Google Exposes DarkSword iOS Exploit Chain That Has Targeted iPhones Since Late 2025

Google has disclosed a sophisticated iOS exploit chain called DarkSword that has been actively used since late 2025 to silently compromise iPhones, putting an estimated 270 million devices at risk and raising urgent concerns for crypto users who store wallet apps, seed phrases, and exchange credentials on their phones.

The Google Threat Intelligence Group (GTIG) published its findings on March 18, 2026, identifying DarkSword as a full-chain iOS exploit capable of complete device takeover. The research was conducted in coordination with mobile security firms Lookout and iVerify.

~270M devices running iOS 18.4-18.7 were potentially vulnerable to the DarkSword exploit chain, according to the research summarized from Google's disclosure.

An "exploit chain" means attackers strung together multiple separate vulnerabilities in sequence, each one unlocking the next stage, until the combined effect grants full control of the target device. DarkSword targets iOS versions 18.4 through 18.7 and uses pure JavaScript for all attack stages.

Six Vulnerabilities, Three Zero-Days, Three Threat Groups

DarkSword chains six vulnerabilities in total: three zero-days that were unknown to Apple at the time of exploitation, and three previously patched flaws that remained effective against unpatched devices. The zero-days include CVE-2026-20700, a PAC bypass in dyld; CVE-2025-43529, a JavaScriptCore memory corruption flaw; and CVE-2025-14174.

6 total vulnerabilities in the DarkSword iOS exploit chain: 3 zero-days and 3 n-days.

GTIG confirmed three distinct threat actor groups deploying the exploit chain: UNC6353, a suspected Russian espionage group targeting Ukraine; UNC6748, which targeted Saudi Arabia using a Snapchat-themed decoy site; and PARS Defense, a Turkish commercial surveillance vendor whose customers deployed DarkSword as recently as January 2026 in Malaysia.

Once a device is compromised, DarkSword deploys three malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. GHOSTKNIFE in particular collects signed-in accounts, messages, browser data, location history, screenshots, and microphone audio. The attack operates silently with no visible symptoms for the user.

Why iPhone Crypto Users Face Elevated Risk

The DarkSword post-exploitation toolkit is a worst-case scenario for anyone holding crypto assets on an iPhone. GHOSTKNIFE's ability to harvest signed-in accounts, browser data, and app data means exchange sessions, wallet credentials, and authenticator codes are all within reach of an attacker.

Seed phrases stored in the Notes app, iCloud Keychain, or third-party password managers on a compromised device are effectively exposed. Popular mobile wallets like MetaMask Mobile, Trust Wallet, Coinbase Wallet, and Exodus all run within the iOS app sandbox that a full-chain exploit like DarkSword bypasses entirely.

The exploit takes what Lookout researchers described as a "hit-and-run" approach, collecting and exfiltrating data within seconds or minutes before cleaning up. A user might never know their device was compromised, while their wallet keys and exchange session tokens have already been extracted.

Prior iOS zero-day chains such as FORCEDENTRY and Operation Triangulation were primarily used for targeted espionage against specific individuals. DarkSword is different. GTIG described it as "widely used," and researchers at Lookout warned that its proliferation across multiple actor groups signals a second-hand market where less sophisticated attackers can acquire top-tier exploits.

Matthias Frielingsdorf, co-founder of iVerify, highlighted one reason for that proliferation: "Russian hackers carelessly left the full code exposed on their sites, meaning anyone who manually grabbed all the different parts of the exploit could put them onto their own web server and start infecting phones."

Damon McCoy, a professor at NYU's Center for Cyber Security, added: "This is a pretty significant threat. There's still probably quite a few people that are still running this outdated version of iOS, and those people are quite vulnerable."

Patch Now, Move Keys Off Your Phone

Apple has patched all six DarkSword vulnerabilities. iOS 26.3 addresses the full exploit chain, and most of the individual flaws were patched in earlier updates. GTIG reported the vulnerabilities to Apple in late 2025, and delivery domains associated with DarkSword have been added to Google Safe Browsing.

Immediate action: update your iPhone to the latest iOS version. Any device still running iOS 18.4 through 18.7 remains vulnerable to the full exploit chain.
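For teams managing more than one phone, the version ranges quoted in this article can be applied to a device inventory export. The script below is an added example, not code from Google, Lookout or iVerify; the CSV column names, the sample rows and the choice to count every 18.7.x patch release as inside the 18.4 through 18.7 range are assumptions.

```python
import csv
import io

# Inclusive version ranges as stated in the article.
DARKSWORD_RANGE = ((18, 4), (18, 7))   # matched on major.minor only (assumption)
CORUNA_RANGE = ((13,), (18, 6, 2))
FULL_CHAIN_FIX = (26, 3)

# Constructed sample export; the column names are hypothetical.
SAMPLE_INVENTORY = """device,os_version
finance-01,18.5
finance-02,18.7.1
ops-01,17.7.2
ops-02,26.2
ops-03,26.3
lab-01,
"""

def parse_version(text):
    """'18.6.2' -> (18, 6, 2). Numeric tuples compare correctly where strings do not."""
    return tuple(int(part) for part in text.strip().split("."))

def classify(version_text):
    """Return one triage label for an iOS version string, most urgent first."""
    try:
        v = parse_version(version_text)
    except (ValueError, AttributeError):
        return "unknown"          # blank or malformed entry: check the device by hand
    major_minor = (v + (0,))[:2]
    if DARKSWORD_RANGE[0] <= major_minor <= DARKSWORD_RANGE[1]:
        return "darksword-range"
    if CORUNA_RANGE[0] <= v <= CORUNA_RANGE[1]:
        return "coruna-range"
    if v < FULL_CHAIN_FIX:
        return "below-26.3"       # outside both quoted ranges, still older than 26.3
    return "patched-per-article"

def triage(csv_text):
    """Group device names from an inventory CSV by triage label."""
    groups = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        label = classify(row.get("os_version") or "")
        groups.setdefault(label, []).append(row["device"])
    return groups

if __name__ == "__main__":
    for label, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{label}: {', '.join(devices)}")
```

Devices labelled unknown should be checked manually rather than assumed safe.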

For crypto holders, updating iOS is necessary but not sufficient. The core principle is straightforward: significant holdings should not depend on the security of a networked consumer device. Move meaningful balances to a hardware wallet. Do not store seed phrases in iPhone Notes, iCloud, or any app on a phone that connects to the internet.

Users who cannot immediately migrate assets should enable iOS Lockdown Mode, which restricts attack surface by disabling certain features exploits commonly target, including JavaScript processing in some contexts. It is not a guarantee against a chain as sophisticated as DarkSword, but it raises the bar.

Review which exchange and wallet apps are logged in on your device. Revoke active sessions you do not recognize. Enable withdrawal address whitelisting on exchanges that support it, so even a compromised session token cannot redirect funds to an attacker-controlled wallet.

GTIG's assessment was blunt about the broader trend: "The use of both DarkSword and Coruna by a variety of actors demonstrates the ongoing risk of exploit proliferation across actors of varying geography and motivation." Combined with an older exploit chain called Coruna, researchers estimate hundreds of millions of unpatched devices across iOS 13 through 18.6.2 remain at risk.

The window for action is now. Devices running outdated iOS versions are not just theoretically vulnerable; they are being actively targeted by at least three separate groups with confirmed campaigns across four countries.
