Hacking the iPhone has long been considered a rarified endeavor, undertaken by sophisticated nation-states against only their most high-value targets. But a discovery by a group of Google researchers has turned that notion on its head: For two years, someone has been exploiting a rich collection of iPhone vulnerabilities with anything but restraint or careful targeting. And they’ve indiscriminately hacked thousands of iPhones just by getting them to visit a website.

On Thursday evening, Google’s Project Zero security research team revealed a broad campaign of iPhone hacking. A handful of websites in the wild had assembled five so-called exploit chains—tools that link together security vulnerabilities, allowing a hacker to penetrate each layer of iOS digital protections. The rare and intricate chains of code took advantage of a total of 14 security flaws, targeting everything from the browser’s “sandbox” isolation mechanism to the core of the operating system known as the kernel, ultimately gaining complete control over the phone.

They were also used anything but sparingly. Google’s researchers say the malicious sites were programmed to assess devices that loaded them, and to compromise them with powerful monitoring malware if possible. Almost every version of iOS 10 through iOS 12 was potentially vulnerable. The sites were active since at least 2017, and had thousands of visitors per week.

“This is terrifying,” says Thomas Reed, a Mac and mobile malware research specialist at the security firm Malwarebytes. “We’re used to iPhone infections being targeted attacks carried out by nation-state adversaries. The idea that someone was infecting all iPhones that visited certain sites is chilling.”

A New Paradigm

The attack is notable not just for its breadth, but for the depth of information it could glean from a victim iPhone. Once installed, it could monitor live location data, or be used to grab photos, contacts, and even passwords and other sensitive information from the iOS Keychain.

With such deep system access, the attackers could also potentially read or listen to communications sent through encrypted messaging services, like WhatsApp, iMessage, or Signal. The malware doesn’t break the underlying encryption, but these programs still decrypt data on the sender and receiver’s devices. Attackers may have even grabbed access tokens that can be used to log into services like social media and communication accounts. Reed says that victim iPhone users would probably have had no indication that their devices were infected.

Google hasn’t named the websites that served as a “watering hole” infection mechanism, or shared other details about the attackers or who their victims were. Google says it alerted Apple to its zero-day iOS vulnerabilities on February 1, and Apple patched them in iOS 12.1.4, released on February 7. Apple declined to comment about the findings. But based on the information Project Zero has shared, the operation is almost certainly the biggest known iPhone hacking incident of all time.

It also represents a deep shift in how the security community thinks about rare zero-day attacks and the economics of “targeted” hacking. The campaign should dispel the notion, writes Google Project Zero researcher Ian Beer, that every iPhone hacking victim is a “million-dollar dissident“—a nickname given to now-imprisoned UAE human rights activist Ahmed Mansour in 2016 after his iPhone was hacked. Since an iPhone hacking technique was estimated at the time to cost $1 million or more—as much as $2 million today, according to some published prices—attacks against dissidents like Mansour were thought to be expensive, stealthy, and highly focused as a rule.