March 20, 2026 ChainGPT

DarkSword exploit on iOS 18.4–18.7 installs Ghostblade to steal crypto — patch now

Google researchers have uncovered a sophisticated iOS exploit chain—tracked as “DarkSword”—that’s being used in the wild to install malware that specifically targets cryptocurrency users on unpatched iPhones.

How the attack works

- DarkSword chains together six vulnerabilities to gain code execution on devices running iOS 18.4 through 18.7.
- A user only needs to visit a malicious or compromised website for the exploit to trigger and deploy a malware payload.

What the malware does

- The primary payload observed is a JavaScript-based data stealer named Ghostblade. Rather than long-term surveillance, Ghostblade is optimized for fast data theft: it harvests whatever it can, removes its temporary traces, and then self-terminates.
- Ghostblade actively searches for major crypto exchange apps (Coinbase, Binance, Kraken, KuCoin, OKX, MEXC) and popular wallet apps (Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, Gnosis Safe) to capture account details or session data.
- In addition to targeting crypto apps, it exfiltrates a broad set of sensitive information: SMS and iMessage content, call logs, contacts, Wi‑Fi passwords, Safari cookies and browsing history, location, health data, photos, saved passwords, and message histories from Telegram and WhatsApp.

Who’s using it and where

- Google says multiple actors are exploiting DarkSword—from commercial spyware vendors to nation-state–linked operators.
- Campaigns have already been observed in Saudi Arabia, where attackers used a fake Snapchat-style site, and in Ukraine, where compromised websites (including a government site) served the exploit.

Why crypto users should care

- This is the latest escalation in a wave of targeted tooling aimed at stealing crypto funds or account access. Recent related incidents include Inferno Drainer (which reportedly siphoned about $9 million over six months) and counterfeit Android phones sold with preinstalled crypto-stealing malware.

Practical steps to protect yourself

- Update iOS to the latest patched release as soon as possible.
- Avoid clicking links from untrusted sources or visiting unfamiliar websites on mobile browsers.
- Use hardware wallets and segregate large holdings from mobile apps when possible.
- Enable strong multi-factor authentication (preferably hardware-based) and regularly review app permissions and device backups.

Bottom line: If you manage crypto on an iPhone running iOS 18.4–18.7, you’re a high-priority target for operators deploying DarkSword/Ghostblade. Patch immediately and tighten your operational security to reduce risk.