France: Apple warns victims of new spyware attacks

Bill Thompson
By Bill Thompson
Technology
9 Min Read

France’s national cybersecurity agency has resumed its warning to Apple users whose devices were targeted by advanced spyware, indicating that the commercial surveillance tools continue to pose a threat to the general public. The alerts, which people receive directly from Apple to accompanying Apple IDs, show that at least one device on the affected account was attacked and could be at risk, according to information shared by France’s incident response teams.

France agrees new round of Apple threat alerts

Officials in France with the country’s national response system, which includes ANSSI and its CERT-FR team, said they are monitoring a new wave of Apple warnings and that the recipients should treat them as high-risk. The French government has not said how many people have been affected and infected in its country, but its message was clear: Apple releases such a notice only when it has a very high degree of confidence that state-grade spyware or a similar mercenary tool was used against a device.

Table of Contents
An email from Apple notifying the user of a targeted mercenary spyware attack on their iPhone, with recommendations for immediate actions, displayed w

Apple does not name the attacker or the exploit chain in these advisories. That opacity is deliberate. Signs of compromise can be detected by the company’s threat intelligence and telemetry, but not in a way that reveals details that would assist operators in honing their techniques. In France, fears about such tools are not theoretical: The country’s leadership has been ensnared in previous high-profile spyware campaigns, with President Emmanuel Macron reportedly swapping out his own phone in the wake of Pegasus-related revelations.

What Apple’s alert is really saying

Apple’s so-called “threat notifications” come via iMessage and email and are reflected in the Apple ID portal. The attacks are highly sophisticated and expensive, and are normally handed out to government clients by commercial vendors, according to the company. Recipients are encouraged to lock down their accounts, update their devices and to consult with experts—an Apple response that often defers to civil-society responders like the Digital Security Helpline of Access Now.

Security researchers warn that zero-click attacks, in which no “tap” is necessary for a device to be infected, are becoming more common among hackers who are targeting messaging services. Previous cases have exploited parts of iMessage and the WebKit before Apple fixed similar vulnerabilities. Citizen Lab and Google’s Threat Analysis Group have tracked several iOS zero-day chains exploited by commercial surveillance vendors, and Zerodium publicized that it had paid bounties in the upper seven figures for reliable iOS zero-click exploits—an indication of the high-value game at play.

The mercenary spyware market driving the attacks

Apple consistently blames these campaigns on “mercenary spyware” operators, rather than identifying any countries by name. The market also consists of the likes of NSO Group (Pegasus), Intellexa (Predator), Candiru, and the now-inactive QuaDream. Their tools have been tied by investigations by Citizen Lab, Amnesty International’s Security Lab and media consortia to surveillance of journalists, activists, lawyers and political figures in a range of regions.

Both Predator and Pegasus have been found on the phones of public officials and dissidents around the world and has been mentioned in scandals in Europe over illegal surveillance. And that’s not even to mention a behind-the-scenes look at “Operation Triangulation,” a chain of iMessage infections that quietly hijacked iPhones, a reminder that mobile devices remain attractive targets for elite exploit groups.

Apple has sent threat alerts to users in over 150 countries, which indicates that these operations are not limited to a few jurisdictions. The company’s response is to harden the platform — measures like Blastdoor messaging isolation, Rapid Security Response updates, and Lockdown Mode, which can reduce attack surface meaningfully. But now, private security researchers say that Lockdown Mode could thwart some of the methods that exploit certain security flaws by turning off potentially risky features.

Главная » Technology “We are watching you!” DF: Warning to Apple iPhone users (or anyone else) in France.Well, shade my eyes JUNE 2025.Let me tell you the short story before somebody traces a line, draws a bead and edits it out.To all you iPhone users reporting airborne hack […]

An email screenshot on a red background with a white rectangle showing an alert from threat-notifications@ apple.com with the subject ALERT: Apple det

What French users should do now

If you did get an Apple notification Here’s how to check it out safely (don’t click any links; go to appleid.apple.com/account and sign in). Update iOS, iPadOS, macOS and watchOS to the latest releases without delay. If you are a journalist, activist, lawyer, public official, or otherwise at higher risk, consider turning on Lockdown Mode. Rotate Apple ID and email passwords, and if possible on Apple ID, turn on hardware security keys and check devices attached to your account.

Contact legitimate support organizations (like Access Now) or seek forensic support from independent labs (like Citizen Lab or Amnesty International’s Security Lab). And if it is possible preserve your device state—unexpected factory reset can wipe out important traces. “High-risk” individuals might consider switching to an entirely new fully updated device, compartmentalize communications (work/personal), limit exposure to iMessage, and refrain from downloading unvetted configuration profiles.

Why France is paying attention

French authorities have also upped their focus on building resilience to foreign interference and covert digital operations, with agencies such as Viginum tracking information manipulation and ANSSI delivering technical guidance to public institutions. At European level, the Parliament’s PEGA committee called for more oversight over spyware purchasing and for stronger protections of fundamental rights, as well as for shining a light on the dangers of opaque vendor networks.

The complication is how to square legitimate investigative imperatives with civil liberties and democratic oversight. Abuses are difficult to detect, and even harder to come to terms with, with only modest transparency from buyers and vendors. Apple’s warnings provide a rare window into the shadowy world of espionage, but the problem is systemic.

The bigger picture

These new alerts are yet another reminder that in the realm of cyber, the creators of the most elite mobile spyware leverage their knowledge to stay relevant despite being blocked by firmware and platform defenses. Surveillance tools for sale flourish because they are profitable, deniable and in many cases kept secret. France’s recognition of the Apple notifications solidifies the emerging consensus: directed spyware is now no longer extraordinary — it’s part of the security baseline for high-value individuals and institutions.

The pragmatic solution is to link rapid updates and defensive modes with policy reforms, procurement accountability, and backing for independent forensics. As long as the market incentives are as they are, expect more alerts. The question for both governments and platforms, though, is how quickly they can translate early warning into lasting deterrence.

Bill Thompson
ByBill Thompson
Bill Thompson is a veteran technology columnist and digital culture analyst with decades of experience reporting on the intersection of media, society, and the internet. His commentary has been featured across major publications and global broadcasters. Known for exploring the social impact of digital transformation, Bill writes with a focus on ethics, innovation, and the future of information.
Latest News