DarkSword iOS Flaw Puts 221M iPhones at Risk of Crypto Theft

Edgen Crypto·Mar 20 2026, 16:12

Share to

Share to

Copy link

Key Takeaways

A newly discovered iOS exploit chain, "DarkSword," is being used by state-sponsored actors and commercial vendors to steal sensitive data, with a specific focus on cryptocurrency wallets and exchanges. The exploit affects millions of unpatched iPhones running specific iOS 18 versions, highlighting significant security risks for investors who manage digital assets on mobile devices.

A new exploit chain called 'DarkSword' targets iOS versions 18.4 through 18.7, potentially affecting over 221 million devices.
The malware specifically hunts for data from major crypto wallets and exchanges, including MetaMask, Ledger, Coinbase, and Binance.
The exploit has been deployed since at least November 2025 by various threat actors, signaling a growing commercial market for sophisticated mobile attack tools.

DarkSword Exploit Puts 221M iPhones at Risk

Google's Threat Intelligence Group, alongside security firms iVerify and Lookout, has identified a sophisticated iOS exploit kit named 'DarkSword' that has been active since at least November 2025. The exploit chain leverages six distinct vulnerabilities—including three previously unknown zero-days—to grant attackers full device control. It targets a specific range of Apple devices running iOS versions 18.4 to 18.7. Security analysts estimate that this vulnerability exposes as many as 221.5 million devices, or 14.2% of all iPhone users, to data theft.

Crypto Wallets and Exchanges Become Prime Targets

The primary payload delivered by DarkSword is a malware variant called 'GHOSTBLADE,' which is explicitly designed to extract financial data. The malware systematically searches for and steals information from a wide array of popular cryptocurrency applications. Targeted exchanges include Coinbase, Binance, Kraken, and OKX, while wallets such as MetaMask, Ledger, Trezor, and Phantom are also on the list. The attack operates in a rapid 'hit-and-run' fashion, exfiltrating credentials and other sensitive information within minutes of infection before removing its own traces. This behavior points to a clear financial motivation, prioritizing swift asset theft over long-term surveillance.

Exploit Proliferation Challenges Mobile Security

DarkSword is the second mass-exploitation kit for iOS discovered in a month, following the 'Coruna' kit. Its use by diverse groups—from the suspected Russian state-sponsored actor UNC6353 in attacks against Ukraine to commercial surveillance vendors targeting users in Saudi Arabia and Turkey—demonstrates a troubling proliferation of high-end cyber weapons. The availability of these tools on a secondary market lowers the barrier for well-funded but technically less-sophisticated groups to execute complex attacks. This trend poses a systemic risk to the mobile ecosystem, forcing investors to reconsider the security of managing assets through mobile-first platforms.