France’s national cybersecurity apparatus says Apple has issued fresh threat notifications to users whose devices were targeted by advanced spyware, underscoring that commercial surveillance tools remain an active, global threat. The alerts, sent directly by Apple to affected Apple IDs, indicate that at least one device linked to those accounts was targeted and may be compromised, according to guidance shared by France’s incident response teams.
France confirms new round of Apple threat alerts
Officials associated with France’s national response capability, including ANSSI and its CERT-FR team, said they are aware of a new wave of Apple warnings and are advising recipients to treat them as high-risk. While the number of impacted people in France remains unknown, the government’s message is clear: Apple issues these notices only when it has high confidence that state-grade spyware or a comparable mercenary tool was used to target a device.
Apple does not identify the attacker or the exploit chain in these messages. That opacity is deliberate. The company’s threat intelligence and telemetry are used to detect signs of compromise without disclosing specifics that would help operators refine their methods. In France, concern around such tools is not theoretical: the country’s leadership has previously been linked to high-profile spyware targeting, including reports that President Emmanuel Macron changed phones after Pegasus-related revelations.
What Apple’s warning actually means
Apple’s so-called “threat notifications” arrive by iMessage and email and are mirrored in the Apple ID portal. The company warns that these attacks are exceptionally sophisticated and costly, typically deployed by government clients via commercial vendors. Recipients are urged to secure their accounts, update devices, and seek expert help—Apple frequently points to civil-society responders such as Access Now’s Digital Security Helpline.
Security researchers caution that attackers increasingly rely on “zero-click” exploits delivered through messaging services, where no tap is required for infection. Past cases have exploited iMessage and WebKit components before Apple patched the vulnerabilities. Citizen Lab and Google’s Threat Analysis Group have documented multiple iOS zero-day chains used by commercial surveillance vendors, and Zerodium has publicly quoted seven-figure payouts for reliable iOS zero-click exploits—an illustration of the high stakes involved.
The mercenary spyware market behind the attacks
Apple consistently attributes these campaigns to “mercenary spyware” operators rather than naming specific countries. The marketplace includes well-known firms such as NSO Group (Pegasus), Intellexa (Predator), Candiru, and the now-defunct QuaDream. Investigations by Citizen Lab, Amnesty International’s Security Lab, and media consortia have linked their tools to surveillance of journalists, activists, lawyers, and political figures across multiple regions.
In Europe, Predator has figured in scandals involving unlawful surveillance, while Pegasus has been detected on devices of public officials and dissidents globally. Researchers at Kaspersky also detailed “Operation Triangulation,” an iMessage-based infection chain that silently compromised iPhones, reinforcing how mobile platforms are continually probed by elite exploit teams.
Apple says it has sent threat alerts to users in more than 150 countries, a sign that these operations are not isolated to a handful of jurisdictions. The company has responded with platform hardening—such as BlastDoor messaging isolation, Rapid Security Response updates, and Lockdown Mode—which can meaningfully reduce attack surface. Independent researchers have observed that Lockdown Mode can disrupt certain exploit techniques by disabling high-risk features.
Steps French users should take now
If you received an Apple notification, verify it by signing into your Apple ID account directly rather than following links. Immediately update iOS, iPadOS, macOS, and watchOS to the latest versions. Consider enabling Lockdown Mode if you are a journalist, activist, lawyer, public official, or otherwise at heightened risk. Rotate Apple ID and email passwords, enable hardware security keys for Apple ID where feasible, and review devices linked to your account.
Contact reputable support organizations such as Access Now, or seek forensic assistance from independent labs like Citizen Lab or Amnesty International’s Security Lab. Preserve your device state when possible—sudden factory resets can erase valuable indicators. High-risk users may wish to transition to a new, fully updated device, segment communications (work/personal), minimize iMessage exposure, and avoid installing unvetted configuration profiles.
Why France is watching closely
French authorities have prioritized resilience against foreign interference and covert digital operations, with bodies like Viginum monitoring information manipulation and ANSSI issuing technical guidance to public institutions. At the European level, the Parliament’s PEGA committee urged tighter controls on spyware procurement and stronger safeguards for fundamental rights, while calling out the risks of opaque vendor ecosystems.
The challenge is balancing legitimate investigative needs with civil liberties and democratic oversight. Without meaningful transparency from buyers and vendors, abuses are hard to detect and harder to remedy. Apple’s warnings offer a rare window into covert activity, but the underlying problem is systemic.
The bigger picture
These latest alerts signal that elite mobile spyware remains active despite aggressive patching and platform defenses. Commercial surveillance tools thrive because they are lucrative, deniable, and often shielded by secrecy. France’s acknowledgment of the Apple notifications adds weight to a growing consensus: targeted spyware is no longer exceptional—it’s part of the security baseline for high-value individuals and institutions.
The practical path forward pairs rapid device updates and protective modes with policy reforms, procurement scrutiny, and support for independent forensics. Until the market incentives shift, more alerts will follow. The question for governments and platforms alike is how quickly they can turn early warning into lasting deterrence.