Small (but hopefully kinda interesting) read ahead:

Woke up to an interesting phishing text - very clearly not from Apple (nor are there any issues with my wallet), but upon opening the link in a safe environment, it didn’t bring me to a phishing site as I had expected

It very briefly redirected to href[.]li, a site used to hide the HTTP Referrer header, and then it redirects directly to apple.com - seemingly only tracking interaction details with the phishing link

But if opened on Tor, it redirects to google dot com for some reason

First time seeing this sort of phishing attempt - anyone able to clue me in on why the attacker chose this method?