March 21, 2026 ChainGPT

Google exposes DarkSword iOS exploit dropping Ghostblade crypto stealer on unpatched iPhones

Google exposes “DarkSword” iOS exploit chain used to deliver crypto-focused data stealer to unpatched iPhones

Google security researchers have uncovered an active iOS exploit chain, dubbed DarkSword, that attackers are using to install malware on vulnerable iPhones. The chain leverages six separate vulnerabilities and has been observed affecting devices running iOS 18.4 through 18.7. Once a user lands on a malicious or compromised website with an unpatched device, the exploit can drop a JavaScript-based data stealer called Ghostblade.

What Ghostblade goes after

- Major crypto exchanges: Coinbase, Binance, Kraken, Kucoin, OKX, MEXC
- Popular wallets and wallet interfaces: Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, Gnosis Safe
- Broad personal data exfiltration including SMS and iMessage, call history, contacts, Wi-Fi passwords, Safari cookies and browsing history, location and health data, photos, saved passwords, and message history from Telegram and WhatsApp

Notably, Ghostblade is built for fast data grabs rather than long-term covert surveillance: it collects available data, removes temporary files, and then terminates itself, making detection and forensic tracing harder.

Multiple actors, multiple campaigns

Google’s analysis shows the exploit is being used by different types of operators, from commercial spyware vendors to groups with possible state backing. Observed campaigns include one in Saudi Arabia leveraging a fake Snapchat-like site and another in Ukraine that distributed the exploit through compromised websites, including at least one government site.

Why crypto users should care

This is the latest in a wave of malware specifically targeting cryptocurrency users. Recent examples include Inferno Drainer, which reportedly stole about $9 million from users over six months last year, and schemes that shipped counterfeit Android phones preloaded with crypto-stealing malware.
Practical steps for users and platforms

- Update iOS to the latest version as soon as possible.
- Avoid visiting suspicious or untrusted links and websites.
- Use hardware wallets and keep private keys off general-purpose phones when possible.
- Prefer app-based or hardware 2FA over SMS-based 2FA.
- Review app permissions and limit what apps can access (especially messages, photos, and keychain items).
- Monitor exchange accounts and withdraw funds to secure storage if you suspect compromise.
- If you suspect infection, consider wiping the device and restoring from a known-clean backup.

Keep an eye on official advisories from Google and Apple for patches and detailed guidance.

For crypto platforms and wallet providers, this incident reinforces the need for transaction risk signals, out-of-band verification options, and user education to mitigate drive-by web exploitation.