Fake Apple Activation Lock / Find My device-unlock lure — post-theft phishing arriving 1-30 days after a loss/theft report: "Your lost iPhone 15 Pro has been located in [city]. Sign in to remove Activation Lock." Exploits the victim's urgency to recover a $1,000+ device. Harvested Apple ID credentials enable thief-resale of the stolen hardware PLUS full iCloud takeover (photos / Keychain passwords / contacts / messages across every tied device) PLUS password-reset access to every service receiving email at the iCloud mailbox. Distinct from generic Apple-ID phish (no device-loss framing), fake-icloud-storage-full-lure (quota), fake-apple-id-purchase-lure (fake receipt). Evidence: Krebs on Security + Wired 2018-2020 organized post-theft phish-ring coverage; AppleInsider 2023-2025 "fake iCloud unlock service" warnings; FBI Cyber 2024 advisory on post-theft-phish targeting NBA players + high-profile theft victims.
fake-apple-activation-lock-device-unlock-lure
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Post-theft Apple ecosystem takeover phishing via Activation Lock / Find My. Real Apple Activation Lock bricks a lost / stolen iPhone / iPad / AirPods / Apple Watch / Mac until the original owner's Apple ID credentials are entered, which makes stolen Apple hardware worthless to thieves unless they can harvest the owner's credentials. Attackers exploit this with a phish arriving 1-30 days after the victim files a loss / theft report: "Your lost iPhone 15 Pro has been located in London — sign in to remove Activation Lock to recover." The link leads to a typosquat host (apple-find-my-verify.example, icloud-findmy-unlock.example, airpods-recover-apple.example) that presents a pixel-perfect fake Find My / Apple ID sign-in UI and harvests the credentials.
Victims are EXTREMELY susceptible because (a) they have just lost an expensive device, (b) they genuinely WANT a "your device was found" message to be real, (c) the lure arrives timed to the loss event, which makes it feel like a real system response, and (d) the urgency timer ("click within 24 / 48 / 72 hours or the device is reset") overrides careful inspection.
Blast radius once the Apple ID credentials are harvested is catastrophic: (1) the thief unlocks and resells the stolen device, which is the primary goal, (2) the attacker now has full iCloud access — every photo, document, Note, Keychain-saved password, contact, message, call history, and iCloud Drive file across every device tied to the Apple ID, (3) Apple Pay may be exposed if not 2FA-locked, (4) the iCloud @icloud.com / @me.com mailbox now belongs to the attacker, which means password-reset emails for every other service the victim uses flow through an attacker-controlled inbox, enabling cascading takeover of bank / broker / work accounts.
Distinct from `fake-icloud-storage-full-lure` (quota-frame billing phish, completely disjoint vocabulary), `fake-apple-id-purchase-lure` (fake receipt + refund flow), and generic unfocused Apple-ID phishing (which has no device-loss trigger). Real precedents: Krebs on Security and Wired documented organized 2018-2020 Chinese phone-theft rings that shipped stolen phones to warehouses and systematically phished the owner's email until cracked; AppleInsider 2023-2025 published multiple warnings about "fake iCloud unlock services" that are all phishing fronts; the FBI Cyber Division issued a 2024 advisory specifically flagging post-theft-phish targeting NBA players and other high-profile theft victims.
Legitimate Find My / Activation Lock messages from Apple come exclusively from `apple.com` / `appleid.apple.com` / `icloud.com` / `support.apple.com` / `apple.co` domains, and the real Apple NEVER asks you to sign in via an email link to remove Activation Lock — the removal is done inside Settings on a signed-in device OR on appleid.apple.com via bookmark, never from an email. Defense: if you lose a device, mark it lost in Find My immediately (which puts a contact phone number on the lock screen), then treat EVERY subsequent "your device was found" email as phishing by default until verified via the real Find My app on another signed-in device. Never click the link in the urgency email — open the Find My app directly to verify the device's current status.
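The indicators described above (sender and link hosts outside the Apple domains listed, device-loss framing, a sign-in-to-unlock ask, and an urgency timer) can be combined into an additive check. This is an added example, not Gorganizer's own code; the function names, regexes and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Legitimate Apple domains, exactly as listed on this page.
APPLE_DOMAINS = ("apple.com", "appleid.apple.com", "icloud.com",
                 "support.apple.com", "apple.co")

# Hypothetical patterns derived from the lure wording quoted above.
DEVICE_LOSS = re.compile(r"\b(lost|stolen|located|found)\b.{0,60}"
                         r"\b(iphone|ipad|airpods|apple watch|mac)\b", re.I | re.S)
UNLOCK_ASK = re.compile(r"\b(sign in|log in)\b.{0,80}"
                        r"\b(activation lock|find my)\b", re.I | re.S)
URGENCY = re.compile(r"\bwithin\s+(24|48|72)\s+hours\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def is_apple_host(host):
    """Exact match or true subdomain only; 'apple' appearing in a label is not enough."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in APPLE_DOMAINS)

def score_message(sender, body):
    """Return (score, reasons). Signals are additive; none is a sole verdict."""
    reasons = []
    sender_host = sender.rsplit("@", 1)[-1].strip("> ").lower()
    if not is_apple_host(sender_host):
        reasons.append("sender-not-apple")
    hosts = {urlsplit(u).hostname or "" for u in URL.findall(body)}
    off_domain = sorted(h for h in hosts if not is_apple_host(h))
    if off_domain:
        reasons.append("link-off-apple-domain:" + ",".join(off_domain))
    if DEVICE_LOSS.search(body):
        reasons.append("device-loss-framing")
    if UNLOCK_ASK.search(body):  # per this page, Apple never asks this by email
        reasons.append("sign-in-to-unlock-ask")
    if URGENCY.search(body):
        reasons.append("urgency-timer")
    return len(reasons), reasons

# Constructed sample messages (not real mail).
LURE = ("Find My <noreply@icloud-findmy-unlock.example>",
        "Your lost iPhone 15 Pro has been located in London. Sign in to remove "
        "Activation Lock: https://apple-find-my-verify.example/unlock "
        "Click within 48 hours or the device is reset.")
BENIGN = ("noreply@apple.com",
          "Your receipt is available at https://support.apple.com/billing")

if __name__ == "__main__":
    for sender, body in (LURE, BENIGN):
        print(sender, score_message(sender, body))
```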
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.