May 22, 2026
Apple Just Said It Blocked $2.2 Billion in App Store Fraud Last Year—1.1 Billion Fake Accounts, 193,000 Banned Developers, and 11.2 Billion Stopped Since 2020
The numbers Apple published on May 20 read like a fraud telemetry dump from the busiest payment network on the planet. They also explain why the most damaging scams of 2026 are not happening inside the App Store at all.
The Topline Numbers Are Larger Than Most Banks Process
On May 20, 2026, Apple published its annual App Store fraud prevention report for the 2025 calendar year. The headline is that Apple blocked $2.2 billion in potentially fraudulent transactions in a single year. Over the six years from 2020 to 2025, the cumulative total is $11.2 billion. That is more fraud volume than most national retail banks process in legitimate transactions.
The supporting numbers are the part that defines the scale of the fraud economy attacking iOS. Apple rejected 1.1 billion fake customer account creations in 2025. It deactivated another 40.4 million existing accounts caught engaging in fraud or abuse. It terminated 193,000 developer accounts and rejected 138,000 attempts to enroll as a new developer. It blocked 5.4 million attempts to use stolen credit cards. It banned 2 million accounts from making any further App Store purchases.
For comparison, the United States Treasury Department processes roughly 1.3 billion payment transactions in a year. Apple is operating fraud screening at federal payment volume—on a single retail platform.
The Review Pipeline Behind the Numbers
Apple evaluated 9.1 million app submissions in 2025 and rejected 2 million of them. Within that rejection pile:
- 1.2 million new app submissions rejected outright
- 800,000 update submissions blocked, often because the developer tried to introduce a new behavior after the original app had passed review
- 59,000 "bait and switch" apps removed where the visible function on the store page did not match the function delivered after install
- 22,000 submissions caught with hidden features—a category that includes apps that secretly route traffic, mine cryptocurrency, or load remote content not declared at submission time
- 371,000 spam and copycat submissions rejected; 443,000 rejected for privacy violations
- 2.5 million TestFlight beta submissions blocked, often because the TestFlight channel was being used as a distribution pipe for malware aimed at recipients who never went through the App Store
On the discovery side, Apple processed 1.3 billion user ratings and reviews and removed 195 million as fraudulent. It blocked 7,800 deceptive apps from appearing in App Store search results and another 11,500 from showing on the top charts. The chart manipulation number is the one most relevant to ordinary users: even if a malicious app is technically still installable, blocking it from the rankings means typical browsing never surfaces it.
What Apple Is Actually Catching
The fraud categories that drove the $2.2 billion number are not exotic. Apple highlights three patterns. First, fake financial apps—imitations of legitimate banks, crypto wallets, or trading platforms that capture credentials at signup and then drain the linked accounts. Second, phishing apps disguised as utilities, customer service portals, or government services that exist solely to harvest passwords and identity documents. Third, deceptive subscription apps that present a free trial UI but quietly enroll the user in a recurring charge, often for "services" that do not exist.
The 11,500 apps blocked from charts is the receipt for how aggressive the chart manipulation problem has become. Fraudulent developers buy fake reviews and rating boosts to climb the rankings, then collect installs from users who trust the top of the chart. Apple's enforcement intercepts this loop before installs happen. Its 195 million fake review removals show that the underground market for App Store reviews remains industrial in scale.
Sideloading is the other category Apple flagged. The report disclosed 2.9 million blocked attempts in the last month alone to install apps from "pirate storefronts"—third-party distribution channels that bypass Apple's review. Apple also identified and blocked 28,000 illegitimate apps living on those storefronts. The numbers track with the EU Digital Markets Act timeline that compelled Apple to allow third-party app distribution on iOS in the European Union.
Why the Most Damaging Scams Are Not Inside the Store
If Apple is intercepting $2.2 billion a year, and competent fraud operations are still profitable, the obvious question is where the profitable fraud actually happens. The answer in 2026 is: outside the App Store, in channels Apple does not gate.
The biggest consumer fraud category of 2025 was not malicious apps. It was crypto ATM scams that drained $388 million from US victims through phone calls and emails that directed targets to physical kiosks. The biggest enterprise fraud category was business email compromise, where the attacker never installs anything on the victim's phone—they just send a convincing email asking the CFO to wire money. The fastest-growing consumer scam was AI-generated phishing emails that mimic the writing style of someone the victim knows.
For all of these, the entry point is the inbox, not the App Store. Apple's controls do not apply once the user is reading an email or clicking a link from SMS. The fraud actors who used to ship malicious apps now ship malicious links. The link goes to a website that captures credentials, drains a wallet, or simply convinces the victim to take their own money out and hand it over.
The Numbers That Should Bother You
Two figures in Apple's report deserve a second look. The first is the 1.1 billion rejected account creations. To rack up a billion attempts in a year, somebody is running automated signup farms continuously. That same infrastructure, when redirected at other services—email providers, banks, retailers—powers credential stuffing attacks against the rest of the internet. Apple intercepted the Apple ID half of that infrastructure. The same farms are firing at Gmail, Outlook, and every other major identity provider.
The second is the 193,000 developer account terminations. Each terminated account had to clear Apple's developer enrollment process at least once. That means the developer paid $99, submitted government identification, and passed an identity verification check before being terminated for fraud. The fraud economy is not built on anonymous accounts. It is built on willingness to use real or stolen identities for short-term throwaway operations. The same identity arbitrage powers the BEC and gift card scam economies—criminal operators acquire identities at scale, burn them on a campaign, and acquire new ones.
What Apple's Disclosure Is and Is Not
Apple's report is also a regulatory document. The European Commission is actively investigating Apple under the Digital Markets Act over whether its App Store gatekeeping is anticompetitive. The annual fraud number is Apple's argument for why the App Store still needs to exist as a gated channel: $2.2 billion in blocked fraud is what curation buys you. Open third-party stores, the report implies, would let that fraud through.
That argument has merit and limits. The merit is the empirical record—Apple really does run one of the largest fraud screening operations on the consumer internet. The limit is that closed curation does not prevent the fraud that bypasses the store entirely. Apple does not screen the email a user receives. It does not screen the SMS that prompts them to install a configuration profile that bypasses the App Store. It does not screen the website a user types their bank credentials into.
For users, the practical reading of Apple's report is that the App Store is, by far, the most defended retail surface on iOS. The damage now comes from the channels Apple does not curate. Email and SMS are the obvious ones. Phishing emails sent through Apple's own apple.com email infrastructure were one of the most successful attack vectors of April 2026, precisely because every spam filter accepted them.
The Mismatch Between Apple's Defense and Where Users Lose Money
The fraud blocked by Apple represents a defense at the install layer. The fraud actually costing people money in 2026 sits one layer above, at the message layer. Microsoft blocked 8.3 billion phishing emails in a single 90-day period, and the volume keeps rising. The FBI's 2025 numbers showed $11.4 billion in cryptocurrency scam losses, almost all of which began with a message—email, text, or social DM.
The defense for the inbox is structurally similar to Apple's App Store defense: filter the bad before it reaches the user, give the user a verified channel for legitimate senders, and degrade the trust signal for anything coming from outside it. Gmail's built-in spam filtering does the first part. Domain verification standards like SPF, DKIM, and DMARC are supposed to do the third. The middle part—a curated channel for senders the user has explicitly opted into—is the gap that lets phishing through.
Gblock sits in that gap for tracking pixels specifically. Marketing senders embed invisible images that load from third-party servers to confirm an open and capture the recipient's IP. Phishing senders use the same mechanism to confirm a live address and time their next attack. Gblock blocks the third-party load before it happens, so a phishing operator who is testing whether your address is alive gets no signal back. The defense is structurally identical to Apple blocking an install before the malicious app runs.
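A heuristic check for the tracking-pixel mechanism described above, as an added example (not Gblock's code and not from Apple's report): it flags remote images in an HTML message body that are 1x1 or hidden by inline style, before anything is fetched. The sample HTML, its hosts, and the names `PixelFinder` and `find_tracking_pixels` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body; every host and path here is made up.
SAMPLE_HTML = """<html><body>
<p>Your invoice is ready.</p>
<img src="https://cdn.sender.example/logo.png" width="200" height="60">
<img src="https://track.mailer.example/o/abc123.gif" width="1" height="1">
<img src="https://metrics.example/open?id=42" style="display: none">
<img src="cid:inline-logo" width="1" height="1"/>
</body></html>"""

TINY = re.compile(r"[01](px)?")
HIDDEN = re.compile(
    r"display:none|visibility:hidden|(?<![-\w])(?:width|height):[01](?:px)?(?:;|$)")


class PixelFinder(HTMLParser):
    """Collects remote <img> tags too small or too hidden to be real content."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {name: (value or "") for name, value in attrs}
        url = urlparse(a.get("src", "").strip())
        if url.scheme not in ("http", "https"):
            return  # cid: and data: images are embedded; loading them contacts no server
        reasons = []
        w, h = (a.get(k, "").strip().lower() for k in ("width", "height"))
        if TINY.fullmatch(w) and TINY.fullmatch(h):
            reasons.append("1x1 or 0x0 dimensions")
        if HIDDEN.search(a.get("style", "").replace(" ", "").lower()):
            reasons.append("hidden by inline style")
        if reasons:
            self.findings.append({"host": url.hostname, "reasons": reasons})


def find_tracking_pixels(html):
    """Return one finding per remote image that looks like an open-tracking beacon."""
    finder = PixelFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for f in find_tracking_pixels(SAMPLE_HTML):
        print(f["host"], "->", ", ".join(f["reasons"]))
```

Size and visibility are heuristics: a full-size remote image with a per-recipient URL signals an open just as well, which is why blocking all remote loads by default is the stronger setting.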