Google researchers have uncovered a dangerous iOS exploit chain called DarkSword that specifically targets cryptocurrency apps on vulnerable iPhones. The exploit leverages six separate vulnerabilities to deliver malware on devices running iOS versions 18.4 through 18.7, putting millions of crypto users at risk if they haven’t patched their devices.
Once a user visits a malicious or compromised website on an unpatched iPhone, DarkSword deploys a JavaScript-based data stealer called Ghostblade that hunts for major crypto exchange apps, including Coinbase, Binance, Kraken, KuCoin, OKX, and MEXC.
Ghostblade doesn’t stop at exchange apps. The malware actively seeks out popular crypto wallet applications like Ledger, Trezor, MetaMask, Exodus, Uniswap, Phantom, and Gnosis Safe. Once it gains access, it exfiltrates far more than just crypto holdings; it steals SMS and iMessage messages, call history, contacts, Wi-Fi passwords, Safari cookies, browsing history, location data, health information, photos, saved passwords, and message history from Telegram and WhatsApp.
What makes Ghostblade particularly insidious is its design for quick extraction rather than long-term surveillance. The malware collects all available data it can find, then deletes its temporary files and terminates itself, making detection harder for users who might otherwise notice suspicious activity on their devices.
The exploitation campaigns are already in the wild across multiple regions. Google researchers have observed DarkSword being deployed in Saudi Arabia, Turkey, Malaysia, and Ukraine. In one notable case, attackers used a fake Snapchat lookalike to deliver the exploit in Saudi Arabia, while Ukrainian victims were compromised through malicious websites, including at least one government site.
Multiple threat actors are behind these campaigns, ranging from commercial spyware vendors to state-backed groups. This diversity of attackers suggests the vulnerability information has spread beyond a single organization, amplifying the risk to iOS users worldwide.
The timing is particularly concerning given the history of malware targeting crypto users. Last year, the Inferno Drainer malware stole approximately $9 million from crypto users over six months. More recently, researchers discovered counterfeit Android smartphones that came pre-loaded with crypto-stealing malware from the factory, demonstrating that threat actors are willing to invest significant resources in targeting digital asset holders.
For iPhone users, the solution is straightforward but critical: update to a patched iOS version beyond 18.7. Apple has presumably addressed the six vulnerabilities in newer releases, but the window of vulnerability remains open for anyone running the affected versions who hasn’t installed updates.
Crypto users face a particular risk because they often hold substantial assets on their devices through mobile wallets and exchange apps. A single successful exploitation via DarkSword could result in the complete loss of funds if an attacker gains access to exchange credentials or wallet seed phrases stored on the device.
The discovery underscores a persistent challenge in the crypto ecosystem: the security of digital assets depends on multiple layers of technology, from operating system vendors like Apple to individual users’ diligence in applying security patches. A weakness at any layer can compromise the entire chain.
Security researchers recommend that crypto users immediately check their iOS version and update to the latest available release. Users should also avoid visiting suspicious websites or clicking unfamiliar links on their iOS devices, as this remains the primary infection vector for DarkSword.
For those using crypto apps on iPhones, reviewing which permissions you’ve granted to exchange and wallet applications is also prudent. While application-level permissions won’t stop a system-level exploit like DarkSword, they can limit the damage if malware does gain access to your device.
Google’s disclosure of DarkSword follows a broader pattern of increasing sophistication in malware targeting crypto users. As the sector continues to grow and attract institutional capital, threat actors are investing in advanced exploitation techniques to access these high-value targets.