The call comes in some variation of the same way every time.

A client tells us their partner — current, estranged, or former — has been reading their messages. Knows things they shouldn't know. Shows up where the client didn't tell them they'd be. The client has done some Googling. They've landed on articles about Pegasus, FlexiSPY, mSpy, or one of the dozens of commercial spyware products with names that sound like they belong in a Bond film. They're convinced one of those tools is running silently on their device.

In the vast majority of domestic cases we examine, that's not what happened.

The real attack is simpler, cheaper, and in some ways more insidious — because it doesn't require touching the device at all.

The cost reality nobody talks about

Let's start with the surveillance tools clients are afraid of, because the numbers matter.

NSO Group's Pegasus — the tool that infected the phones of journalists and dissidents and made international headlines — costs approximately $650,000 USD for a license covering ten targets. That's the floor; annual maintenance runs into the hundreds of thousands. NSO Group sells only to vetted government customers. A domestic abuser cannot buy Pegasus. A private investigator cannot buy Pegasus. Nobody reading this article can buy Pegasus.

Commercial "stalkerware" — products like FlexiSPY, Spynger, or Hoverwatch — sits at the other end of the market. These run $30–$200/month and are marketed to parents who say they are monitoring children and to jealous partners willing to cross a criminal line. Their on-device agents require physical access to an unlocked phone and, on iOS, typically a jailbreak to deliver the depth of access their advertising claims. Installation leaves traces: modified system directories, unexpected configuration or certificate profiles, extra entries in the device's process list, and TCC (privacy permission) grants to apps with no legitimate reason for them. Several vendors in this market also sell a "no jailbreak" iOS option that installs nothing on the phone at all: it signs into the target's iCloud account with known credentials and pulls backups and synced data, which is already the account-level attack the rest of this article describes.

Cellebrite UFED — the same professional forensic extraction tool we use at DRL — starts around $15,000 USD and requires specialized training. It is not a surveillance tool; it is a point-in-time extraction appliance. It does not run on devices continuously. But clients see it mentioned in news articles and assume it represents some category of covert ongoing access.

When we do a full filesystem extraction on a device submitted with domestic surveillance concerns, the first thing we establish is whether any of these categories of tools are present. On most devices, the answer is no — and on a full filesystem extraction, that absence is itself evidence.

What the forensics actually shows

A recent case: a woman submits her iPhone alleging her estranged spouse had been reading her emails, iMessages, and locked notes for years. She changed her Wi-Fi password. Her router app still showed her phone connecting to the network hours later, then again in the middle of the night while she slept, and on one occasion while she was physically out of the house carrying the phone in her hand. She'd seen the screen wake on its own one evening. She was convinced the phone was compromised.

Here is what a full filesystem extraction actually showed:

No malware. No jailbreak. No MDM or configuration profiles installed without her knowledge. No suspicious LaunchDaemons beyond the Cellebrite extraction agent we placed there ourselves. We checked the TCC database (TCC.db, the iOS privacy permissions store, not a log) and found elevated permissions on one app with a generic-looking bundle ID; we identified it as a widely distributed speed-test application, not stalkerware. Clean.
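The TCC check above is a query, not a judgement call, so here is what the triage looks like in code. This is an added example, not DRL's tooling. The `access` table it builds is a simplified, constructed stand-in for the real iOS TCC.db schema (iOS 13 and later record the decision in `auth_value`; older builds used a boolean `allowed`), the bundle IDs and rows are constructed, and the list of "sensitive" services is this example's assumption about what a stalkerware agent would want.

```python
"""Triage an iOS TCC.db for apps holding clusters of sensitive grants.

Added example, not DRL's tooling. The table below is a constructed,
simplified subset of the real `access` table in TCC.db; the sample rows
and bundle IDs are constructed for illustration."""

import sqlite3

# Real kTCCService* identifiers; which ones count as "sensitive" is an
# assumption made for this example.
SENSITIVE_SERVICES = {
    "kTCCServiceMicrophone",
    "kTCCServiceCamera",
    "kTCCServicePhotos",
    "kTCCServiceAddressBook",
    "kTCCServiceCalendar",
}

# auth_value on iOS 13+: 0 denied, 1 unknown, 2 allowed, 3 limited.
ALLOWED = {2, 3}


def load_sample_db():
    """Build an in-memory database with a constructed subset of the
    `access` table's columns and a handful of constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE access (
        service TEXT, client TEXT, client_type INTEGER,
        auth_value INTEGER, auth_reason INTEGER, last_modified INTEGER)""")
    rows = [
        # (service, bundle id, client_type, auth_value, auth_reason, unix ts)
        ("kTCCServiceMicrophone",  "com.example.speedtest",      0, 2, 4, 1700000000),
        ("kTCCServiceCamera",      "com.example.speedtest",      0, 2, 4, 1700000000),
        ("kTCCServiceAddressBook", "com.example.speedtest",      0, 2, 4, 1700000000),
        ("kTCCServicePhotos",      "com.apple.mobileslideshow",  0, 2, 4, 1690000000),
        ("kTCCServiceMicrophone",  "com.example.voicememo",      0, 0, 4, 1690000000),
        ("kTCCServiceCalendar",    "com.example.calendarwidget", 0, 2, 4, 1680000000),
    ]
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", rows)
    return conn


def triage(conn, min_grants=2):
    """Return {bundle_id: sorted services} for every client holding at
    least `min_grants` allowed sensitive grants.

    One grant is normal (a camera app needs the camera). A cluster such
    as microphone + camera + contacts on an app whose name explains none
    of them is the lead worth running down by hand, which is exactly how
    the speed-test app in the case above was flagged and then cleared."""
    grants = {}
    for service, client, auth_value in conn.execute(
            "SELECT service, client, auth_value FROM access"):
        if service in SENSITIVE_SERVICES and auth_value in ALLOWED:
            grants.setdefault(client, set()).add(service)
    return {c: sorted(s) for c, s in grants.items() if len(s) >= min_grants}


if __name__ == "__main__":
    for bundle_id, services in triage(load_sample_db()).items():
        print(bundle_id, "->", ", ".join(services))
```

On a real extraction you would open the extracted TCC.db instead of `load_sample_db()`, and the flagged bundle ID is a lead to identify, not a finding on its own: in the case above the identification came back as a legitimate app, and that is the expected outcome most of the time.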

No unknown devices in her iCloud trust circle. We queried TrustedPeersHelper.db, the CoreData SQLite database that records the devices enrolled as trusted peers in an iCloud account, complete with hardware identifiers, serial numbers, and timestamps. Every device in that database was hers or her immediate family's. No third-party laptop. No burner phone. No unknown Mac. The attack never required a trusted device.

The other party's email address in her Identity Services cache. iOS keeps a local cache, idstatuscache.plist, of the addresses it has recently asked Apple's identity servers about to learn whether they are reachable over iMessage. The spouse's email address was there. On its own that shows only that her phone had resolved the address, as it would for anyone she had messaged; its value was that it tied that address to the conversations in the SMS database.

And in the SMS database — her own messages to a friend confirming the access: she described the other party having obtained all her passwords and account credentials and having been reading her email and other communications, potentially for years.

That's the entire case. No spyware required.

The actual attack: credential access

Apple's iCloud ecosystem is extraordinarily powerful. When you share your Apple ID credentials with someone — or when they learn your password through observation, a shared device, or a password manager they had access to — they can, from any browser on any machine:

None of this requires installing anything. None of it touches the device. None of it leaves forensic artifacts on the phone itself, because the access happens on Apple's servers. The one signal Apple does generate, the email warning that the Apple ID was used to sign in to iCloud from a web browser, lands in the same mailbox the intruder is already reading and can be deleted before the owner sees it. The phone's filesystem is clean because the phone was never the point of entry.

This is why clients who change their device and assume they're safe often aren't. The attack doesn't live on the hardware. It lives in the account.

Why the Wi-Fi anomalies were real — just not what she thought

The router logs in this case weren't fabricated. The anomalies were real. But they pointed somewhere different.

Modern iPhones use a randomized private Wi-Fi address per network: a MAC address generated for that device on that SSID and reused each time it joins it. That address is visible to anyone with access to the router's management app, so anyone who had previously been on that router account would have seen it. Cloning a known MAC address onto another device and joining the same Wi-Fi is not technically difficult.

More importantly, we examined the phone's known-networks plist, the file that stores every saved Wi-Fi network on the device along with the time each was first added, and found that the home network credential was not saved to the phone until well after the anomalous connections were reported. The connections the router app recorded in the days before that predated the phone having the network's password at all. Her phone could not have been auto-connecting to a network it did not yet know.

Something else was connecting. Using her MAC address.

The forensic evidence didn't confirm spyware. It confirmed a pattern of access from external devices, combined with credential-level account access — both of which are unrelated to anything installed on the phone.

What forensics can and can't tell you

A full filesystem extraction gives us everything stored on the device. What it cannot give us is the server-side log of what happened on the account. Apple does not surface iCloud.com login history locally. The IP addresses, timestamps, and session tokens from web logins to icloud.com live on Apple's servers — not on the phone.

This is why our recommendations in domestic surveillance cases almost always include:

  1. Apple Privacy Portal (privacy.apple.com): Apple's GDPR/privacy-law data request mechanism lets a user request their own account activity records, including trusted device history and sign-in locations. This is the appropriate first step.
  2. Apple Law Enforcement Portal: if there is a legal proceeding underway, counsel can submit a formal production order for iCloud account access logs, including IP addresses and timestamps per access event. These are the server-side records that prove account takeover.
  3. Change the Apple ID credentials immediately, from a device that has never been in the other party's possession. Password-change notifications go to every trusted device; if the other party controls a trusted device or an open session, they will see it. The secure sequence is: remove the trusted devices you do not control → change the password → sign out all remaining sessions.
  4. Enable two-factor authentication with a trusted phone number only you can read. A shared or observed 2FA number defeats the mechanism, and so does a trusted device the other party still holds, since verification codes are delivered to trusted devices as well as to the phone number, which is why step 3 starts with the device list.

The forensic takeaway for counsel

If you are representing a client in a family law or domestic abuse matter with a digital surveillance component, here is what a properly scoped mobile forensic examination actually establishes:

What it cannot establish — without a legal production order directed at Apple — is when and from where the iCloud account was accessed via web browser. The most damaging access often happened entirely offsite, on hardware that was never submitted for examination, against an account rather than a device.

The absence of malware on the phone is not exculpatory. In most domestic surveillance cases we examine, it is the expected finding — because the phone was never the target.


Data Rescue Labs performs iOS and Android forensic examinations for domestic abuse victims, family law counsel, and corporate clients. If your client alleges digital surveillance and you need a court-ready examination report, our Mobile Forensics and iCloud Forensics teams handle this work. Open a case for a privileged consult.