
iVerify’s Research Team has uncovered a previously unknown zero-click iMessage vulnerability, dubbed “NICKNAME”, that was likely used in targeted surveillance operations against high-value individuals across the United States and the European Union. The vulnerability, which was patched in Apple’s iOS 18.3.1 update, was discovered following a series of anomalous crash reports on iPhones belonging to individuals tied to political campaigns, media outlets, AI firms, and government institutions.
“Specifically, we detected exceedingly rare crashes typically associated with sophisticated zero-click attacks via iMessage – an exploitation technique previously unobserved in any systematic way in the United States,” the researchers wrote.
The attacks targeted imagent, a core iOS process. The bug is a use-after-free memory corruption, likely triggered by a series of rapid-fire nickname updates sent through iMessage. It served as a foothold, or “primitive,” for further exploitation, enabling attackers to pivot deeper into the device’s operating system.
While iVerify has not established full attribution, the circumstantial evidence points strongly to potential Chinese state-sponsored actors. All six confirmed or suspected targets had prior connections to matters of interest to the Chinese Communist Party: previous targeting by the known APT group Salt Typhoon, opposition activism, or business activities of geopolitical relevance to China.
“Interestingly, all of the victims had either previously been targeted by the Chinese Communist Party (CCP)… or had engaged in some sort of activism against the CCP.”
Of the six devices analyzed, four showed clear crash signatures tied to NICKNAME, and two exhibited signs of successful compromise—including bulk deletion and creation of iMessage attachments within seconds after a crash, which is indicative of digital ‘clean-up’ behavior. At least one of the devices also received an Apple Threat Notification, corroborating the timeline of suspected exploitation.
“We only observed these crashes on devices belonging to extremely high value targets. And these crashes constituted only .0001% of the crash log telemetry taken from a sample of 50,000 iPhones.”
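The indicator described above (an imagent crash followed within seconds by bulk deletion and creation of iMessage attachments) can be expressed as a simple correlation over device telemetry. The following is an added example, not iVerify's code or method; the record format, the 20-second window, the threshold of three events, and the sample data are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry in a simplified, hypothetical record format
# (timestamp, event kind, detail). This is not a real iOS log schema.
EVENTS = [
    ("2025-01-10T09:14:02", "crash", "imagent"),
    ("2025-01-10T09:14:04", "attachment_delete", "att-01"),
    ("2025-01-10T09:14:04", "attachment_delete", "att-02"),
    ("2025-01-10T09:14:05", "attachment_delete", "att-03"),
    ("2025-01-10T09:14:06", "attachment_create", "att-04"),
    ("2025-01-10T09:14:06", "attachment_create", "att-05"),
    ("2025-01-10T09:14:07", "attachment_create", "att-06"),
    ("2025-01-12T18:30:00", "crash", "imagent"),
    ("2025-01-12T19:10:00", "attachment_create", "att-07"),  # normal use, much later
    ("2025-01-13T08:00:00", "crash", "example_daemon"),      # unrelated process
    ("2025-01-13T08:00:02", "attachment_delete", "att-07"),
]

WINDOW = timedelta(seconds=20)  # assumption: what "within seconds" means here
MIN_CHURN = 3                   # assumption: what counts as "bulk"

def classify_crashes(events, process="imagent", window=WINDOW, min_churn=MIN_CHURN):
    """Return (crash_time, verdict, deletes, creates) for each crash of `process`."""
    parsed = sorted((datetime.fromisoformat(ts), kind, detail)
                    for ts, kind, detail in events)
    results = []
    for t, kind, detail in parsed:
        if kind != "crash" or detail != process:
            continue
        # Attachment activity strictly after the crash and inside the window.
        after = [k for u, k, _ in parsed if t < u <= t + window]
        deletes = after.count("attachment_delete")
        creates = after.count("attachment_create")
        # The article's indicator needs both bulk deletion and bulk creation.
        churn = deletes >= min_churn and creates >= min_churn
        verdict = "crash_with_attachment_churn" if churn else "crash_only"
        results.append((t.isoformat(), verdict, deletes, creates))
    return results

if __name__ == "__main__":
    for row in classify_crashes(EVENTS):
        print(row)
```

A crash with no attachment churn still matters for triage, since the article reports four devices with crash signatures but only two with signs of successful compromise.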
The discovery is especially troubling in light of SignalGate and other recent disclosures, which demonstrate that even encrypted messaging platforms cannot defend against device-level compromises. As iVerify warns:
“It doesn’t matter what channel is being used to communicate if the device itself is compromised; attackers have access to all conversations, regardless of whether those happen over Signal, Gmail, or any secure application.”
Security experts, including Patrick Wardle from Objective-By-The-Sea, have independently reviewed and validated iVerify’s findings, emphasizing the real and present danger of mobile device exploitation—even on platforms as tightly controlled as iOS.
Though the specific NICKNAME vulnerability has been patched, iVerify notes that other parts of the exploit chain may still be active. As such, high-risk individuals and organizations are urged to update to the latest iOS version and adopt enhanced mobile security practices.
For a deep dive into the technical details, see the full iVerify report.