The problem, though, is that evidence is relatively difficult to find. ZecOps found its evidence through hints in iOS, and couldn’t obtain the malware as the messages had already been deleted. Jamf Software security researcher Patrick Wardle also told the WSJ that the evidence of ongoing attacks was “compelling,” but not authoritative.

We’ve asked Apple for comment. The investigators believe Apple has fixed the flaw in an iOS beta (presumably 13.4.5), though, so it may not be an issue for long. If the findings are accurate, though, they suggest that a patch is coming long after hackers dealt their damage — however limited it might have been.

Update 4/24 3PM ET: Apple tells Engadget that it has studied the issue and doesn’t believe it poses an “immediate risk” to users as they are “insufficient to bypass” security measures. There’s also “no evidence” it has been used against customers despite ZecOps’ claims, Apple said. Nonetheless, a fix will be coming “soon.” You can read the full statement below.