A security exploit can authorize a $10,000 Apple Pay transaction from a locked iPhone without requiring Face ID or a passcode [1].
The vulnerability represents a significant risk to mobile wallet security by bypassing the biometric and passcode protections that users rely on to secure their funds. If exploited by bad actors, the flaw could allow unauthorized parties to drain bank accounts using only near-field communication (NFC) technology.
Derek Muller of the YouTube channel Veritasium demonstrated the exploit in a video released in April 2026 [3]. In the demonstration, Muller targeted a locked iPhone belonging to tech reviewer Marques Brownlee. The process used a linked Visa card and NFC to trigger the payment without any user authentication [2].
Reports on the potential financial impact vary. Forbes said that the exploit could move $10,000 [1]. Other reports indicated that thieves could potentially steal thousands of pounds from a device [4].
The demonstration highlights a specific weakness in how Apple Pay interacts with certain transit-related or Visa-linked payment protocols. By mimicking a specific type of transaction, the attacker can bypass the security layer that normally triggers a request for a biometric scan or a manual passcode entry [2].
This exploit differs from traditional phishing or social engineering attacks because it requires physical proximity to the device. However, the ability to authorize high-value payments from a locked screen contradicts Apple's marketing of the iPhone as a secure vault for financial information [1].
Tech analysts and cybersecurity researchers said the incident is a call for Apple to tighten the security of its NFC handshake protocols, especially for high-value transactions that currently bypass authentication in certain transit-mode scenarios [2].
This discovery exposes a critical gap in the 'Secure Element' logic of iOS, where certain payment types are prioritized for convenience over security. While Apple Pay is generally considered more secure than physical cards, this vulnerability suggests that the convenience of 'express' transit payments creates a backdoor for larger, unauthorized transactions that would otherwise require Face ID or a passcode.