Police shut down website used by scammers to unlock 1.2 million stolen mobile phones

A coalition of law enforcement agencies said it had shut down a service that allowed more than 1.2 million stolen or lost cell phones to be unlocked so they could be used by someone other than the rightful owner.

The service was part of iServer, a phishing-as-a-service platform that has been operating since 2018. Argentina-based iServer sold access to a platform that offered a variety of phishing-related services via email, SMS and voice call. One of the special services offered was designed to help people in possession of large numbers of stolen or lost mobile devices obtain the necessary credentials to bypass protection measures such as “Lost Mode” for iPhones, which prevents a lost or stolen device from being used without entering its passcode.

iServer's Phishing-as-a-Service model.

Catering to inexperienced thieves

An international operation coordinated by Europol's European Cybercrime Centre said it had arrested the Argentine national behind iServer and identified more than 2,000 “unlockers” who had logged into the phishing platform over the years. Investigators eventually found that the criminal network had been used to unlock more than 1.2 million mobile phones. Officials said they had also identified 483,000 phone owners who had received messages seeking login credentials for their lost or stolen devices.

According to Group-IB, the security firm that uncovered the phone unlocking scam and reported it to authorities, iServer provided a web interface that even inexperienced unlockers could use to extract device passwords, user credentials from cloud-based mobile platforms and other personal information from legitimate device owners.

Group-IB wrote:

During their investigation into iServer's criminal activities, Group-IB specialists also uncovered the structure and roles of the criminal syndicates operating with the platform: the platform's owner/developer sells access to “unlockers,” who in turn offer phone unlocking services to other criminals with locked, stolen devices. The phishing attacks are specifically designed to collect data that grants access to physical mobile devices, allowing criminals to obtain user credentials and local device passwords to unlock devices or separate them from their owners. iServer automates the creation and deployment of phishing pages that mimic popular cloud-based mobile platforms and has several unique implementations that increase its effectiveness as a cybercrime tool.

Unlockers obtain the necessary information to unlock the mobile phones, such as IMEI, language, owner details and contact information, which is often accessed through lost mode or cloud-based mobile platforms. They use phishing domains provided by iServer or create their own to set up a phishing attack. After selecting an attack scenario, iServer creates a phishing page and sends an SMS with a malicious link to the victim.

An example of a phishing message sent.

Upon successful completion, iServer customers will receive the login credentials via the web interface, and can then unlock a phone to disable Lost Mode so the device can be used by someone new.

Ultimately, the criminals obtained the stolen and validated credentials through the iServer web interface, allowing them to unlock a phone, disable “Lost Mode,” and disconnect it from the owner’s account.

To better conceal the scam, iServer often disguised its phishing pages as pages of cloud-based services.

Phishing message asking for a passcode.

After entering the passcode, the phishing message disguises itself as a cloud-based service with a card.

In addition to the arrest, the authorities also confiscated the domain iserver.com.

The iServer site as it looked before the shutdown.

The iServer website after the shutdown.

The shutdown and arrests took place from September 10 to 17 in Spain, Argentina, Chile, Colombia, Ecuador and Peru. Authorities in these countries began investigating the phishing service in 2022.
