar contact data, payment fields, Kabul / Paghman address fragments |
| Host telemetry (~246 lines) | Machine name, timezone, keyboard layouts, installed software inventory |
| Admin-panel cookies | Active sessions on live phishing-kit backends |
The stealer agent timestamp on the host telemetry file reads 11 February 2022 (local). For years, that date bounded our understanding of the operation. It was wrong to treat 2022 as an end date — breach-intel through January 2026 (§ Continued operation, below) proves the same crew kept running.
Passwords as the operational fingerprint
The single most useful linkage signal in the entire corpus is not a domain pattern or an IP block — it is password reuse. Across 848 saved credentials, a small handful of operator passwords appear hundreds of times. Each one ties an admin login on a lcloud.com-* domain to an admin login on a different apple.id-* domain, then to a saved registrar account, then to an SMS-aggregator dashboard. The dense reuse is what lets us cluster 221 separately-registered domains into a single operator without ever touching the live kits.
We do not publish the passwords themselves. The cluster is identifiable to defenders without them: any new phishing domain whose /admin/ panel accepts the same email + password pair is the same crew until proven otherwise.
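The clustering step described above, as an added illustration rather than the investigators' own tooling: hosts from a stealer-style credential export are linked transitively through shared (email, password) pairs, and each pair is reduced to a digest so the resulting cluster can be shared with defenders without disclosing any password. Every host, address and password in the sample is constructed.

```python
"""Cluster hosts from a credential export by reused (email, password) pairs."""

import hashlib
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the common "url|username|password" export shape.
# All hosts, e-mail addresses and passwords below are invented for this example.
SAMPLE_EXPORT = """\
https://lcloud.com-example-a.test/admin/login.php|ops@example-mail.test|Pw-One
https://apple.id-example-b.test/admin/auth.php|ops@example-mail.test|Pw-One
https://client.registrar-example.test/login|ops@example-mail.test|Pw-One
https://client.registrar-example.test/billing|ops@example-mail.test|Pw-Two
https://portal.sms-example.test/|ops@example-mail.test|Pw-Two
https://track-example-c.test/admin/index.php|ops@example-mail.test|Pw-Two
https://shop.unrelated-example.test/account|someone@else.test|Other-Pw
https://forum.unrelated-example.test/login|someone@else.test|Other-Pw
https://lone-example.test/login|lone@else.test|Lone-Pw
"""


def pair_key(email: str, password: str) -> str:
    """Opaque identifier for an (email, password) pair; shareable, not reversible."""
    digest = hashlib.sha256(f"{email.lower()}\x00{password}".encode()).hexdigest()
    return digest[:16]


def parse_export(text: str):
    """Yield (host, pair_key, is_admin_panel) for every well-formed line."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 3 or not parts[0].startswith("http"):
            continue  # header, comment or malformed row
        url, email, password = parts
        split = urlsplit(url)
        if not split.hostname:
            continue
        yield split.hostname, pair_key(email, password), split.path.startswith("/admin")


class DisjointSet:
    """Minimal union-find so linkage is transitive (A shares a pair with B, B with C)."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_hosts(text: str, min_size: int = 2):
    """Return clusters (largest first) of hosts linked by shared credential pairs.

    Clusters below min_size carry no linkage evidence and are dropped."""
    hosts_by_pair = defaultdict(set)
    admin_hosts = set()
    for host, key, is_admin in parse_export(text):
        hosts_by_pair[key].add(host)
        if is_admin:
            admin_hosts.add(host)
    ds = DisjointSet()
    for hosts in hosts_by_pair.values():
        hosts = sorted(hosts)
        for other in hosts[1:]:
            ds.union(hosts[0], other)  # every host using the same pair joins one set
    groups = defaultdict(list)
    for host in {h for hs in hosts_by_pair.values() for h in hs}:
        groups[ds.find(host)].append(host)
    result = []
    for members in groups.values():
        if len(members) < min_size:
            continue
        members.sort()
        result.append({
            "hosts": members,
            "admin_panels": sorted(h for h in members if h in admin_hosts),
            "pair_keys": sorted(k for k, hs in hosts_by_pair.items() if hs & set(members)),
        })
    result.sort(key=lambda c: -len(c["hosts"]))
    return result


if __name__ == "__main__":
    for c in cluster_hosts(SAMPLE_EXPORT):
        print(f"{len(c['hosts'])} hosts, {len(c['admin_panels'])} kit admin panels,"
              f" {len(c['pair_keys'])} credential pairs: {', '.join(c['hosts'])}")
```

The registrar host bridges the two credential pairs, which is exactly how one reused password chains a kit admin panel to a registrar account and then to an SMS dashboard.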
The attack flow
What happens between "your iPhone is stolen" and "the device is wiped and resold" is a nine-stage pipeline. Every box below maps to a specific saved login or autofill record in the dump.
The kit's admin paths (/admin/index.php, /admin/auth.php, /admin/install.php) are identical across all 243 domains — a single PHP codebase mass-deployed.
A secondary outcome — strongly suggested by the Elcomsoft Phone Breaker install on the operator's PC — is iCloud-backup extraction. Elcomsoft Phone Breaker is a $999 commercial forensic tool, almost exclusively seen in legitimate DFIR labs; finding it on a criminal workstation alongside 3uTools, Samsung Tool PRO, and three concurrent remote-access tools (AnyDesk, UltraViewer, TeamViewer) is the closest thing to a smoking gun in this report. Once the operator has the Apple ID password and a 2FA code, they can pull photos, messages, contacts, and keychain data — monetisable through extortion or identity fraud, not only through handset resale.
The victim database hidden in browser autofill
The single most consequential artifact is not a malware sample — it is browser autofill.
Phishing kits used by this crew expose an administrator form to queue new targets: IMEI, device model, color, victim phone numbers, and notes. Each time the operator submitted the form, the browser retained the values. The infostealer captured that history verbatim.
Aggregating unique values across the autofill export yields:
| Field | Unique values | Significance |
|---|---|---|
| Victim IMEIs | 564 | Stolen devices actively targeted for credential harvesting |
| Victim phone numbers | 748 | Smishing destinations (more numbers than IMEIs — victims with multiple SIMs and retries) |
| Personalized short URLs | 589 | Proof of sent lures, not just registered domains |
| Operator notes | 108 | Feeder handles, batch labels, paraphrased victim salutations |
| Device models | 34 strings | iPhone 6 through iPhone 13 Pro Max family |
Where this operator's victims live
Phone numbers in this one operator's recovered queue are overwhelmingly Iranian. The geographic concentration is the most consequential attributional finding for this specific crew — but it should not be read as a regional census. Find My smishing of this kind hits iPhone owners across the entire Middle East; this is what one node in that ecosystem looks like when the operator's browser autofill spills.
This is not a global spray-and-pray campaign for the crew we documented. The most plausible model is a feeder network inside Iran (street theft, pickpocketing, organised device acquisition) supplying IMEIs and contact details to an Afghanistan-based operator who runs the phishing wave and shares resale proceeds through unlock forums and storefronts. The same model — feeder network in one country, smishing operator in another, shared kit and SMS aggregators — runs in parallel across the Middle East with different national focus per operator.
What the operator notes reveal
The 108 saved notes read like an internal ticketing system. Batches are tagged with feeder handles — basir, mestreee, sangaen, molah, hamid, wz, and others — often followed by text such as "Dear [name]" and Iranian mobile numbers (redacted here).
The suffix fresh appears repeatedly (basir fresh, bismiullah fresh 1, hamid fresh new order, mestreee new fresh). In stolen-iPhone criminal slang, "fresh" means a device recently stolen before the owner enables Lost Mode or changes passwords. Speed determines profit: the window between theft and Find My lockdown is measured in minutes, not hours. The notes are operator triage — which devices are still phishable, which are already burned.
One note embedded a live smishing path on apple[.]login-track[.]live — confirming that host as an operational front-runner, not archival infrastructure.
We do not reproduce victim names or numbers in this article. They were forwarded to Apple under TLP:RED handling. The highest-impact protective action available to a platform holder is IMEI-level blocklisting at the activation layer, which can render devices unsellable even if phishing succeeds.
Operator host telemetry and geographic attribution
The stealer's host-telemetry file answers questions domain lists cannot: who was sitting at the keyboard, and with what tooling.
Machine and locale
| Indicator | Value |
|---|---|
| Computer name | DESKTOP-L9Q135V |
| Windows user | Operational handle consistent with GSM-unlock trade |
| Timezone | UTC+04:30 — Afghanistan Standard Time |
| Keyboard layouts | English (US) and Persian (Iran) |
| Stealer-reported public IP | Indonesian range (likely VPN/proxy exit — in tension with timezone) |
Address autofill
Registrar and identity autofill repeatedly reference Afghanistan, Kabul, and the Paghman district, with postal code 1002. The operator also reused spoofed Apple HQ addresses (1 Infinite Loop, Cupertino) on WHOIS contact forms — a common registrar abuse pattern that gives WHOIS records the visual veneer of legitimacy when investigators glance at them quickly.
Personas and alias cluster
Multiple forum and panel handles appear across the same admin logins — mikejohan45, lehisul1970, parwezyosofi, gsmnazari786, and related variants. As stated in the sidebar above: these are operational identifiers, not legal-name attribution. Whether they represent one individual or a small crew sharing one workstation cannot be resolved from this evidence alone.
What can be stated with high confidence is that the same credential clusters reappear across hundreds of kit admin logins — an operational fingerprint useful for linking newly discovered domains.
The reseller toolkit on disk
Installed software on the host at capture time reads like a textbook iPhone gray-market workshop:
- 3uTools 2.56 — device management and firmware workflows common in unlock shops
- Samsung Tool PRO 34.8, InfinityBox BEST — adjacent mobile-unlock tooling
- Elcomsoft Phone Breaker 8.30 — commercial iCloud forensic software ($999+), almost exclusively seen in legitimate DFIR labs
- AnyDesk 7.0.14, UltraViewer 6.2.98, TeamViewer 15.13.6 — three concurrent remote-access tools (consistent with accomplice access or customer support for unlock services)
- iTunes, Apple Mobile Device Service, PdaNet+ 5.22 — required iPhone interaction tooling
- Internet Download Manager, WinRAR, Notepad++ — general operator tooling
The combination of 3uTools + Elcomsoft Phone Breaker + Samsung Tool PRO + InfinityBox BEST on a single machine is itself a forensic fingerprint — a textbook iPhone-resale-criminal toolkit. Elcomsoft Phone Breaker is the line item that elevates this from "handset flipping" to "potential identity-fraud pipeline." We cannot prove iCloud-backup extraction from the log alone, but the tooling is consistent with it, and it is the threat Apple's audit of the 564 victim accounts (§14.7 of the Apple submission) is designed to surface.
Phishing infrastructure at scale
Domain portfolio and naming logic
We attribute 243 domains to this crew — 221 directly from saved admin credentials, cookies, or install pages in the 2022 stealer log, plus 22 additional names linked through 2025–2026 breach-intelligence hits on the same email/password patterns (apple--find.info, device--icloud.info, findmyiphone.de.com, and similar).
The portfolio breaks into seven recognisable clusters. Counts are approximate and overlap at the edges; the /admin/ panel fingerprint is consistent across all of them.
| Cluster | Pattern | ~count | Examples |
|---|---|---|---|
| apple.com-* | apple.com- prefix on attacker domain | ~14 | apple.com-map-id.us.com, apple.com-id-map.com |
| apple-* direct | apple- prefix | ~22 | apple-findmy.us.com, apple-id-maps.com |
| apple.id-* | subdomain trick | ~25 | apple.id-com.click, apple.id-device.live |
| lcloud.com-* | typo-squat of iCloud | ~32 | lcloud.com-map-id.live, lcloud.com-findmy.us.com |
| icloud-* | direct iCloud impersonation | ~28 | icloud-findmy.pw, icloud.com-map-id.com |
| Locator lures | track-, find-, findmy-, locate-, support- | ~50 | track-idevice.link, find-device.support, support-findmy.link |
| Generic / unlock storefronts | misc / cross-brand | ~50 | applelogin.co, source4apple.com, imeiking.com, ifreeicloud.co.uk |
The phishing-kit backend exposes consistent PHP paths across the portfolio:
/admin/
/admin/index.php
/admin/auth.php
/admin/login.php
/admin/install.php
Any newly observed domain whose /admin/ panel accepts the operator's known email/password cluster should be treated as the same crew until proven otherwise.
Nameserver pivots — the highest-leverage DNS signal
Saved registration autofill exposed six authoritative nameservers the operator reused:
ns1[.]iserverdns[.]info
ns2[.]iserverdns[.]info
ns1[.]iserverdns[.]us
ns2[.]iserverdns[.]us
ns1[.]ispvds[.]com
ns2[.]ispvds[.]com
Passive DNS on these nameservers is more durable than chasing individual domains: when one hostname is taken down, the operator delegates the next registration to the same NS pair. Brand-protection programs should monitor these six nameservers continuously — new delegations are a leading indicator of campaign relaunch.
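An added example, not PhishEye's own code, that applies the two signals from the portfolio table and the nameserver list above to a feed of newly observed domains: each name is assigned to one of the report's naming clusters, and any delegation to the six watchlist nameservers is flagged as the leading indicator. The regexes, priority tiers and feed lines are the author's constructions.

```python
"""Triage newly observed domains by naming cluster and nameserver delegation."""

import re

# The six authoritative nameservers listed in the report (defanging removed).
WATCHLIST_NS = {
    "ns1.iserverdns.info", "ns2.iserverdns.info",
    "ns1.iserverdns.us", "ns2.iserverdns.us",
    "ns1.ispvds.com", "ns2.ispvds.com",
}
# Legitimate apex names that the brand patterns below would otherwise hit.
ALLOWLIST = {"apple.com", "icloud.com"}

# Naming clusters from the portfolio table as regexes over the domain name.
# The patterns are an approximation by this example's author; first match wins.
CLUSTER_PATTERNS = [
    ("apple.com-*", re.compile(r"^apple\.com-")),
    ("apple.id-*", re.compile(r"^apple\.id-")),
    ("apple-* direct", re.compile(r"^apple-")),
    ("lcloud.com-*", re.compile(r"^lcloud\.com-")),
    ("icloud-*", re.compile(r"^icloud[-.]")),
    ("locator lures", re.compile(r"^(?:track|find|findmy|locate|support)-")),
]
BRAND_TOKENS = re.compile(r"apple|icloud|lcloud|findmy|imei|unlock")
HIGH_CONFIDENCE_SHAPES = {"apple.com-*", "apple.id-*", "apple-* direct",
                          "lcloud.com-*", "icloud-*"}


def normalise(name: str) -> str:
    """Lower-case, strip defanging brackets and any trailing dot."""
    return name.strip().lower().replace("[.]", ".").rstrip(".")


def classify(domain: str):
    """Return the cluster label for a domain, or None if nothing matches."""
    d = normalise(domain)
    if d in ALLOWLIST:
        return None
    for label, pattern in CLUSTER_PATTERNS:
        if pattern.search(d):
            return label
    if BRAND_TOKENS.search(d):
        return "generic / unlock storefront"
    return None


def triage(domain: str, nameservers) -> dict:
    """Combine naming shape and NS delegation into a review priority."""
    d = normalise(domain)
    ns_hits = sorted({normalise(ns) for ns in nameservers} & WATCHLIST_NS)
    cluster = classify(d)
    if ns_hits:
        priority = "high"      # operator NS delegation: leading indicator of relaunch
    elif cluster in HIGH_CONFIDENCE_SHAPES:
        priority = "medium"    # operator naming shape alone; confirm via abuse desk, not probing
    elif cluster:
        priority = "low"       # brand token or locator word only; too generic by itself
    else:
        priority = "none"
    return {"domain": d, "cluster": cluster, "ns_hits": ns_hits, "priority": priority}


# Constructed feed lines "domain,ns;ns". Invented names, not real observations.
SAMPLE_FEED = """\
# domain,nameservers
apple.id-example-one.test,ns1.iserverdns.info;ns2.iserverdns.info
lcloud.com-example-two.test,ns1.example-dns.test;ns2.example-dns.test
track-idevice-example.test,ns1.ispvds.com;ns2.ispvds.com
unlockshop-example.test,ns1.example-dns.test
weather-example.test,ns1.example-dns.test;ns2.example-dns.test
icloud.com,ns1.example-dns.test
"""


def triage_feed(text: str):
    """Parse the feed and return rows ordered by priority, then name."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        domain, _, ns_field = line.partition(",")
        rows.append(triage(domain, [n for n in ns_field.split(";") if n]))
    order = {"high": 0, "medium": 1, "low": 2, "none": 3}
    rows.sort(key=lambda r: (order[r["priority"]], r["domain"]))
    return rows


if __name__ == "__main__":
    for row in triage_feed(SAMPLE_FEED):
        print(f"{row['priority']:6} {row['domain']:32} {row['cluster']}  NS hits: {row['ns_hits']}")
```

A "high" row is a candidate for the brand-protection or abuse-desk queue; as the section below notes, DNS resolution or delegation alone does not prove a live kit.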
Live status (passive DNS, 6–7 May 2026)
Of 243 domains, 20 still resolved (10 behind Cloudflare). 223 returned NXDOMAIN — normal churn for an operation that rotates domains as abuse reports land.
We do not list clickable live hostnames in this narrative post (accidental navigation risk). Defanged IoCs for all 20 live domains are in Part 2.
DNS resolution alone does not prove a domain is actively serving phishing versus parked DNS. Confirming live kits is appropriately done by Apple Brand Protection, host abuse desks, or law enforcement — not third-party investigators conducting unauthorised probing.
The smishing delivery layer
If domains are the visible symptom, SMS routes are the artery.
The credential dump shows saved logins across 69 distinct SMS and bulk-messaging providers. This includes major legitimate A2P (application-to-person) aggregators — Vonage/Nexmo, Sinch, Twilio, Plivo, Infobip, MessageBird, Clickatell, 46elks, Wavecell/8x8, SMSGlobal, MontyMobile, Mocean, Clockwork — and a long tail of grey-market panels whose names alone signal abuse intent (sms-spam[.]info, sms-phoenix[.]site, realsms[.]cc).
The operator configured sender ID strings impersonating Apple services: Apple, iCloud, iSupport, FindMy, FindMyPhone, FMI, Verify, and even Google.
Why this matters more than domain takedowns
Domains are cheap and disposable. SMS aggregator accounts are the bottleneck. Each successful smish is the entry point for Activation Lock removal. Closing operator accounts on legitimate platforms — and blackholing brand-impersonation sender IDs on those routes — degrades the campaign faster than suspending the twentieth lcloud.com-* hostname.
Disrupting this layer requires coordinated abuse reports to aggregator fraud desks with evidence of saved operator emails (held in the law-enforcement package, not published here).
The lure template
Operational notes and industry reporting align on a simple, effective template — personalised with the victim's first name (from the lock screen or SIM contact card) and the exact model and color of the missing device:
Dear [Name], your iPhone [model] has been located. View location: https://[short-path]/
The Swiss National Cyber Security Centre (NCSC) issued public guidance in November 2025 on "your iPhone has been located" smishing — reminding users that Apple does not notify customers this way. Our data shows the warning is still widely ignored because the message arrives at peak emotional vulnerability, often within minutes of the theft.
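An added example (not from the report or the kit) of the SMS-side detection that the lure template and the sender-ID list above imply: each message is scored on a brand-impersonating sender ID, the English "has been located" template, and Apple-lookalike hosts in its URLs, and defanged indicators are emitted for the abuse report. The messages are constructed; the Persian sample shows that the sender and URL checks still fire when the English template regex does not.

```python
"""Score SMS messages for the 'your iPhone has been located' lure."""

import re
from urllib.parse import urlsplit

# Sender IDs the report lists as spoofed by the operator, case-folded.
SPOOFED_SENDER_IDS = {"apple", "icloud", "isupport", "findmy", "findmyphone",
                      "fmi", "verify", "google"}
# Apex domains that may legitimately appear in Apple-originated messages.
APPLE_APEX = {"apple.com", "icloud.com"}

# English lure template quoted in the report. Other languages are not matched
# here; they are caught only by the sender-ID and URL checks.
LURE_RE = re.compile(
    r"dear\s+(?P<name>[^,]{1,40}),\s*your\s+iphone\s*(?P<model>[^.,]{0,25}?)\s*"
    r"has\s+been\s+(?:located|found)",
    re.I,
)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Brand words the portfolio table shows in attacker hostnames.
LOOKALIKE_RE = re.compile(r"apple|icloud|lcloud|find|track|locat|device|support", re.I)


def defang(url: str) -> str:
    """hxxps://host[.]tld form, safe to paste into a report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def is_apple_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == apex or host.endswith("." + apex) for apex in APPLE_APEX)


def inspect_sms(sender: str, body: str) -> dict:
    """Score one message; returns verdict, score, reasons and defanged indicators."""
    score, reasons, indicators = 0, [], []
    sender_norm = re.sub(r"[^a-z0-9]", "", sender.lower())
    if sender_norm in SPOOFED_SENDER_IDS:
        score += 1  # weak on its own: legitimate traffic may use brand sender IDs
        reasons.append(f"brand-impersonating sender ID {sender!r}")
    if LURE_RE.search(body):
        score += 2
        reasons.append("'iPhone has been located' lure template")
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        if host and not is_apple_host(host) and LOOKALIKE_RE.search(host):
            score += 2
            reasons.append(f"Apple-lookalike host {defang(host)}")
            indicators.append(defang(url))
    verdict = "phish" if score >= 3 else "suspicious" if score else "benign"
    return {"verdict": verdict, "score": score, "reasons": reasons, "indicators": indicators}


# Constructed messages: invented sender IDs, names and URLs, none of them real.
SAMPLE_MESSAGES = [
    ("FindMy", "Dear Mahsa, your iPhone 14 Pro has been located. "
               "View location: https://apple.login-track.example/0AB/"),
    ("iCloud", "گوشی شما پیدا شد https://lcloud.com-map-id.example/x9/"),
    ("+14155550100", "Lunch tomorrow? https://maps.apple.com/?q=cafe"),
    ("Apple", "Your Apple ID code is 123456. Do not share it."),
]


def triage_messages(messages):
    """Run inspect_sms over (sender, body) pairs and keep the sender with each result."""
    return [dict(sender=s, **inspect_sms(s, b)) for s, b in messages]


if __name__ == "__main__":
    for r in triage_messages(SAMPLE_MESSAGES):
        print(f"{r['verdict']:10} score={r['score']} from {r['sender']!r}: "
              f"{'; '.join(r['reasons']) or 'no indicators'}")
```

The last sample shows the caveat: a brand sender ID alone only reaches "suspicious", which is the right level for a message that carries no link and no lure text.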
PhantomUltimate: the commercial kit behind the campaign
Early analysis treated the crew's PHP kit as a private codebase. Further breach-intelligence and public marketing materials identify it as PhantomUltimate — a commercial iCloud phishing kit sold from phantomsoftware[.]us with a public demo at demo[.]phantomsoftware[.]us.
The vendor's own marketing copy describes:
- Built-in SMS and email APIs
- Geo-IP-aware multilingual landing pages
- Ready-made Apple HTML templates
That feature set maps one-to-one onto this crew's operation: 69 SMS accounts, per-victim short URLs, Persian-keyboard operators, and Iranian victims receiving localised lures.
Public marketing since 2017
PhantomUltimate is not new. Installation tutorials appear on the YouTube channel @phantomsoftware5023 (videos dating to October 2017). The broader iCloud-phishing-kit market has been documented in mainstream security press for nearly a decade — Brian Krebs covered subscription-based "iPhish" kits in March 2017, and Trend Micro, Motherboard, and 9to5Mac have profiled adjacent products (AppleKit, MagicApp, ProKit, the FMI.php / Devjo class kit family). PhantomUltimate sits in that commodity tier.
Takedown implication: Suspending one crew's domains does not kill the ecosystem. Disrupting the kit supplier — domain, demo site, and tutorial channel — impairs multiple operators simultaneously.
Multi-tenant kit, single investigation subject
Breach-intelligence on phantomsoftware[.]us surfaces distinct customer clusters in India, Nepal, Bangladesh, Pakistan, Vietnam, Indonesia, and Kenya (the .co.ke-targeting variants) — each running their own domains and victim pools.
We do not name individuals in those clusters in this article. Aggregator hits alone are insufficient for public attribution. Defenders should treat kit HTML fingerprints — such as phish.report signature 467ab986 — as the unifying detection signal, then cluster by operator emails and infrastructure.
Saved credentials in the 2022 dump tie the Afghanistan-based crew to PhantomUltimate directly (phantomsoftware[.]us logins with the same password patterns used on kit admin panels).
Continued operation: breach-intelligence through January 2026
A stealer log is a photograph, not a live feed. The critical question for defenders and victims is whether the operation ended in 2022.
It did not. Cross-referencing four primary operator mailboxes (handles above) against commercial breach-intelligence aggregators (VidarSq, ULPS, COMBOS, Redline-style collections) shows continued use of the same password patterns on new infrastructure through December 2025 and January 2026 — for example hostinger[.]in, dashboard[.]nexmo[.]com, apple--find[.]info, device--icloud[.]info, flndmylphone[.]info, and phantomsoftware[.]us.
No single aggregator hit should be treated as definitive — credential-stuffing noise exists — but the pattern of the same mailbox cluster on new domains in the crew's naming convention, with reused operational passwords, is high-confidence evidence of continuity.
Twenty-two additional domains were added to the attributed portfolio through this pivot; three were still live in DNS on the May 2026 sweep (defanged list in Part 2).
A nine-year operation, summarised
Monetization and the GSM unlock pipeline
Phishing is not the endgame — sellable handsets are.
After credentials are captured, devices are removed from Find My, wiped, and moved through forums and storefronts the operator already uses: gsmhosting[.]com, afghan-gsmforum[.]com, gsmkashmir[.]com, unlockbank[.]com, imeiking[.]com, ifreeicloud[.]co[.]uk, and dozens of similar services.
Payment rails in the dump include PayPal (heavily used — 9 saved accounts), Skrill, Binance, and Blockchain.com — consistent with cross-border grey markets where chargebacks and KYC are weak.
Some "unlock" domains in the portfolio (ifreeicloud[.]co[.]uk, iimei[.]co[.]uk, imeiking[.]com) are resale storefronts that may outlive individual phishing front-ends because they masquerade as legitimate businesses. They remain abuse-reportable to hosts and payment processors.
Peer-comparison context — this is a regional pattern
The crew documented here is one node in a Middle East and globally distributed ecosystem of the same playbook:
- May 2026 — the UK National Crime Agency, via The Times, named Amir Khadikhel, an Afghan asylum seeker, as the alleged mastermind of a network responsible for roughly 40% of London iPhone thefts and the shipment of more than 60,000 stolen handsets to China and Dubai in under a year — £181 million worth of devices in a single year. Khadikhel's case is a near-identical operational pattern at much greater scale.
- Egypt and the broader Middle East — Find My / iCloud smishing has been a documented problem across Egypt, Saudi Arabia, the UAE, Lebanon, Jordan, and Iraq for several years, hitting the same demographic (recently-stolen iPhone owners) with the same lure template ("Dear [name], your iPhone has been located"). Local CERTs and consumer-protection bodies across the region have issued advisories; the lure language adapts to Arabic, English, and French depending on the target country, but the kit families and the SMS infrastructure are the same.
- PhantomUltimate's documented customer base — separate operators running the same kit have been linked to victim pools in India, Nepal, Bangladesh, Pakistan, Vietnam, Indonesia, and Kenya, each with their own national focus.
A separate Iran-specific note worth flagging: in July 2025, TechCrunch reported on Miaan Group findings that Apple had sent threat notifications to more than a dozen Iranians in 2025 after detecting government spyware on their iPhones. That is unrelated to the current operation, but it means Iranian iPhone owners specifically face a layered threat picture — nation-state surveillance at the high-value end and the opportunistic theft-and-extortion ecosystem (which this report documents) at the volume end. The practical advice for any iPhone owner in the region is the same: don't follow SMS links to log in to Find My.
What this means for defenders
If you are a potential victim
- Apple will never send you a link to log in because your lost iPhone was "found."
- Enable Lost Mode immediately; use a callback number that is not tied to your Apple ID.
- Open Find My only from the app or https://icloud.com/find — never from SMS links.
- If you already entered credentials: reset your Apple ID password from a trusted device and audit trusted devices.
If you protect a brand or run security operations
Prioritise actions by leverage:
- SMS aggregator abuse — suspend operator accounts; block spoofed Apple / FindMy sender IDs on those routes
- Kit supplier — phantomsoftware[.]us, phantom[.]software, YouTube @phantomsoftware5023
- Cloudflare consolidated abuse — 10 live CF-fronted domains (single submission; defanged list in Part 2)
- Nameserver monitoring — six iserverdns / ispvds hosts
- VPS abuse — Contabo, Hetzner, WebHostBox (operator-administered hosts)
- Platform IMEI blocklisting — highest victim protection per unit effort (Apple-side)
Full IoC tables, defender FAQ, and detection signatures: Part 2 — Threat intelligence annex
Editorial note
Threat-actor and infrastructure attribution is built from fragments — reused emails, admin-panel fingerprints, timezone and keyboard signals, nameserver habits, and occasional OPSEC failures like an infostealer infecting the operator's own machine. None of these alone is conclusive; together they describe a coherent, ongoing operation.
This investigation was conducted passively. We did not log into operator systems, contact victims, or probe live phishing pages in ways that could contaminate law-enforcement evidence or create computer-misuse exposure.
Aggregate statistics in this article were shared with Apple Brand Protection in early May 2026 before publication. Victim identifiers, named individuals from operator notes, usable credentials, and full operator mailbox strings are withheld. Some autofill fragments in the source material may belong to peripheral or innocent parties — we deliberately avoid amplifying unconfirmed legal names.
PhantomUltimate is used by multiple criminal customers worldwide. Indicators tied to this kit fingerprint should not automatically be attributed to the Afghanistan-based crew described here without additional clustering.
For law-enforcement or platform abuse teams requiring the unredacted evidence package, contact PhishEye through official channels. To report active Apple impersonation: [email protected].
Continue reading
Part 2 — Threat intelligence annex — Defanged live domains, IoC tables, detection signatures, timeline, and defender FAQ.
Report phishing: [email protected]
For security teams
PhishEye monitors typosquat clusters (lcloud[.]com-, apple[.]id-, track-idevice[.]) and can automate abuse workflows before smishing waves peak. Contact us for enterprise monitoring.
FAQ
Does Apple text you when your lost iPhone is found?
No. Find My does not send unsolicited SMS with login links. Any such message is a scam.
What should I do if I already clicked the link and entered my Apple ID?
Change your password immediately on a trusted device (not the stolen phone). Review Settings → Apple ID → Devices for unknown sessions, enable two-factor authentication if it was off, and contact your carrier. Report the message to [email protected].
How do I verify a real Find My or iCloud URL?
Use only the Find My app or type https://icloud.com/find yourself — never follow links in SMS or email.
Can thieves break Activation Lock without my password?
They typically cannot break it cryptographically. They phish the owner's Apple ID after theft.
What is PhantomUltimate?
A commercial iCloud phishing kit sold since at least 2017, with built-in SMS APIs — used by multiple criminal customers worldwide. See phish.report kit signature 467ab986 for the HTML fingerprint.
How many domains did this crew use?
At least 243 attributed; 20 were still live in DNS in early May 2026 (10 behind Cloudflare). See Part 2 for defanged hostnames and detection signatures.
Is this only happening in Iran?
No. The 98.1% Iran figure is this specific operator's recovered victim queue, not a regional census. The same kit and the same playbook are used by separate operators targeting Egypt, Iraq, the Gulf states, the Levant, and beyond. PhantomUltimate's documented customer base also extends to India, Nepal, Bangladesh, Pakistan, Vietnam, Indonesia, and Kenya. If you have an iPhone in any of these countries — or anywhere else, frankly — and you receive an unsolicited "your iPhone has been located" SMS after a theft or loss, treat it as a scam regardless of the language it arrives in.
Is naming the country fair attribution?
The country attribution for the operator is based on host autofill (Kabul / Paghman address, postal code 1002), keyboard layout (Persian), and timezone (UTC+04:30 — Afghanistan Standard Time). The country attribution for the victims is the 98.1% +98 dominance in this operator's queue. Together they identify where this specific operation runs and who this specific operation targets — not the legal identity of any individual, and not the boundaries of the wider ecosystem.
