> During its investigations into iServer’s criminal activities, Group-IB specialists also uncovered the structure and roles of criminal syndicates operating with the platform: the platform’s owner/developer sells access to “unlockers,” who in their turn provide phone unlocking services to other criminals with locked stolen devices. The phishing attacks are specifically designed to gather data that grants access to physical mobile devices, enabling criminals to acquire users’ credentials and local device passwords to unlock devices or unlink them from their owners. iServer automates the creation and delivery of phishing pages that imitate popular cloud-based mobile platforms, featuring several unique implementations that enhance its effectiveness as a cybercrime tool.

There's also a more direct approach than the one described in the article:

"Robbers force people to unlock phones, banking apps at gunpoint in trendy Chicago neighborhood" https://www.cbsnews.com/chicago/news/robbers-unlock-phones-b...

I had heard of this kind of operation before. What I had heard is that the initial series of messages attempt to phish you, but after you ignore them, they try to intimidate you into giving up the password by sending you threatening messages and maybe even a video MMS of someone showing off a gun.