March 22, 2026 ChainGPT

Ghostblade iOS Malware Linked to February Crypto Losses, Steals Wallet Keys

Headline: New iOS malware helps explain why individual crypto holders took the biggest hit in February

Private crypto holders absorbed the heaviest losses from hacks, phishing and digital theft in February 2026, according to blockchain intelligence firm Nominis — and a new strain of iOS malware uncovered by Google Threat Intelligence may be part of the reason. The finding underscores a broader shift in attacker strategy: moving from large-scale protocol exploits to targeted, user-focused attacks that steal keys and credentials directly from devices.

What Google found

- Researchers identified a JavaScript-based iOS malware component called Ghostblade, designed to run on Apple devices, extract sensitive data, then stop and remove traces.
- Ghostblade is one of six tools packaged in a suite Google calls DarkSword. Together, the tools are engineered to harvest cryptocurrency private keys, messaging content, SIM and location data, multimedia files, and system settings.
- Crucially, Ghostblade is built to execute once, collect its payload, and then wipe crash logs. Because it doesn’t run persistently, and it clears Apple’s diagnostic logs, it can evade typical detection and reporting mechanisms.

Technical and user impact

- The malware can access messages from iMessage, WhatsApp and Telegram — a major risk because conversations often contain wallet links, seed phrases or transaction confirmations.
- For crypto users the most immediate threat is private key exposure: an attacker with keys can drain wallets irrevocably.
- DarkSword and Ghostblade represent an escalation in browser- and device-based attacks directed at the crypto ecosystem, with stealthy, one-shot tools replacing noisier, persistent malware.

Why losses fell but risk rose

- Nominis reports total crypto-related hack losses fell to roughly $50 million in February from about $385 million the prior month. That drop reflects a tactical shift rather than reduced intent.
- Attackers are increasingly abandoning noisy code exploits in favor of phishing, wallet poisoning and other social-engineering tactics that trick individuals into surrendering credentials or interacting with malicious web content. Fake websites that mimic legitimate services remain a common vector: interacting with a single element can be enough to expose credentials and keys.

Bottom line

The Ghostblade/DarkSword discovery is a stark reminder that high-value individual users — not only exchanges and protocols — are prime targets. The combination of stealthy, one-time device malware and sophisticated social-engineering campaigns makes personal security practices and device hygiene more important than ever.