A sophisticated zero-click vulnerability in Apple’s iMessage service, dubbed “NICKNAME,” has successfully compromised the iPhones of high-value political figures, media professionals, and artificial intelligence executives across the United States and European Union during late 2024 and early 2025.
The exploit requires no user interaction, leveraging a weakness in iOS’s “Nickname” feature that sends notifications when someone’s iCloud photo or name changes.
Security researchers detected the attacks through iVerify, which identified anomalous activity on targeted devices in the form of rare crashes. These crashes represented only 0.0001% of crash logs from a sample of 50,000 iPhones and displayed unusual patterns typical of advanced zero-click iMessage attacks.
A total of six devices were believed to have been targeted by the threat actor, with four demonstrating clear NICKNAME signatures and two showing evidence of successful exploitation. Strong authentication methods could have provided an additional layer of defense against such sophisticated attacks.
Apple has addressed the vulnerability in iOS versions through 18.1.1, though the company disputes claims that the flaw was ever used to compromise devices. Apple’s head of Security Engineering, Ivan Krstić, has emphasized his disagreement with the findings presented by iVerify researchers.
One high-value target in an EU member state received a threat notification from Apple approximately one month after experiencing such crashes, according to findings vetted by multiple independent third parties and iOS security experts.
Security researchers suspect Chinese backing for the operation, noting that all victims had previously been targeted by the Chinese Communist Party. Some affected individuals had encountered Salt Typhoon, a known cyber operation, while engaging in business pursuits counter to CCP interests or participating in anti-CCP activism.
The exploitation grants attackers extensive device access, compromising all conversations regardless of application security measures. Communications across Signal, Gmail, and other secure applications become accessible, as device compromise renders channel-specific security ineffective.
The exploit bypasses traditional security controls without alerting users. The cleanup behavior observed after the crashes suggests attackers actively worked to cover their tracks following successful exploitation.
Related security incidents compound concerns about sophisticated targeting campaigns. TeleMessage, a modified Signal clone used by US government officials, was hacked in May 2025, revealing that archived chat logs lacked end-to-end encryption.
The FBI has warned about ex-officials receiving deepfake texts and AI voice messages impersonating senior US officials, indicating coordinated efforts against government communications infrastructure.