Google cybersecurity researchers have identified a sophisticated iOS exploit chain, dubbed DarkSword, that is actively being used to deliver malware specifically designed to steal cryptocurrency from vulnerable iPhones. The exploit targets devices running iOS versions 18.4 through 18.7 by leveraging six vulnerabilities, allowing attackers to install malware without any user interaction beyond visiting a malicious or compromised website.
The primary malware delivered, called Ghostblade, is a JavaScript-based data stealer that aggressively hunts for major cryptocurrency exchange and wallet applications on infected devices. Its target list includes exchange apps from Coinbase, Binance, Kraken, KuCoin, OKX, and MEXC, as well as popular wallets like Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, and Gnosis Safe.
Beyond crypto assets, Ghostblade conducts comprehensive data exfiltration, stealing SMS and iMessage messages, call history, contacts, Wi-Fi passwords, Safari cookies and browsing history, location data, health information, photos, saved passwords, and message history from Telegram and WhatsApp. The malware is designed for rapid theft, deleting its temporary files and terminating itself after data collection to leave minimal traces.
Campaigns utilizing DarkSword have been observed in Saudi Arabia, Turkey, Malaysia, and Ukraine. In Saudi Arabia, attackers used a fake Snapchat lookalike site, while in Ukraine, the exploit was delivered through compromised websites, including a government portal. The exploit chain is being deployed by a range of actors, from commercial spyware vendors to state-backed threat groups.
Researchers reported the vulnerabilities to Apple in late 2025, and patches were subsequently included in the iOS 26.3 update. Affected domains have been added to Safe Browsing lists. Users are strongly urged to update their devices to the latest iOS version or enable Lockdown Mode for protection. This incident is part of a concerning trend of malware increasingly targeting crypto users, following other campaigns like the Inferno Drainer that stole millions last year.