The Fake iCloud Email Warning Your Inbox Already Received

30s Account takeover — documented by SMEX
1,500+ Phishing domains catalogued by Lookout
2013 BITTER APT active since — 13 years of operations

A wave of fake iCloud storage warnings is hitting inboxes worldwide this week — and it is not just a low-effort consumer scam. Behind the same attack pattern sits a documented hack-for-hire espionage campaign, active since at least 2022, that has targeted named journalists, government officials, and opposition figures across the Middle East and North Africa. The phishing email is the front door. What is behind it is considerably worse.

There is nothing technically sophisticated about this campaign at the consumer level. The emails look like Apple sent them. They warn that iCloud storage is full, that payment has failed, or that all photos and videos will be permanently deleted on a specific date unless the recipient acts immediately. Subject lines in the current wave include "We've blocked your account! Your photos and videos will be deleted on [date]" and "Payment Failure for iCloud Storage Renewal." Some escalate with follow-up messages warning of total and permanent data loss. The link in the email goes to a phishing page — not Apple. Credentials entered there go straight to the attacker.

That is the surface layer. On April 8, 2026, researchers at Access Now, Lookout, and SMEX published coordinated findings linking this exact methodology to a years-long espionage campaign targeting civil society in the Middle East and North Africa, with additional targets in the United Kingdom and potentially the United States. All three organizations conducted independent analyses and reached complementary conclusions. Their reports document a campaign operational since at least 2022, with phishing infrastructure spanning hundreds of domains, a custom Android spyware called ProSpy, and attack events documented through at least 2025. Lookout's newest ProSpy samples were dated March 2026 — meaning parts of the campaign infrastructure were still active at the time the reports were published.

The Consumer-Facing Scam

The current phishing wave targeting general iPhone users follows a tightly repeated pattern. The email arrives claiming that iCloud storage has been exceeded and that the recipient must upgrade or verify payment immediately. Subject lines vary — some warn of account suspension, some claim a payment method has expired, and others state outright that photos will be deleted on a named date. The urgency is engineered. The goal is to prevent the recipient from pausing to verify.

UK consumer body Which? has flagged the campaign publicly, warning that every Apple user needs to be aware of fake iCloud emails claiming photos will be deleted — messages it described as a "nasty scam." The Guardian reported reader accounts of emails with subject lines matching the exact escalation pattern — initial warning, then a "final warning" stating that the deadline has passed and data will be permanently erased.

The phishing emails can appear convincing because they are timed to land when many iPhone users are already receiving legitimate Apple storage upgrade prompts. Scammers have learned that this overlap raises the click rate — the fake warning feels like a natural follow-up rather than an unsolicited threat. The email includes an "upgrade" button that does not go to Apple. It goes to a phishing page built to harvest Apple ID credentials, payment card numbers, and security codes. Recipients who enter their bank details may face unauthorized transactions; the data is used immediately or resold.

The UK's National Cyber Security Centre has directed anyone receiving a suspicious iCloud-related message to forward it to report@phishing.gov.uk. In the United States, the Massachusetts attorney general's office issued a consumer alert warning residents about this specific email pattern and advising them to check account status directly through Apple's official website or through Settings on their device — never by clicking a link in an unsolicited email. Apple's dedicated channel for reporting suspected phishing is reportphishing@apple.com.

Apple Will Not Do This

Legitimate Apple emails do not include a direct link to enter payment details, and Apple does not send warnings threatening to delete your photos on a specific date. If you receive either of these, the email is fraudulent regardless of how closely it resembles Apple's branding.


BITTER APT: The Hack-for-Hire Connection

The mass-market phishing wave running through ordinary inboxes right now shares its infrastructure fingerprint with a more targeted and better-resourced espionage operation. Lookout's April 8, 2026 report, published in coordination with Access Now and SMEX, assessed with moderate confidence that the espionage campaign is "most likely a hack-for-hire operation with ties to BITTER APT (T-APT-17)." The qualifier matters — Lookout noted that it cannot determine with certainty whether this represents an expansion of BITTER's own scope or a separate hack-for-hire outfit with overlapping infrastructure and personnel.

One thing worth addressing directly: this article draws a connection between the mass-market consumer phishing wave and the BITTER-linked espionage campaign. That connection is real but needs to be stated precisely, because some readers will take it to mean the same operators are running both. That is not what the research shows. What is true is that the technique — fake iCloud pages harvesting Apple ID credentials — is identical across both the commodity scam wave and the espionage campaign. The phishing infrastructure patterns, domain construction methods, and credential-harvesting page designs are structurally the same. What differs is the targeting intent: ordinary consumer scammers are running automated phishing at scale, looking for payment card data and Apple ID resale value; the BITTER-linked campaign runs targeted spearphishing against specific named individuals of intelligence value to a state-level client. The attack surface is the same. The operators are not necessarily the same. The threat to any given individual depends on which end of that spectrum they fall on.

BITTER (also tracked as APT-C-08, APT-Q-37, T-APT-17, Hazy Tiger, Orange Yali, and TA397) is a South Asian cyber espionage group active since at least 2013. According to MITRE ATT&CK, it has historically targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia. BITTER's arsenal has included BitterRAT, ArtraDownloader, AndroRAT, and the Android malware Dracarys, which Meta and Cyble attributed to the group in 2022. Dracarys was distributed through fake sites impersonating Signal, Telegram, and YouTube. The technical link to the current ProSpy campaign runs through shared C2 infrastructure: Lookout identified that the domain com-ae[.]net, used to distribute ProSpy, had previously been tied to Dracarys infrastructure via the C2 domain youtubepremiumapp[.]com. Both malware families use numbered command-and-control commands and worker-class naming conventions that are structurally similar despite being developed years apart in different languages.

The ProSpy malware received independent corroboration from ESET in October 2025, before the April 2026 joint disclosure. ESET documented two Android implants — which it tracked under the names ProSpy and ToSpy — that were masquerading as messaging apps and targeting users in the UAE. Lookout subsequently folded ESET's findings into its broader campaign analysis, noting that the implants ESET identified matched the infrastructure and targeting patterns it had already associated with the BITTER-linked operation. The fact that ESET identified these samples independently, months before the coordinated April 2026 disclosure, adds weight to the assessment that the campaign was ongoing and actively developed through at least early 2026. The newest ProSpy samples Lookout documented were from March 2026.

There is genuine disagreement in the threat intelligence community about BITTER's national allegiance, and it is worth being transparent about that. Proofpoint and Threatray published research in June 2025 assessing that BITTER is "highly likely" to operate in the intelligence interests of the Indian government, based on its targeting patterns — consistently hitting China, Pakistan, Bangladesh, and other countries along India's strategic periphery, often using lures that impersonate Pakistani, Chinese, and South Korean government entities. MITRE ATT&CK lists BITTER as South Asian, which is also the consensus position from Cisco Talos, Lookout, and most Western-aligned research organizations. However, at least one vendor — Fortiguard — has described BITTER as "China-aligned," a characterization that stands in contrast to essentially every other published assessment and is not supported by the targeting evidence. Chinese security firms, for their part, tend to attribute BITTER to India, which aligns with the Western consensus even if for different reasons. This article follows the Proofpoint, Lookout, Cisco Talos, and MITRE ATT&CK consensus: BITTER is assessed as a South Asian threat group, with strong indicators pointing toward Indian state interests, while noting that no government has publicly confirmed or denied this attribution.

Justin Albrecht, Global Director of Mobile Threat Intelligence at Lookout, told TechCrunch that the organization behind the current campaign may be an offshoot of the Indian hack-for-hire startup Appin, and named one company, RebSec, as a possible suspect. Appin — formally Appin Software Security — was co-founded in 2003 by Rajat Khare along with high school friends as a technology education startup. By 2007 it had launched a digital security consultancy, and by 2010 its client base had expanded to include Indian intelligence agencies and private-sector clients across more than a dozen countries. SentinelOne describes it as the original hack-for-hire company in India, offering covert hacking services targeting governments and private clients across more than a dozen countries by that period. Reuters published an extensive investigation titled "How an Indian startup hacked the world" in November 2023 based on internal Appin documents, law enforcement files from multiple continents, and interviews with hundreds of people. A Delhi court temporarily ordered the article taken down after a lawsuit filed by an entity claiming to represent Appin's educational franchises; Reuters stated it stood by its reporting, and the article was restored following a subsequent ruling. Appin eventually folded its hacking operations and was renamed multiple times — Wikipedia records it became Sunkissed Organic Farms in 2017 — but Albrecht noted that the activity "didn't disappear and they just moved onto smaller companies."

It is worth clarifying the distinction between these entities, because existing coverage conflates them in ways that cause confusion. BITTER APT is a threat cluster — a label applied to a persistent campaign actor based on shared infrastructure, malware families, and targeting patterns observed over more than a decade. Appin is (or was) a commercial company. RebSec is a separate commercial company. Lookout's assessment is that the campaign infrastructure and ProSpy malware share enough technical DNA with BITTER's documented toolkit to associate the two, and that the commercial hack-for-hire entity behind the current campaign likely has roots in the same South Asian contracting ecosystem that Appin helped create. These are not the same entity. They are overlapping ecosystems. Lookout explicitly said it cannot determine whether this is BITTER itself expanding its scope or a separate hack-for-hire organization with ties to BITTER. That uncertainty is honest and should not be smoothed over.

In June 2022, Google's Threat Analysis Group (TAG) published a report on RebSec, a company staffed by former employees of Appin and BellTroX that offered corporate espionage services and had targeted entities in Saudi Arabia, Bahrain, and the UAE with credential phishing campaigns. Lookout noted that some of the phishing domain patterns used by RebSec — such as icrosoft-acco.unt-log[.]com — closely resemble the infrastructure observed in the ProSpy campaign. RebSec's website and social media accounts have since been deleted. TechCrunch was unable to reach the company for comment.

Albrecht told TechCrunch that hack-for-hire groups and their clients achieve plausible deniability because the contractor runs all operations and infrastructure, leaving no direct line back to whoever commissioned the attack.

Accessing iCloud backups through stolen credentials is "potentially a cheaper alternative to the use of more sophisticated and expensive iOS spyware." — Access Now

Why credential phishing now competes with zero-click exploits

Mohammed Al-Maskati, an investigator and director at Access Now's Digital Security Helpline, told TechCrunch that these operations have become cheaper and allow clients to evade responsibility — the end customer remains unknown and the infrastructure provides no trail back to whoever commissioned the work. Ragheb Ghandour, a cybersecurity technologist at SMEX, told the Committee to Protect Journalists that phishing commissioned through intermediaries is both cheaper and forensically harder to trace than direct attacks, and that expanding accountability frameworks around commercial spyware have driven operators toward tools that fall outside those frameworks.

A spokesperson for the Indian embassy in Washington, D.C. did not respond to TechCrunch's request for comment.

Lookout's report catalogued hundreds of domains used for targeted attacks since at least 2023, with the broader phishing and malicious infrastructure spanning nearly 1,500 distinct web addresses in total. The registered parent domains remain active for months at a time; individual subdomains impersonating specific services are spun up on the fly for attacks against particular targets. Several were built specifically to impersonate Apple services:

facetime-web[.]me-en[.]io
apple[.]id-us[.]cc
icloud[.]com-ar[.]me
icloud[.]com-service[.]info
signin-apple[.]com-en-uk[.]co

None of these domains are Apple. A recipient who glances at a URL and sees "icloud.com" in it — without reading past the first period — may not notice that the actual registrable domain is something else entirely. The subdomain is the decoy. The domain itself is attacker-controlled. That is the intended effect. Access Now's forensic analysis found that the specific domain signin-apple[.]com-en-uk[.]co used in the attack against journalist Mostafa Al-A'sar first resolved to an IP address on the day of the attack — indicating the subdomain was likely created specifically for that target.

The campaign's lure infrastructure goes well beyond Apple. Lookout identified phishing subdomains impersonating Zoom, Microsoft Teams, Microsoft Office 365, Google Drive, Google Play, Signal, WhatsApp, Telegram, FaceTime, Yahoo, Hotmail, DHL, Reuters, The Guardian, Columbia University, and Temple University. There were also subdomains specifically referencing Bahraini government entities — the Ministry of Foreign Affairs, the Bahrain Defence Force, the Prime Minister's Office, and the National Communication Center — suggesting directed targeting of specific government accounts rather than broad credential sweeps.

The Named Targets: Egyptian Journalists and a Lebanese Journalist

Access Now's April 8, 2026 report documents three forensically investigated attack cases. The first two involve two prominent Egyptian journalists, both of whom are government critics who had previously faced political imprisonment: Mostafa Al-A'sar and Ahmed Eltantawy.

Mostafa Al-A'sar is an award-winning independent Egyptian journalist, human rights defender, and researcher who spent nearly four years as a political prisoner before fleeing to Lebanon and later going into exile in Canada. On October 18, 2023, while he was physically located in Lebanon, he received a message via iMessage from an account purporting to be from Apple Support — using the address secure[.]appleuser[at]icloud[.]com. The message instructed him to click a link and enter his Apple ID credentials. He did enter his password. Shortly afterward, he received an Apple sign-in notification showing an authentication attempt from a location in Cairo — inconsistent with his location in Lebanon at the time. That alert prompted him to stop engaging. A few days later, the attackers made a second attempt via iMessage, this time seeking his two-factor authentication code. Access Now's forensic team, which was on a call with Al-A'sar when the second link arrived, was able to scan it in real time. The phishing page specifically asked for the 2FA code — meaning the attacker had already captured his password from the first attempt and needed only the second factor to complete the account takeover.

The second attack against Al-A'sar, in January 2024, was a Google account compromise attempt. An attacker using a LinkedIn profile under the name "Haifa Kareem" contacted Al-A'sar with a purported job offer. After he provided his contact details, he received a follow-up email with what appeared to be a Zoom link for an interview. The link led instead to a phishing page designed to steal his Google credentials through an OAuth consent flow impersonating a legitimate Google sign-in.

Ahmed Eltantawy was a well-known journalist and editor who became a politician, serving in the Egyptian parliament from 2015 to 2020 and launching a presidential campaign against Abdel Fattah al-Sisi in 2023 — before dozens of his supporters and relatives were arrested and he was reportedly blocked from campaigning, leading him to withdraw on October 13, 2023. In February 2024, an Egyptian court sentenced him to one year in prison and barred him from running for national elections for five years, on charges Human Rights Watch described as stemming entirely from peaceful political activism — specifically, his campaign's efforts to collect unofficial public endorsements to demonstrate the scale of his support. He and his aide were released on bail pending appeal; the sentence was upheld on appeal on May 27, 2024, and he was detained inside the courthouse that day. The United Nations called for his immediate release on May 31, 2024. Between May and September 2023, he was targeted with Cytrox's Predator spyware via SMS, WhatsApp, and network injection — a campaign documented by the Citizen Lab and Google's Threat Analysis Group that triggered Apple's release of emergency patches for CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993. The phishing campaign from the BITTER-linked operation against Eltantawy came on top of this prior Predator targeting — and was unsuccessful. He did not engage with any of the lures. Access Now noted that a successful compromise would have given the attackers unrestricted access to both targets' Apple and Google account data, including details about their families, professional sources, and associates — exposure that, in the context of Egypt's documented crackdown on independent media, would have endangered anyone connected to them.

The third case, documented by SMEX in a parallel report also published April 8, 2026, involves an unnamed Lebanese journalist described as having decades of experience as a reporter and editor, with considerable influence in shaping political discourse and connections to the Lebanese government. This attack was successful. On May 19, 2025, the journalist received a phishing message via Apple Messages impersonating Apple. The attacker used the domain com-en[.]io — a structure designed to suggest a legitimate English-language Apple page while using a non-standard TLD. The initial attack fully compromised the journalist's Apple account and resulted in the addition of a virtual device, giving the attacker persistent access to the account's data. Two follow-up phishing messages arrived via WhatsApp on May 21 and 22 using the same infrastructure.

The journalist contacted SMEX's Digital Forensics Lab on May 25 — six days after the initial compromise. That delay has a direct forensic consequence: evidence from the first wave, which succeeded in breaching the account and adding the virtual device, was limited by the time investigators were engaged. The second wave, which arrived via WhatsApp and failed, was captured with more completeness — investigators were able to document the full credential exfiltration chain, including how the AiTM infrastructure processed the submitted username, password, and 2FA codes in sequence. This case is a practical illustration of why incident reporting speed matters: the most operationally damaging part of the attack happened before investigators had visibility.

[Interactive step-through, not reproduced here: "The 30-Second Account Takeover." The Lebanese journalist's account was fully compromised in approximately 30 seconds; the walkthrough traces the exchange between the victim, the phishing proxy, and Apple.]

When SMEX's Digital Forensics Lab investigated, its forensic analysis of the second wave was comprehensive enough to capture the complete credential exfiltration — username, password, and 2FA codes — in sequence. The analysis showed that the attackers executed the account takeover in approximately 30 seconds from the moment the victim submitted their password. SMEX reported that the infrastructure used 2FA interception within a 30-second window, encrypted URL parameters for victim tracking, and multi-layered anti-forensic measures.

Al-A'sar told the Committee to Protect Journalists that the persistent targeting made him feel under constant surveillance, placing severe pressure on both his journalism and his personal relationships.

The Android Arm: ProSpy and Signal Account Hijacking

The iOS-focused iCloud phishing is only one component of the campaign. For targets using Android devices, the infrastructure delivers a spyware called ProSpy — a feature-packed surveillance tool developed in Kotlin that masquerades as popular messaging applications including Signal, WhatsApp, ToTok, Botim, and Zoom. ESET documented related samples in October 2025, labeling them ProSpy and ToSpy and noting that they targeted users in the United Arab Emirates. Lookout subsequently confirmed these were the same malware families used in the civil society targeting identified by Access Now and SMEX.

Lookout acquired 11 ProSpy samples, with the earliest dating to August 2024, indicating the malware was under active development throughout the campaign's documented period. ProSpy's capabilities include collection and exfiltration of contacts, SMS messages, device hardware and software metadata, and local files across multiple MIME types — documents, images, audio, video, archives. A worker class called NewFilesWorker specifically targets recently modified files, which allows the attacker to focus on current activity rather than historical archives. ProSpy uses ten numbered C2 commands (0 through 9) handled by individual worker classes, a structural parallel to the numbered C2 architecture used by Dracarys, the earlier BITTER Android malware from 2022.

Delivery uses a two-stage approach. Targets are first contacted through malicious sockpuppet accounts on LinkedIn or directly via iMessage — in some cases impersonating Apple Support — and pressured to click a spearphishing link. For Android targets, the link leads to a single-page staging site for a messaging application, such as a fake ToTok update page at totok-pro[.]ai-ae[.]io, which automatically downloads the ProSpy APK. The staging site supports both English and Arabic. The randomized PHP path (for example, /ca9bCVSI.php) is designed to obscure the real distribution URL — visiting the main domain without the path returns a mostly empty page showing only "Loading..."

In addition to the malware delivery and iCloud phishing, the campaign used a third technique to target Signal accounts: QR code-based device linking. Signal permits accounts to be linked to multiple devices simultaneously. Attackers sent targets a page impersonating Signal's device-linking interface, complete with instructions in Arabic, presenting a malicious QR code. If the target scanned it, they would link their Signal account to a device controlled by the attacker — granting full access to their encrypted message history and future messages without any malware installation. Lookout noted that this technique, popularized by Russian APTs in recent years, was incorporated directly into the BITTER-linked campaign's toolchain. Signal issued a public warning about such impersonation campaigns in March 2026.

This is where a widespread misconception needs to be addressed head-on. Signal's end-to-end encryption is not broken by this attack. Signal's cryptography remains sound. What the QR code linking attack exploits is a legitimate feature — device linking — that Signal provides to let users sync their account across multiple devices. The attacker does not decrypt anything. They authorize themselves as a linked device, and then Signal's own system delivers every subsequent message to both the victim's phone and the attacker's device simultaneously, fully decrypted, because that is how the linked devices feature works by design. Many online discussions of Signal's security describe the app as essentially uncompromisable and use its encryption as a reason to trust it completely. That framing is accurate about the cryptography and dangerously incomplete about the attack surface. Social engineering against the device-linking feature requires no cryptographic capability whatsoever. It requires only that the target scan a QR code they believe to be legitimate. The same technique has been documented in Russian APT operations against Ukrainian military personnel since at least 2022 and was covered in a Google Threat Intelligence Group report in February 2025. The BITTER-linked campaign's use of it demonstrates that it has spread well beyond Russian-aligned actors.

Signal issued a public warning in March 2026 — a month before the joint disclosure — specifically about impersonation phishing campaigns targeting its device-linking feature. The warning confirmed that threat actors were distributing fake "link a device" pages and QR codes designed to trick users into authorizing attacker-controlled devices. That Signal felt the volume warranted a public advisory is itself useful signal: this technique is no longer a niche APT tactic. It is in broad enough circulation that one of the most security-conscious messaging companies decided its user base needed an explicit heads-up.

The practical mitigation for this specific attack is an audit that takes under thirty seconds. In Signal, open Settings and navigate to Linked Devices. Every device currently authorized to receive your messages appears there, with a name and last-active date. If any entry is unrecognized, tap it and select Unlink. The device is immediately cut off from receiving messages. For high-risk users — journalists, activists, anyone likely to be a specific target — this audit should be a routine check, not a reactive one. A compromised linked device can sit silently for weeks or months before detection; any messages sent during that window were readable by the attacker in full.

Why iCloud Backups Are the Real Target

For the high-value targets in the BITTER APT campaign, credential harvesting through fake Apple pages was not the end goal. It was a means of accessing iCloud backups. A successful login to a target's Apple ID gives the attacker access to that account's iCloud backup — which, depending on the target's configuration, can include the near-complete contents of their iPhone: messages, photos, contacts, call logs, health data, location history, notes, and app data.

A note on scope, because this gets confused online: iCloud backup and iCloud sync are two different things, and what an attacker actually gets depends on how the target has configured their account. Apple's backup documentation makes the distinction clear — iCloud backup stores data that is not already syncing to iCloud separately. If a target uses iCloud Photos, their photos sync directly and are accessible via the Apple ID regardless of whether a backup exists. If a target uses Messages in iCloud, their messages sync directly and are accessible the same way. If they use neither of those features, photos and messages are stored only in the backup. In every configuration, the Apple ID credential gives the attacker access to some combination of backed-up data and directly synced data. Apple Pay information, Face ID settings, and content from streaming services are excluded from iCloud backup — but for the civil society targets in this campaign, those omissions are not meaningful. The photos, messages, contacts, app data, and location history that are accessible represent everything operationally relevant to a surveillance operation.

This is a significant point that gets lost when iCloud phishing is discussed only in the context of consumer fraud. Stealing an Apple ID credential is not equivalent to stealing a password to a shopping account. For a journalist, activist, or government official with iCloud backups enabled, it is equivalent to handing the attacker a copy of everything on their phone. No zero-day exploit required. No malware installed. Just a credential submitted to the wrong login page. Access Now's report framed credential-based iCloud backup access as a cost-effective substitute for conventional iOS spyware — a framing that captures exactly why this attack method has become attractive to hack-for-hire operations targeting civil society.

This campaign relied on far less sophisticated tactics than the Coruna or DarkSword exploit chains that also recently drew attention for compromising older iPhones — because for a hack-for-hire campaign targeting civil society, sophistication is not required. Social engineering a credential out of someone is cheaper, faster, and less likely to trigger detection than chaining kernel exploits. Phishing remains effective not because defenders are unaware of it, but because the volume and polish of phishing infrastructure has outpaced the average user's ability to identify it.

The SMEX investigation makes the consequence concrete. The Lebanese journalist's Apple account was fully compromised in approximately 30 seconds from the moment the password was submitted. The attacker then added a virtual device to the account — establishing persistent access without any further interaction from the victim. Everything in that account was readable by an unknown third party from that point forward. That is the intended end state for every iCloud phishing attempt in the current mass-market wave, scaled down only by the absence of a specific target worth maintaining access to.

How to Identify a Fake iCloud Email

The indicators of a fraudulent iCloud email are consistent across the current campaign. None is foolproof on its own — skilled attackers can address many of them — but together they form a reliable filter for the vast majority of attempts in circulation right now.

The sender domain is the first check. Genuine Apple email comes from addresses ending in @apple.com or @email.apple.com. Any variation — additional subdomains, hyphens, country-code strings, or alternative TLDs — is a red flag. A display name reading "iCloud" or "Apple Support" means nothing; display names are trivial to spoof and are not verified by email clients. The domain after the @ sign is the only thing that matters for sender verification.

The second check is the nature of the request itself. Apple does not send emails with embedded buttons that lead directly to a payment entry form. Apple does not warn users that their photos will be deleted on a specific date unless payment is received. Apple does not send "final warning" emails about iCloud storage. These are engineered scarcity and urgency tactics, not Apple communication patterns. If an email is asking you to act immediately to prevent data loss, that urgency is the mechanism of the scam — it is designed to suppress the instinct to verify before clicking.

The third check is to verify the claim on the device itself, not in the email. Open Settings on your iPhone, tap your name at the top, then tap iCloud, then tap Manage Account Storage. Your actual storage status is there. If it shows available space, the email claiming it is full is fraudulent. This check takes under ten seconds and requires clicking nothing in the email. If you are on a Mac, you can do the same through System Settings > Apple ID > iCloud.

A fourth check applies specifically to any link in a suspicious email: hover over it before clicking (or hold-press on mobile) to preview the destination URL. If the URL contains "icloud" or "apple" but those words appear in the subdomain rather than as the registrable domain — for example, icloud[.]com-service[.]info or signin-apple[.]com-en-uk[.]co — it is not Apple. The attacker owns the registrable domain: the label immediately before the TLD, together with the TLD itself. Everything to the left of it is decoration.

There is some online confusion about how to read URLs correctly, and it is worth resolving it here. The rule is this: take the hostname (the part between the scheme's // and the next slash) and read it from right to left. The registrable domain — the part the attacker controls — is the segment immediately before the top-level domain (the .com, .info, .io, .co, etc.), together with that TLD. In icloud[.]com-service[.]info, the TLD is .info, which means the registrable domain is com-service[.]info — and that is what the attacker registered. "icloud" in that URL is a subdomain. In signin-apple[.]com-en-uk[.]co, the TLD is .co, the registrable domain is com-en-uk[.]co, and everything else is decoration. Some readers have pushed back on this rule by pointing out that legitimate websites sometimes use hyphens and unusual structures. That is true, but Apple is not one of them: Apple's legitimate domains are apple.com and icloud.com, full stop. Any URL that puts those words before a dot in a subdomain position is attacker-controlled. The complexity of the new TLD landscape (.io, .co, .me, .cc and so on) is part of why these attacks work — these domains look more credible than they did when phishers were limited to .info or .biz. When in doubt, do not click the link at all. Navigate directly to appleid.apple.com in a fresh browser window.
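As an added example (not code from the article or from any of the cited reports), here is a small Python checker that applies the sender-domain rule from the first check and the right-to-left URL rule above to indicators written in the defanged `[.]` style reports use. The allowlist of Apple domains and the short table of two-label public suffixes (co.uk and the like) are assumptions for the demo; the objection readers raised about hyphenated and multi-label structures is real for other organisations, which is why production tooling should consult the Public Suffix List rather than a hard-coded table. The sample From: header and link are constructed.

```python
import re
from urllib.parse import urlsplit

# The article's allowlist: Apple's legitimate web domains are apple.com and icloud.com.
# Assumption for the demo: this is not an exhaustive inventory of Apple-owned domains.
APPLE_WEB_DOMAINS = {"apple.com", "icloud.com"}
# The article's mail rule: genuine Apple email comes from @apple.com or @email.apple.com.
APPLE_MAIL_DOMAINS = {"apple.com", "email.apple.com"}

# A handful of two-label public suffixes, hard-coded as an assumption so the demo
# runs offline. Production code should use the Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au", "co.jp"}


def refang(indicator: str) -> str:
    """Undo the '[.]' defanging used when reports print indicators."""
    return indicator.replace("[.]", ".")


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL (a bare hostname is accepted too).

    urlsplit() discards user-info tricks such as https://apple.com@evil.example/,
    so the result is the host the browser would really connect to.
    """
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Read the hostname right to left: the registrable domain is the label just
    before the public suffix, plus the suffix itself. Everything further left is
    a subdomain the registrant chose, i.e. decoration."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_apple_link(url: str) -> bool:
    """True only when the link's registrable domain is one Apple actually owns."""
    return registrable_domain(hostname_of(url)) in APPLE_WEB_DOMAINS


def sender_domain(from_header: str) -> str:
    """Domain after '@' in a From: header. The display name is ignored entirely
    because it is unverified and trivially spoofed."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    return refang(address).rsplit("@", 1)[-1].lower().strip()


def is_apple_sender(from_header: str) -> bool:
    """Apply the article's sender rule to the domain part only."""
    return sender_domain(from_header) in APPLE_MAIL_DOMAINS


def triage(from_header: str, link: str) -> dict:
    """Combine both checks into one verdict for a suspicious message."""
    return {
        "sender_domain": sender_domain(from_header),
        "sender_is_apple": is_apple_sender(from_header),
        "link_registrable_domain": registrable_domain(hostname_of(link)),
        "link_is_apple": is_apple_link(link),
    }


if __name__ == "__main__":
    # Constructed sample message built around the article's defanged example domain.
    verdict = triage('"Apple Support" <noreply@icloud[.]com-service[.]info>',
                     "https://icloud[.]com-service[.]info/storage/renew")
    print(verdict)
```

Both verdict fields come out false for the constructed sample: the display name says "Apple Support", but the sender domain is com-service.info and so is the link's registrable domain. A link such as appleid.apple.com.evil.example is rejected for the same reason, since only the two rightmost labels count.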

If You Clicked and Submitted Credentials

Go to appleid.apple.com immediately and change your Apple ID password. Sign out of all devices from the Security section. Enable two-factor authentication if it is not already active. Check your Apple purchase history for unauthorized transactions. If payment details were entered, contact your bank or card issuer right away. Forward the original phishing email to reportphishing@apple.com. In the UK, also report it to report@phishing.gov.uk. In the US, file a report at ReportFraud.ftc.gov.

Audit your trusted devices. At appleid.apple.com, scroll to the Devices section — every device currently signed in to your Apple ID is listed. Review each one. If any device is unfamiliar or was not authorized by you, click or tap it and select Remove from Account. This is the Apple-side equivalent of the Signal linked-device audit. The SMEX case documented an attacker adding a virtual device to the compromised account to maintain persistent access without any further interaction from the victim — meaning simply changing your password does not remove a device that was added before the password change. You must also remove any devices you did not add.

If you want to reduce what an attacker can access even after a credential compromise, enable Advanced Data Protection at Settings > your name > iCloud > Advanced Data Protection. This enables end-to-end encryption for your iCloud backups, photos, and notes — meaning the data in iCloud is encrypted with keys only your devices hold. Apple cannot hand it over even under a court order. One caveat: if you lose access to all your trusted devices without a recovery key or contact set up, Apple cannot help you recover it. Set up a recovery key or recovery contact before enabling this.

Note for UK users: Apple withdrew Advanced Data Protection for new UK users on February 21, 2025, after the UK Home Office issued a Technical Capability Notice (TCN) under the Investigatory Powers Act demanding backdoor access to encrypted iCloud data — not just for UK citizens, but for users globally. Apple refused to comply and withdrew ADP from the UK rather than build a backdoor. In August 2025, US Director of National Intelligence Tulsi Gabbard confirmed the UK had withdrawn that original global demand following pressure from the US government; however, Apple stated it had not received official confirmation, and the Home Office declined to comment publicly. In October 2025, the Home Office issued a new, narrower TCN — this one limited to British users rather than global access — and Apple's legal challenge at the Investigatory Powers Tribunal was subsequently dismissed by mutual consent following a "change in circumstances," according to court documents obtained by Computer Weekly. The new narrower order remains active. As of the date of this article, ADP is still unavailable to UK users: Apple's own UK support page continues to state that the feature cannot be offered in the United Kingdom.

UK users' iCloud backups, photos, and notes are currently protected by standard encryption (meaning Apple holds the keys and can be legally compelled to provide access under warrant), not end-to-end encryption. This is directly relevant for any UK journalist, activist, or official reading this article — particularly in the context of a campaign that specifically targeted UK civil society figures and specifically sought to access iCloud backup data.

For organizations operating in sectors targeted by hack-for-hire campaigns — media, NGOs, legal, opposition politics, government — Apple ID phishing warrants explicit inclusion in security training and threat modeling. The connection between a consumer-looking iCloud storage warning and potential full-device content exposure via backup access is not intuitive for non-technical staff. It needs to be explained directly, with concrete examples of what iCloud backup access actually gives an attacker. The SMEX and Access Now cases provide exactly that specificity.

Key CyberSpit Notes

  1. The consumer phishing wave and the espionage campaign use identical techniques against the same attack surface — but are not necessarily run by the same operators. Fake iCloud emails targeting ordinary users and the BITTER APT campaign targeting named journalists and government officials use the same credential harvesting method and structurally similar infrastructure patterns. What differs is targeting intent and what happens with the access afterward. This distinction matters because some coverage of this campaign implies a direct operational link between everyday scam emails and the APT, which overstates what the research shows. The technique is shared. The operators may not be.
  2. 2FA does not fully protect against real-time phishing relay attacks — and this is widely misunderstood. The SMEX investigation documented a case in which the attacker captured both a password and a 2FA code through the phishing page and completed an Apple account takeover in approximately 30 seconds. This works through what the security industry calls an Adversary-in-the-Middle (AiTM) attack: instead of building a static fake login page that stores credentials for later use, the attacker runs a proxy server that relays the victim's authentication to Apple in real time, captures the session token that Apple returns, and then uses that token independently. The victim sees a normal login flow. The attacker captures the proof of authentication. This technique has become the dominant method attackers use to bypass MFA in 2025 and 2026, according to Microsoft, the Canadian Centre for Cyber Security, and Proofpoint research, with a 146% rise in AiTM attacks observed in 2024 alone by Microsoft. Here is why this matters for the current debate: a huge volume of consumer security advice — from antivirus companies, blogs, and even some official guidance — still says "enable two-factor authentication to protect against phishing" without this qualification. That advice is not wrong, but it is incomplete. 2FA stops the majority of opportunistic phishing attacks, which are static credential-capture pages that don't perform real-time relay. But it does not stop AiTM-style attacks, which are the technique used against the Lebanese journalist in this campaign and increasingly the default tooling for sophisticated attackers. For ordinary consumer phishing, enable 2FA — it helps significantly. For high-risk individuals such as journalists, activists, and political figures who are likely to be targeted specifically, 2FA alone is insufficient.
     A FIDO2-compliant hardware security key (such as a YubiKey) or a passkey is the mitigation that actually resists AiTM, because the cryptographic challenge is bound to the legitimate domain and cannot be replayed by a proxy. The Canadian Centre for Cyber Security confirmed in October 2025 guidance that "phishing-resistant MFA continues to prevent AitM campaigns." Passkeys on Apple devices provide this protection natively for Apple ID if the device supports them. One important caveat: FIDO2 and passkeys are only as strong as the weakest fallback authentication method on the account. If an attacker can force a downgrade to SMS or TOTP codes — for example, by manipulating the login flow or exploiting a password reset path that uses a phone-based verification — the phishing-resistant chain breaks at that point. This is a documented attack pattern increasingly observed in 2025 and 2026. The practical implication: enabling a hardware key or passkey is the right step, but it must be paired with eliminating or hardening any weaker fallback methods on the same account. For Apple ID, this means ensuring account recovery options are properly configured and that no weaker authentication pathway remains open alongside the stronger one.
  3. An iCloud credential compromise is not a minor account breach. Access to a target's Apple ID and iCloud backup provides near-complete visibility into the contents of their iPhone without requiring any device-level exploit. Organizations handling sensitive work need to treat Apple ID phishing with the same seriousness as any other privileged-credential phishing scenario.
  4. Verify storage claims on the device itself, never in the email. Check actual iCloud storage status in iOS Settings > your name > iCloud > Manage Account Storage before taking any action prompted by an unsolicited email. If storage is not full, the email is fraudulent. This check takes under ten seconds.
  5. Attribution is genuinely uncertain — and that is part of the design. Lookout assessed the campaign as "most likely" tied to BITTER APT, not definitively. The hack-for-hire model — where an unknown client contracts a contractor who builds and runs the infrastructure — creates deliberate distance between the attack and whoever commissioned it. The Indian embassy did not respond to requests for comment. Researchers could not identify the end client. That absence of confirmed attribution is itself a feature of the business model, not a gap in the analysis.
  6. Hack-for-hire continues to expand as a surveillance model. As regulatory frameworks around commercial spyware such as Pegasus have tightened, the incentive to use lower-profile hack-for-hire services has increased. Phishing-based credential theft produces a forensic trail that is harder to trace to a client than a zero-click exploit chain, and it costs a fraction of the price. The structural incentives for this model are not going away.
  7. Incident reporting delay is not a minor inconvenience — it is a forensic cost. The Lebanese journalist contacted SMEX six days after the initial compromise. The attack that successfully breached the account and added a persistent device occurred before investigators were engaged, which meant the forensic evidence from that first wave was limited. The second wave — which failed — was captured in completeness, including the full credential exfiltration chain. For high-risk individuals and the organizations that support them, this case makes the argument for fast reporting concretely: the most damaging compromise event is also the one with the smallest forensic window. Rapid engagement with a digital security resource like Access Now's Helpline or SMEX's Digital Forensics Lab makes a difference to what investigators can recover and attribute.
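As an added example (not from the article or any of the cited reports), the Python simulation below makes note 2 concrete from the verifying side: a passkey or FIDO2 assertion is signed over the origin and rpId that the browser actually saw, so an assertion produced on a lookalike page fails the relying party's checks even when the genuine challenge was relayed to the victim unchanged, whereas a one-time code carries no such binding and verifies wherever it was typed. The origins are constructed placeholders, and HMAC over a per-credential secret stands in for the authenticator's private-key signature so the demo runs on the standard library alone; real WebAuthn verification also checks the signature counter, user-presence flag and attestation, which are left out here.

```python
import hashlib
import hmac
import json
import secrets

# Constructed placeholder origins for the simulation; not real Apple infrastructure.
RP_ID = "login.example"
RP_ORIGIN = "https://login.example"
LOOKALIKE_ORIGIN = "https://login.example-verify.co"   # attacker-controlled relay page


class Authenticator:
    """Stand-in for a FIDO2 key or passkey.

    Assumption/simplification: a real authenticator signs with a private key whose
    public half the RP stored at enrollment. HMAC over a per-credential secret plays
    that role here so the demo needs no crypto library. The lesson is about *what*
    gets signed (rpIdHash + hash of clientDataJSON), not the primitive.
    """

    def __init__(self):
        self.secret = secrets.token_bytes(32)   # shared with the RP at "enrollment"

    def sign(self, rp_id: str, client_data_json: bytes):
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()        # authenticatorData
        to_sign = rp_id_hash + hashlib.sha256(client_data_json).digest()
        return rp_id_hash, hmac.new(self.secret, to_sign, hashlib.sha256).digest()


def browser_get_assertion(auth: Authenticator, page_origin: str, challenge: str):
    """Model of navigator.credentials.get(). The browser, not the page's script,
    writes the origin into clientDataJSON and derives the rpId from the origin it
    is really displaying; a page cannot claim to be an origin it is not."""
    rp_id = page_origin.split("://", 1)[1]
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    client_data_json = json.dumps(client_data, sort_keys=True).encode()
    rp_id_hash, sig = auth.sign(rp_id, client_data_json)
    return client_data_json, rp_id_hash, sig


def rp_verify(verification_key: bytes, challenge: str, client_data_json: bytes,
              rp_id_hash: bytes, sig: bytes):
    """The relying-party checks from the WebAuthn verification procedure that a
    relay cannot satisfy: ceremony type, challenge, origin and rpIdHash."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(client_data.get("challenge", ""), challenge):
        return False, "challenge mismatch"
    if client_data.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = rp_id_hash + hashlib.sha256(client_data_json).digest()
    expected = hmac.new(verification_key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    return True, "ok"


def login_direct(auth: Authenticator):
    """Victim is on the genuine page: the assertion verifies."""
    challenge = secrets.token_urlsafe(32)
    return rp_verify(auth.secret, challenge,
                     *browser_get_assertion(auth, RP_ORIGIN, challenge))


def login_via_lookalike(auth: Authenticator):
    """Victim is on the lookalike page. Even if the genuine RP's challenge reaches
    the victim unchanged and the assertion is forwarded back byte-for-byte, the
    browser bound it to the lookalike origin, so the RP rejects it."""
    challenge = secrets.token_urlsafe(32)   # issued by the genuine RP
    return rp_verify(auth.secret, challenge,
                     *browser_get_assertion(auth, LOOKALIKE_ORIGIN, challenge))


def otp_check(typed_code: str, expected_code: str) -> bool:
    """Contrast: a TOTP or SMS code carries no origin. The RP sees only six digits
    and cannot tell whether they were typed on its own page or on a lookalike."""
    return hmac.compare_digest(typed_code, expected_code)


if __name__ == "__main__":
    key = Authenticator()
    print("direct:   ", login_direct(key))
    print("lookalike:", login_via_lookalike(key))
    print("otp relay:", otp_check("123456", "123456"))
```

The origin check is the one that fires in the lookalike case, and it fires before the signature is even examined: the victim's own browser wrote the lookalike origin into the signed client data. This is also why the fallback caveat in note 2 matters, since the otp_check path accepts the same six digits regardless of where they were entered, and an account that still allows that path has not gained the protection the passkey provides.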

The current iCloud phishing surge is a visible symptom of a longer-running infrastructure problem. The same domain spoofing patterns, urgency-engineering tactics, and credential harvesting pages filling consumer inboxes this week sit at the low end of a spectrum that extends, at the high end, to a documented multi-year espionage campaign targeting named journalists, former political prisoners, and government officials across at least six countries. The Egyptian and Lebanese targets in the Access Now and SMEX investigations had already survived imprisonment and exile. The attack against them still nearly worked. That is what makes this particular scam worth understanding precisely.

  1. Access Now — Espionage for repression: hack-for-hire phishing campaign targets civil society in MENA (Apr 8, 2026)
  2. Lookout — Beyond BITTER: MENA Civil Society Targeted in Hack-For-Hire Operation (Apr 8, 2026)
  3. SMEX — Rotten Apple: An Invasive Threat Actor Targeting Civil Society in Lebanon (Apr 8, 2026)
  4. TechCrunch — Hack-for-hire group caught targeting Android devices and iCloud backups (Apr 8, 2026)
  5. The Hacker News — Bitter-Linked Hack-for-Hire Campaign Targets Journalists Across MENA Region (Apr 2026)
  6. Cybernews — New phishing scam targets Apple users with fake warnings (2026)
  7. MITRE ATT&CK — BITTER (T-APT-17 / APT-C-08)
  8. Reuters — "How an Indian startup hacked the world" (Nov 2023)
  9. Google Threat Intelligence Group — Signal device-linking abuse (Feb 2025)
  10. Google Threat Analysis Group — Countering hack-for-hire groups, including RebSec (Jun 2022)
  11. ESET — Android spyware strains ProSpy and ToSpy targeting UAE users (Oct 2025)
  12. Signal — Public warning on device-linking impersonation phishing (Mar 2026)