
iVerify Uncovers Evidence of Zero-Click Mobile Exploitation in the U.S.

By iVerify Research Team

Jun 5, 2025

Throughout late 2024 and early 2025, iVerify detected anomalous activity on iPhones belonging to individuals affiliated with political campaigns, media organizations, A.I. companies and governments operating in the United States and European Union. 

Specifically, we detected exceedingly rare crashes typically associated with sophisticated zero-click attacks via iMessage – an exploitation technique previously unobserved in any systematic way in the United States. Subsequent forensic examination of several of these devices ultimately revealed a previously unknown vulnerability in the “imagent” process which, owing to its relative position in the operating system and functionality, would provide attackers a primitive for further exploitation. This vulnerability was patched by Apple in iOS 18.3. We’ve dubbed this vulnerability NICKNAME.

In the course of our investigation, we discovered evidence suggesting – but not definitively proving – that this vulnerability was exploited in targeted attacks as recently as March of this year. Specifically, we learned that Apple sent Threat Notifications to at least one device belonging to a senior government official in the EU on which we saw the highly anomalous crashes. Likewise, one device demonstrated behavior frequently associated with successful exploitation, specifically the creation and deletion of iMessage attachments in bulk within a matter of seconds, on several occasions after an anomalous crash. We only observed these crashes on devices belonging to extremely high-value targets, and these crashes constituted only 0.0001% of the crash log telemetry taken from a sample of 50,000 iPhones.

While this evidence does not definitively prove exploitation, it is nonetheless difficult to ignore and merits a public discussion, particularly in light of SignalGate. Our findings suggest it doesn’t matter what channel is being used to communicate if the device itself is compromised; attackers have access to all conversations, regardless of whether those happen over Signal, Gmail, or any other secure application. This is why it’s crucial that organizations on the front lines of digital conflict – including the US government – adapt their mobile security models to face modern threats.

Though it is early days, these findings have been vetted by multiple independent third parties, including iOS security experts such as Patrick Wardle of the Objective-By-The-Sea foundation, who are confident in our conclusion that mobile compromise is real, not academic or hypothetical, and that it is happening here in the United States.

So what exactly are those findings? 

So far, we’ve observed six devices in total that we believe were targeted for exploitation by this threat actor: four demonstrated clear signatures associated with NICKNAME, and two demonstrated clear signs of successful exploitation. Interestingly, every victim fit at least one of three profiles: they had previously been targeted by the Chinese Communist Party (CCP), for example by being confirmed as a Salt Typhoon target; they were engaged in business pursuits counter to, or of particular interest to, the CCP; or they had engaged in some form of activism against the CCP.

We don’t have enough evidence to make a clear attribution or to assemble a full view of the exploit chain, but the circumstantial evidence could point to the CCP.

How does it work?

iPhones allow you to set a nickname or avatar for numbers in your contact list. The vulnerability is likely triggered by sending repeated, rapid-fire nickname updates to iMessage, which results in a use-after-free memory corruption. This makes NICKNAME a good candidate for a primitive to pivot off as part of a longer exploit chain.

We believe this vulnerability correlates with successful iPhone exploitation, owing to four concurrent factors: 

  • The extreme rarity of these specific crash patterns (<0.001% of all crash logs)

  • Their exclusive appearance on devices belonging to high-value targets

  • Similarity to crash patterns seen in known spyware attacks

  • Evidence of successful exploitation, including the receipt of at least one Apple Threat Notification proximal to the observed behavior and evidence of ‘cleaning’ behavior
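To make the post-crash ‘cleaning’ signal above concrete, here is an added detection heuristic (example code written for this post, not iVerify’s tooling or its telemetry format) that scans a constructed event timeline for an imagent crash followed within seconds by a burst of iMessage attachment creations and deletions. The event fields, the 30-second window and the per-type threshold are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (invented for this example, not a real device):
# an imagent crash followed seconds later by a create/delete burst, then an
# unrelated crash with ordinary, sparse attachment activity.
SAMPLE_EVENTS = [
    {"ts": "2025-03-02T10:15:00", "type": "crash", "process": "imagent"},
    {"ts": "2025-03-02T10:15:04", "type": "attachment_created"},
    {"ts": "2025-03-02T10:15:04", "type": "attachment_created"},
    {"ts": "2025-03-02T10:15:05", "type": "attachment_created"},
    {"ts": "2025-03-02T10:15:06", "type": "attachment_deleted"},
    {"ts": "2025-03-02T10:15:06", "type": "attachment_deleted"},
    {"ts": "2025-03-02T10:15:07", "type": "attachment_deleted"},
    {"ts": "2025-03-02T11:40:00", "type": "crash", "process": "SpringBoard"},
    {"ts": "2025-03-02T11:40:10", "type": "attachment_created"},
    {"ts": "2025-03-02T12:00:00", "type": "attachment_deleted"},
]


def parse_events(raw):
    """Convert ISO-8601 timestamps to datetimes and sort chronologically."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in raw]
    return sorted(parsed, key=lambda e: e["ts"])


def find_cleaning_bursts(raw, process="imagent", window_s=30, min_ops=3):
    """Flag each crash of `process` followed, within `window_s` seconds, by at
    least `min_ops` attachment creations AND `min_ops` deletions. Window and
    threshold are illustrative assumptions, not values from the post."""
    events = parse_events(raw)
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] != "crash" or ev.get("process") != process:
            continue
        deadline = ev["ts"] + timedelta(seconds=window_s)
        created = deleted = 0
        for later in events[i + 1:]:
            if later["ts"] > deadline:
                break  # events are sorted, so nothing later can qualify
            if later["type"] == "attachment_created":
                created += 1
            elif later["type"] == "attachment_deleted":
                deleted += 1
        if created >= min_ops and deleted >= min_ops:
            findings.append({"crash_ts": ev["ts"].isoformat(),
                             "created": created, "deleted": deleted})
    return findings
```

On the sample above the detector flags only the imagent crash; the SpringBoard crash has a single follow-on attachment event and is ignored. Thresholds should be tuned against a fleet baseline before use, since the post stresses that the rarity of the crash itself is part of the signal.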

Is it Still Active?

Differential analysis reveals the vulnerability was patched in the iOS 18.3.1 release; however, NICKNAME could be one link in a larger exploit chain. It is possible that there are other elements of the exploit chain that are still active, which is why we’re only speaking about the link in the chain that has definitively been patched.

The full technical analysis can be found here. We look forward to sharing any additional material findings when our investigation concludes.
